Pillsbury partner Brian Finch presented written testimony before the U.S. House of Representatives Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies at a March 22 hearing on the role of cyber insurance in risk management. The purpose of the hearing was to examine potential opportunities to encourage the adoption of cyber best practices and more effectively manage cyber risks through cyber insurance.

Finch’s testimony focused on new ideas for using insurance to promote cybersecurity, beginning with a discussion of the significant benefits a health insurance-type approach could offer. Under such a program, companies would pay monthly premiums to insurers in exchange for discounted access to cybersecurity vendors and professionals that could be called upon for regular system maintenance or in the event of a serious breach.

“Cyber insurers should look to establish an infrastructure that supports constant care and promotes wellness, not merely reimbursement for periodic losses,” Finch wrote. “This model… addresses the reality that inevitably some sort of cyber disease will work its way into the blood stream by supporting interventional care that prevents minor scratches from developing into a serious infection.”

Finch also endorsed an insurance model predicated on insurance “pools.” In this model, similarly situated companies would pool their risk — jointly purchasing or creating insurance coverage, collectively establishing hard liability limits and sharing cyber defense resources — thereby gaining access to more insurance and creating greater certainty regarding potential losses following a cyber-attack. Specifically, Finch outlined the enormous benefit such pools would offer when combined with protections offered by the SAFETY Act.

“The SAFETY Act on top of the insurance pool effectively limits the exposure of the group to the amount of insurance they have purchased, or even a portion thereof. That is because with all the members being covered under the SAFETY Act award, any eligible claim following a cyber-attack will be subject to liability limits under Federal law. Further, this arrangement also potentially allows more of the insurance funds to be used for “first party” losses the company has directly suffered (damaged equipment, lost data, business interruption, etc.) rather than losses suffered by third parties.”

Finch is a member of Pillsbury’s Government Law & Strategies Practice and is based in the firm’s Washington, DC office. He focuses on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense and other federal agencies, and is particularly active in advising clients on the legal and policy challenges associated with the aftermath of a cyberattack and the steps that can be taken to help mitigate the associated risk. A leading authority on the SAFETY Act, he has helped prepare over 100 applications for such protections and testified twice before the U.S. Congress on matters related to the Act. He is a senior advisor to the Homeland Security and Defense Council, serves on the National Center for Spectator Sports Safety and Security’s advisory board, and is an inaugural Senior Fellow at George Washington University’s Homeland Security Policy Institute.