Stabilize Global Cyber Risk
Threatonomics

Stabilize Global Cyber Risk with The Cyber Insurance Industry

by Davis Hake , Co-Founder & VP of Communications
Published

So far it’s been more subtle than a massive attack against the US power grid, but threats to critical infrastructure are growing as geopolitics get more complex. Security firm Dragos reported that the Pipedream malware, launched by hackers linked to Russia, recently attempted to take down “around a dozen” U.S. electric and liquid natural gas sites. Ransomware attacks targeting the health sector have driven hospitals hit by a cyberattack to a 20% reported increase in mortality afterward. Multiple municipalities, LA Unified School District and Oakland, California, have recently had thousands of their citizens, students and employees’ private data dumped onto the dark web where criminals can leverage it for fraud and future phishing attacks.

With the backdrop of these dramatic attacks, the 2023 U.S. National Cybersecurity Strategy, announced last week, acknowledged that the threat of cyber disruption to critical infrastructure was so high that U.S. Federal regulators would begin using existing health and safety regulations to audit the cybersecurity integrity of critical infrastructure like water and pipelines.

The primary challenge with cyber attacks is the unknown nature of the risk. No one is actually sure what the “big one” in cyber would look like, when it will come, or what it would cost.

Harnessing Cyber Insurance as a Tool for Enhanced Cybersecurity and Crisis Management

Resilience believes cyber insurance provides a powerful stabilizing force that overlays the existing cybersecurity domain. Insurance encourages policyholders to utilize strong cybersecurity standards, controls, and best practices and provides enhanced access to mitigation and response resources in the event an incident does occur.

As a former Congressional staffer, I have seen no shortage of legislative overreach in times of crisis. The cyber insurance market cannot afford knee-jerk reaction from policymakers when a new wormable crypto malware locks up thousands of US networks or major metropolitan regions are scrambling to restore heat in the winter because of a common vulnerability in electric substations’ industrial control systems.

This is why Resilience joined with leading security companies as a member of the Cybersecurity Coalition in writing in support of the US Treasury’s work to explore the issue of establishing a cyber insurance backstop to help address larger systemic level cyber risks.

The cyber insurance market has seen the problem coming for some time. In 2019, Resilience (formerly Arceo Labs) joined as authors from Marsh and Microsoft to identify some of the sources of systemic risk that could lead to failures of the cyber insurance market. The report recommended:

“Increasing overall capacity in the cyber insurance market to handle a major, multi-market loss through the creation of a government backstop for systemic cyber incidents, similar to those created for terrorist events (TRIA in the U.S. and Pool Re in the UK). A private reinsurance pool is imagined as the most appropriate model for cyber insurance, which could include the following: certification of an incident by a government official as eligible for coverage under the program, a requirement that all primary insurers offer cyber coverage to commercial clients, multi-line coverage, and incentives for consumers and service providers to invest in cybersecurity.”

Near Misses in Cybersecurity and Their Insurance Market Impact

Since then, the insurance market has seen several “near miss” events that could have easily triggered catastrophic losses across the insurance market. The SolarWinds supply chain attack of 2020 targeted several US government agencies, including the Department of Defense, and private companies, including Microsoft and FireEye. This attack had the potential for a systemic threat due to the use of a vulnerability in the widely used SolarWinds Orion software to allow a highly advanced adversary to gain access to a broad range of organizations.

However, while the attack was highly sophisticated, the attackers were primarily focused on government data theft rather than system manipulation or destruction. This, along with the primary targeting of US government entities, significantly lowered the attack’s impact on the cyber insurance market.

The Log4Shell vulnerability of 2021 was a second near miss for the cyber insurance market.  This critical vulnerability in the popular open-source logging tool, Apache Log4j, allows attackers to execute arbitrary code remotely. It is considered highly severe because threat actors can exploit it with just one specially crafted HTTP request or network packet, and it affects a wide range of systems and applications that use Log4j.

