Image by NASA.
The Federal Information Security Management Act of 2002 "requires agencies to assess their own risk factors and conduct risk management activities" on cyber security issues, "such as developing a security plan." Grace Knofczynski, "Auditor Says Federal Cybersecurity Efforts Are Inadequate" (RegBlog, the Penn Program on Regulation, posted on Tuesday, November 10, 2015).
As a measure of the performance of federal agencies in assessing cyber risks and in developing risk management activities, the General Accounting Office released a report in roughly the last quarter of 2014 examining whether six representative federal agencies "had developed and carried out policies for overseeing contractor-operated networks and systems." Tim Yang, "GAO Recommends Improved Oversight of Information Technology Contracts" (RegBlog, Penn Program on Regulation, posted Thursday, September 18, 2014).
The GAO found in its report in late 2014 that only the Department of Homeland Security ("DHS") had "fully implemented policies on contractor oversight," and "had consistently planned and executed assessments of their policies," and "had consistently reviewed its assessments."
These findings support the need for at least the following questions on any application for cyber insurance (among other questions on the application, of course):
- Does the applicant have policies in place on contractor oversight?
- Does the applicant consistently plan and execute assessments of its policies on contractor oversight, and if the answer is "yes," state how often these assessments are planned and executed: _______________.
- State how often the applicant reviews its assessments of its policies on contractor oversight: _________________.
As is usually the case, the application should of course provide that false, incomplete, or misleading answers to the questions on the application are grounds for the insurance company rescinding the insurance, in this case the cyber insurance policy.
Before concluding this article, it is worth revisiting FISMA, the Federal Information Security Management Act of 2002 mentioned above. Two things reported in the two RegBlog posts cited above, published over one year apart, bear mention about compliance with this federal law:
- FISMA mandates that both the National Institute of Standards and Technology ("NIST") and the General Services Administration ("GSA") should provide "guidance" to federal agencies "on how to establish effective oversight of contractors …." Further, RegBlog reports that unspecified "[f]ederal law" mandates that the Office of Management and Budget ("OMB") and the DHS "provide guidance to agencies about enhancing their cybersecurity and reporting compliance." Whether the mandated "guidance" is actually the same or duplicative in each case is not clear. What is clear, according to the GAO, is that the OMB's and the DHS's "guidance" are both "often incomplete or unclear."
- Despite the FISMA mandate that federal agencies assess their risks and conduct risk management activities in response to threats to cyber security, "[l]ess than two-thirds of the agencies covered in the GAO report," said RegBlog this month -- on November 10, 2015 -- "had fully assessed their risk factors during 2013 and 2014." This leads to an interesting overall question of insurance coverage for cyber insurance policies:
What are the risks to cyber security that cyber insurance is being asked to cover, and how do applicants seeking cyber insurance manage those risks, if at all?
©2015 by Dennis J. Wall. All rights reserved.