A few years ago, many people questioned the need for cyber insurance. In fact, the argument was made that although a substantial amount of resources was dedicated to Y2K preparation, Y2K never became a problem. However, these days it is evident that there is a need for cyber insurance due to the increased number of data breaches. In fact, Rep. Ed Perlmutter of Colorado proposed new legislation last week that could have a dramatic impact on the cyber insurance markets.
As proposed, the Data Breach Insurance Act (H.R. 6032) would take a “two prong approach” to encourage cyber security by providing a 15% deduction for the costs related to a data breach for any taxpayer that purchases cyber insurance and adopts the standards laid out in the National Institute of Standards and Technology (NIST) Cybersecurity Framework “or any other standard approved by the Secretary of Treasury.”
Perlmutter’s office issued a statement saying that this proposed legislation is intended to encourage protection on “both the front end and the back end” of a cyber incident. The statement added that “[t]he tax credit will help offset some of the costs associated with implementing the cyber frameworks, such as risk assessments, hardware/software upgrades, employee education, training and vendor testing.”
This legislation attempts to incentivize cyber incident preparation in the following manner:
The Data Breach Insurance Act helps businesses realize the value proposition of purchasing data breach insurance and the NIST Cybersecurity Framework as risk mitigation tools. This legislation will also help develop a robust data breach and cyber liability insurance marketplace to help businesses cover legal and liability costs, costs of notifying affected consumers, business interruption, settling cyber extortion threats, among others.
Perlmutter’s press release further states that this legislation is intended to build on existing legislation:
In response to President Obama’s Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity which was issued in 2013, NIST developed its Cybersecurity Framework with extensive private sector input and released it in February 2014. According to NIST, thirty percent of businesses currently use the Cybersecurity Framework to help manage their cyber risk.
If this legislation is passed, we can expect substantial growth in cyber insurance and cyber security products. However, regardless of whether this proposed legislation becomes law, the mere suggestion of tax incentives for purchasing cyber insurance and preparing for a cyber incident shows the rapid development of this area.