This paper outlines the potential benefits of a trusted cyber incident data repository that enterprise risk owners and insurers could use to anonymously share, store, aggregate, and analyze sensitive cyber incident data. Optimally, such a repository could enable a novel information sharing capability among the Federal government, enterprise risk owners, and insurers that increases shared awareness about current and historical cyber risk conditions and helps identify longer-term cyber risk trends.
This information sharing approach could help not only enhance existing cyber risk mitigation strategies but also improve and expand upon existing cybersecurity insurance offerings. Rooted in rich repository data, new analytics products could help inform more effective private and public sector investment in these complementary cyber risk management categories.
Specifically, such products could help promote greater understanding about the financial and operational impacts of cyber events, the effectiveness of existing cyber risk controls in addressing them, and the new kinds of products and services that cybersecurity solutions providers should develop to meet the evolving risk mitigation needs of their customers.
These developments, in turn, could help drive the critical infrastructure protection and national resilience goals outlined in White House Executive Orders 13636 and 13691 and advance the risk-based approach of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.