WILL CONTRACTORS BE REQUIRED TO HAVE CYBER INSURANCE?

A provision in the House version of the FY’21 National Defense Authorization Act (NDAA) requiring GAO to conduct a study on whether cybersecurity insurance should be mandated for government contractors has industry groups concerned. The fear is that the report, coupled with recommendations by the influential Cyberspace Solarium Commission, will result in companies having to buy potentially costly cybersecurity insurance or risk losing government business. Supporters believe that cybersecurity insurance could perform the same role as government regulations in improving organizations’ cybersecurity practices. Rather than facing a regulation, companies that did not take out such insurance would risk being at a competitive disadvantage when evaluated for a contract award, or being excluded from procurements altogether. Opponents believe that having insurance, in itself, will do little to advance real cybersecurity and, in fact, may drain company resources away from investing in actual improvements in order to pay for the insurance. Others see it as a giveaway to the insurance industry. This is not, however, the first time contractors have had to consider government-only insurance requirements. Unlimited liability requirements, especially at the state level, were a true fad in the late 1990s as public sector officials worried about unproven technology impacting their missions. Whether the push for cybersecurity insurance will largely fade away as that issue did remains uncertain. What is certain is that there is a true sense of urgency on the part of legislative and executive branch officials to try to ensure iron-clad security. It is unfortunate that they don’t hold government agencies to the same standard, as anyone involved with Fairfax County Public Schools will note with irony.