lolloj - Fotolia
How would a cyberattack information database affect companies?
A proposed cyberattack information database in the U.K. aims to improve cyberinsurance. Expert Mike Chapple explains what collecting data breach information means for U.S. companies.
In the U.K., an insurance industry organization called for the government to establish a database where companies would have to "record details of cyberattacks." The purpose, according to the organization, would be to give companies offering cyberinsurance policies more data to assess premiums. But won't keeping a database of enterprises' cyberattack information be a violation of the laws and regulations protecting this type of data? How would such a cyberattack information database affect companies that are in both the U.K. and the U.S.?
Current data breach notification laws in many jurisdictions require organizations to disclose to the government and individuals when their information is compromised during a cyberattack. The recent proposal from the director general of the Association of British Insurers (ABI), Huw Evans, would go beyond this common standard and make it mandatory for companies to record detailed cyberattack information in a database created by the U.K. government.
The ABI is proposing this initiative to collect better cyberattack information so that insurers can improve their assessment of risk and their pricing for cyberinsurance. To counter fears of reputational damage to companies that disclose breaches, the ABI suggests anonymizing the data and limiting the use of the cyberattack database to insurers. On the other hand, the ABI wants a wider range of industries than just those providing essential services to provide detailed cyberattack information.
It remains to be seen if the ABI's proposal gets any further, and if so, the extent and type of details that companies would have to supply. U.S. companies are familiar with the data breach notification requirements contained within state and federal laws and industry regulations. By the time the ABI proposal reaches any enforceable state, it may resemble those laws. The biggest variable here will be the level of detailed cyberattack information required to comply with the requirement.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Find out whether or not companies should share data breach information with the public
Learn more about the differences in data breaches based on region
Check out the biggest influences on the cost of data breaches
Dig Deeper on Security operations and management
Related Q&A from Mike Chapple
Stateful vs. stateless firewalls: Understanding the differences
Examine the important differences between stateful and stateless firewalls, and learn when each type of firewall should be used in an enterprise ... Continue Reading
Wired vs. wireless network security: Best practices
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
The difference between AES and DES encryption
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading