Industry executives urged the Federal government Monday to do more to advance the use of blockchain technology to secure online financial transactions, and to get behind nationwide adoption of cybersecurity insurance.
Testifying at the first field hearing of the President’s Commission on Enhancing National Cybersecurity in New York, prominent industry experts said further development of a potentially game-changing technology known as blockchain—a permissionless distributed database that is best known as the public ledger component of the bitcoin cryptocurrency—and a healthy cyber insurance market are critical to improving cybersecurity across the country.
IBM Fellow Jerry Cuomo told the commission that IBM believes blockchain could usher in a major improvement in financial transaction security and how citizens interact with government. Although bitcoin is an anonymous network, Cuomo advised the commission to support what is known as permissioned blockchain, which involves the use of blockchain in networks where the users are known and trusted.
“Blockchain has tremendous potential to help transform business and society, but it’s so strikingly different from what people are used to that many business and government leaders are adopting a wait-and-see attitude,” Cuomo said. “We applaud judicious caution, but, at the same time, we believe that organizations and institutions that don’t quickly assess the potential of blockchain and begin experimenting with it risk falling behind as the world undergoes what we see as a tectonic shift.”
Cuomo told the commission that government will play a critical role in the broader adoption of blockchain. “The Federal government must invest in scientific research to accelerate progress. The National Institute of Standards and Technology can help shape standards for interoperability, privacy, and security,” he said. “And government agencies can become early adopters of blockchain applications. In addition, government has a key role to play in certifying the identities of participants in blockchain-based systems.”
Peter Beshar, executive vice president and general counsel of Marsh & McLennan Companies, one of the world’s largest insurance brokers, said the insurance underwriting process creates powerful incentives that can force behavioral changes at companies. Because insurance companies charge different premiums for different organizations based on the standards they meet, pricing pressures drive companies to adopt best practices, he said.
Last year, insurance companies collected $2.75 billion in cybersecurity insurance premiums, and that figure is expected to grow to more than $10 billion by 2020, according to a study by Betterley Risk Consultants.
The number of Marsh clients purchasing cyber insurance increased by 27 percent in 2015 after an increase of more than 30 percent in 2014, according to Beshar. In addition, companies are purchasing higher limits. “Coverages, which formerly were in the tens of millions, are now climbing up to $500 million for companies in particularly vulnerable industries,” Beshar said in written testimony submitted to the commission. “Indeed, the average limit placed for large communications, media, and technology organizations is approaching $100 million.”
Because the insurance industry is driven by data, Beshar urged the commission to support research and development into the use of big data in helping to assess risk and vulnerability at companies seeking cybersecurity insurance. “Without stepping foot inside of a company’s offices, the cyber resilience of a company can be assessed by analyzing hundreds of externally available data points,” Beshar said.
The external data Beshar referred to included information about employee use of vulnerable Web browsers; the sharing of Web hosting platforms and cloud storage with other companies; data from the company, including stolen passwords, that appear on the dark Web; and how the company’s ranking of employee satisfaction on Glassdoor correlates to the risk that a disaffected insider will compromise its data security.
Beshar recommended the commission support broader use of the SAFETY Act—a law enacted in the wake of the 9/11 terrorist attacks that limits the legal liabilities for technology companies that offer products or services that are certified by the Department of Homeland Security and fail in some way to prevent a terrorist attack.
“If necessary, a congressional amendment to the SAFETY Act would expand application, subject to legislatively set thresholds, for cyberattacks that threaten material harm to the U.S. economy or national security,” wrote Beshar. “This type of action would likely foster greater collaboration between government and industry.”