The Cyber Insurance industry can help stabilize global cyber risk. Here’s how.

by Davis Hake , Co-Founder & VP of Communications

So far it’s been more subtle than a massive attack against the US power grid, but threats to critical infrastructure are growing as geopolitics get more complex.

Security firm Dragos reported that the Pipedream malware, launched by hackers linked to Russia, recently attempted to take down “around a dozen” U.S. electric and liquid natural gas sites. Ransomware attacks targeting the health sector have driven hospitals hit by a cyberattack to a 20% reported increase in mortality afterward. And multiple municipalities, LA Unified School District and Oakland, California, have recently had thousands of their citizens, students and employees’ private data dumped on to the darkweb where criminals can leverage it for fraud and future phishing attacks.

With the backdrop of these dramatic attacks, the 2023 U.S. National Cybersecurity Strategy, announced last week, acknowledged that the threat of cyber disruption to critical infrastructure was so high, U.S. Federal regulators would begin using existing health and safety regulations to audit the cybersecurity integrity of critical infrastructure like water and pipelines.

The primary challenge with cyber attacks is the unknown nature of the risk. No one is actually sure what the “big one” in cyber would look like, when it will come, or what it would cost.

Resilience believes cyber insurance provides a powerful stabilizing force that overlays the existing cybersecurity domain. Insurance encourages policyholders to utilize strong cybersecurity standards, controls, and best practices and provides enhanced access to mitigation and response resources in the event an incident does occur.

As a former Congressional staffer I have seen no shortage of legislative overreach in times of crisis. The cyber insurance market cannot afford knee jerk reaction from policy makers when thousands of US networks are locked up by a new wormable crypto malware or major metropolitan regions are scrambling to restore heat in the winter because of a common vulnerability in electric substations’ industrial control systems.

This is why Resilience joined with leading security companies as a member of the Cybersecurity Coalition in writing in support of the US Treasury’s work to explore the issue of establishing a cyber insurance backstop to help address larger systemic level cyber risks.

The cyber insurance market has seen the problem coming for some time. In 2019, Resilience (formerly Arceo Labs) joined as an authors from Marsh and Microsoft to identify some of the sources of systemic risk that could lead to failures of the cyber insurance market. The report recommended

“Increasing overall capacity in the cyber insurance market to handle a major, multi-market loss through the creation of a government backstop for systemic cyber incidents, similar to those created for terrorist events (TRIA in the U.S. and Pool Re in the UK). A private reinsurance pool is imagined as the most appropriate model for cyber insurance, which could include the following: certification of an incident by a government official as eligible for coverage under the program, a requirement that all primary insurers offer cyber coverage to commercial clients, multi-line coverage, and incentives for consumers and service providers to invest in cybersecurity.”

Since then, the insurance market has seen several “near miss” events that could have easily triggered catastrophic losses across the insurance market.

The SolarWinds supply chain attack of 2020 targeted several US government agencies, including the Department of Defense, and private companies, including Microsoft and FireEye. This attack had the potential for a systemic threat due to the use of a vulnerability in the widely used SolarWinds Orion software to allow a highly advanced adversary to gain access to a broad range of organizations.

However, while the attack was highly sophisticated, the attackers were primarily focused on government data theft rather than system manipulation or destruction. This, along with the primary targeting of US government entities, significantly lowered the attack’s impact on the cyber insurance market.

The Log4Shell vulnerability of 2021 was a second near miss for the cyber insurance market.  This critical vulnerability in the popular open-source logging tool, Apache Log4j allows attackers to execute arbitrary code remotely. It is considered highly severe because threat actors can exploit it with just one specially crafted HTTP request or network packet, and it affects a wide range of systems and applications that use Log4j.

While this vulnerability represents an actual disaster scenario if fully leveraged by criminals, upon its release, the security community reacted with speed and cooperation to develop patches and distribute them as widely as possible. While criminal groups today have been observed leveraging this vulnerability, the publicity surrounding it drove most organizations to implement this patch before criminals could widely exploit it.

Given the increase in threat to critical infrastructure and the number of near misses we are seeing, the government has an opportunity to begin a conversation with the insurance industry on how to work together to tackle these looming issues.

In advance of this discussion, however, there is more the insurance industry can do today to reduce the impact of these types of risks on clients and capacity providers.

  • First, regularly scan and warn all clients about critical vulnerabilities currently being exploited and have actionable mitigations. When Log4Shell was discovered, the Resilience Security team immediately checked all its clients and followed up directly with remediation actions. If there is a highly “contagious” vulnerability, we will ensure we are a part of the immune system response.
  • Second, leverage data-driven frameworks like the NIST Cybersecurity Framework and CIS Critical Controls as a part of underwriting and guidance to clients. Resilience leverages these tools in our modeling to ensure that our clients, and capital placement follow the most up-to-date guidance on cyber hygiene.
  • Finally, use data tools to understand and model your portfolio risk. This has been a long term goal for Resilience to help provide visibility to capital providers on sources of systemic risk. This drives proactive mitigations into our client base through guidance and policy language when we see trends that could lead to massive systemic level losses.

We believe these concrete steps taken across the market help mitigate capital exposure to unforeseen systemic events and, more importantly, the potential for harm to our clients and global critical infrastructure.

The attacker will always have the edge in imagination, but failing to explore the conversation will guarantee disaster. With the Administration opening the door for discussion, the industry should show up at the table.

You might also like