
How would a cyberattack information database affect companies?

A proposed cyberattack information database in the U.K. aims to improve cyberinsurance. Expert Mike Chapple explains what collecting data breach information means for U.S. companies.

In the U.K., an insurance industry organization called for the government to establish a database where companies would have to "record details of cyberattacks." The purpose, according to the organization, would be to give companies offering cyberinsurance policies more data to assess premiums. But won't keeping a database of enterprises' cyberattack information be a violation of the laws and regulations protecting this type of data? How would such a cyberattack information database affect companies that are in both the U.K. and the U.S.?

Data breach notification laws in many jurisdictions already require organizations to notify regulators and affected individuals when personal information is compromised in a cyberattack. The recent proposal from Huw Evans, director general of the Association of British Insurers (ABI), would go beyond this common standard and make it mandatory for companies to record detailed cyberattack information in a database created by the U.K. government.

The ABI's stated goal is better data: with a fuller picture of how often attacks occur and what they cost, insurers could assess risk and price cyberinsurance more accurately. To address the confidentiality and reputational concerns raised in the question, the ABI suggests anonymizing the records and restricting access to the database to insurers. At the same time, the ABI wants contributions from a wider range of industries than just those providing essential services, so far more companies would be required to report than are covered by essential-services rules today.

Whether the ABI's proposal advances, and if so how much detail companies would have to supply, remains to be seen. U.S. companies are already familiar with the breach notification requirements in state and federal laws and industry regulations, and by the time any ABI-style requirement became enforceable it might well resemble them. The biggest variable is the level of detail demanded: a record limited to the fact, date and scale of an incident is little different from an existing breach notification, whereas a requirement to document how an attack succeeded would be far more sensitive for the reporting company, and a database holding such records would itself be an attractive target.


This was last published in October 2016


Do you think there should be a data breach information database? Why or why not?
This seems to be an opportunity for venture capitalists and private-sector startups to provide the service. On a contract basis with its customers, and through an appropriately developed information-sharing function, there would be no need for government involvement; by contractual means with a customer company that subscribes to the services offered, the marketplace would satisfy a much-needed information-sharing offering. As we have experienced with the politicization and exploitation by government agencies that abuse the information collected, a private-sector company offering the cyber information-sharing capability on a legal basis would be held accountable in a court of law if it exposed or abused the information it collected from a customer company. No such restraints exist for curtailing a government agency that goes rogue in exposing, exploiting or politicizing critical information to the disadvantage of some specific entity that is mandated by congressional legislation to share vital, critical information. With the dynamism that is cyber, a more responsive, cost-effective solution capability can be delivered by the private sector, free enterprise and the venture-capitalist marketplace.