While this vulnerability represents an actual disaster scenario if fully leveraged by criminals, upon its release, the security community reacted with speed and cooperation to develop patches and distribute them as widely as possible. While criminal groups today have been observed leveraging this vulnerability, the publicity surrounding it drove most organizations to implement this patch before criminals could widely exploit it.

Strengthening Cyber Insurance Against Systemic Risks

Given the increase in threat to critical infrastructure and the number of near misses we are seeing, the government has an opportunity to begin a conversation with the insurance industry on how to work together to tackle these looming issues.

In advance of this discussion, however, there is more the insurance industry can do today to reduce the impact of these types of risks on clients and capacity providers.

  • First, regularly scan and warn all clients about critical vulnerabilities currently being exploited and have actionable mitigations. When Log4Shell was discovered, the Resilience Security team immediately checked all its clients and followed up directly with remediation actions. If there is a highly “contagious” vulnerability, we will ensure we are a part of the immune system response.
  • Second, leverage data-driven frameworks like the NIST Cybersecurity Framework and CIS Critical Controls as a part of underwriting and guidance to clients. Resilience leverages these tools in our modeling to ensure that our clients, and capital placement follow the most up-to-date guidance on cyber hygiene.
  • Finally, use data tools to understand and model your portfolio risk. This has been a long-term goal for Resilience to help provide visibility to capital providers on sources of systemic risk. This drives proactive mitigations into our client base through guidance and policy language when we see trends that could lead to massive systemic level losses.

We believe these concrete steps taken across the market help mitigate capital exposure to unforeseen systemic events and, more importantly, the potential for harm to our clients and global critical infrastructure.

The attacker will always have the edge in imagination, but failing to explore the conversation will guarantee disaster. With the Administration opening the door for discussion, the industry should appear at the table.

Leveraging the Power of Cyber Insurance to Stabilize Global Cyber Risk

The cyber insurance industry has a crucial role to play in stabilizing global cyber risk. As threats to critical infrastructure grow and the unknown nature of cyber attacks looms, insurance providers like Resilience emphasize the need for strong cybersecurity standards and response resources. 

By addressing systemic risks, exploring government backstops, and taking proactive measures, the insurance industry can effectively mitigate the impact of global cyber risk and protect clients and critical infrastructure. Request a demo today and learn how Resilience can leverage your organization.

You might also like

Five Predictions on the State of Cyber Claims in 2024

Unravel the complexities of cyber risk with the 2023 Mid-Year Claims Report by Resilience. Dive into our analysis and predictions for the cyber insurance industry in 2024, including the pivotal role of AI and regulatory changes.

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the […]

Top Three Trends on Cyber Resilience from The World Economic Forum

With generative AI dominating the conversation at the World Economic Forum’s annual meeting in Davos this year – a massive 32 sessions in total – it’s easy to overlook another topic that was the focus of WEF’s 2024 Global Cybersecurity Outlook: Cyber Resilience.  The term has taken on a new importance in 2024 as enterprise […]

Do you Need Human Brains to make AI Useful in Cybersecurity?

As the world advances with data processing and artificial intelligence (AI) capabilities at a mind-boggling pace, we might feel as if humans are becoming obsolete. This is certainly the question of an endless series of articles that have clogged our inboxes since the release of ChatGPT publicly in late 2022. Maybe this development is a […]

Mastering Cyber Resilience

Cyber Resilience 101, 202, and accompanying Cyber Resilience Workshops are designed to teach brokers the fundamentals of proactive cyber risk management

Best of Threatonomics Year-End Review

As 2023 comes to an end, we are looking back on our top five most popular blog posts that helped shape our understanding of what it means to be cyber-resilient. 1. Moneyballing Cyber Resilience  Chief Cyber Resilience Officer Richard Seiersen wrote “Moneyballing Cyber Resilience” as a follow-up to  his first webinar, “Superforecasting.” The book, Moneyball, […]