


Department of Homeland Security Releases Working Session Readout Report on Insurance for Cyber-Related Critical Infrastructure Loss

Blogs, Cyber Risks, Liabilities, Insurance and Litigation

The Department of Homeland Security (“DHS”) National Protection and Programs Directorate (“NPPD”) has convened a series of sessions focusing on developing the first-party cyber insurance market. The most recent session was held on April 7, 2014, and it included representatives from 10 insurance brokers, 10 insurance underwriters, and 10 reinsurers. On July 22, 2014, DHS released its Readout Report of that Session. The entire 44-page report, together with the Reports of three earlier sessions, can be found here 

The April 7, 2014, Session focused on three subjects, the essence of which is described below:

Cyber Incident Information Sharing/Data Repository. There was industry support for the creation of a mechanism, referred to as a “cyber incident data repository,” through which private companies, public sector entities, and the United States Government (“USG”) would be able to submit information about cyber incidents they have experienced or have become aware of. For private sector companies, the submissions would be anonymous. The purpose would be to develop cyber risk actuarial tables and inform cyber incident trend analysis.

Cyber Incident Consequence Analysis/Analytics Approaches. Participants expressed a need for information and assistance from the USG in building models, simulations, and exercises “to confidently expand first-party coverage for cyber-related critical infrastructure loss.” They pointed to the core insurance industry need to estimate the probable maximum loss. They also suggested that the USG design, develop, and execute a cyber incident tabletop exercise that would include insurance industry representatives and vendors.

ERM Evangelization. Participants expressed support for Enterprise Risk Management (“ERM”) that includes analysis of cyber risks. They believe that greater public awareness and education about cyber risk would be beneficial, and advocated for a general push for “ERM Evangelization.”

For further information, contact Vince Vitkowsky at