Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

What if the Lights All Go Out? Cyberinsurance is Not Prepared

July 14, 2022

CyberScoop reported on July 11 that the cyberinsurance market has a critical infrastructure problem. There is increasing concern that there may be assaults on critical infrastructure, particularly with the war in Ukraine and knowledge that Russian cyberattack capabilities have grown.

“The cyber insurance industry is not just discovering the cyber risk, with respect to critical infrastructure,” said Michael Phillips, chief risk officer at cyber insurance firm Resilience. “I think what is new is there is a more vivid understanding in the market that the time to understand systemic cyber risk and the risk to critical infrastructure is now.”

Policymakers are wondering if the government should intervene with its own form of insurance, a U.S. Government Accountability Office report last month showed.

“The Department of the Treasury’s Federal Insurance Office (FIO) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) both have taken steps to understand the financial implications of growing cybersecurity risks,” the report notes. “However, they have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.”

Monica Shokai, Head of Business Risk and Insurance at Google Cloud, has said, “The first problem with the cyber industry is that the past doesn’t necessarily predict the future.”

Cybersecurity insurance initially was a means to deal with cybersecurity issues such as data breaches and the lawsuits and regulatory penalties that frequently followed.

That changed quickly in 2017 when the WannaCry and NotPetya attacks demonstrated how fast a cyberattack could have resounding consequences around the globe. Then came another crisis moment for the industry: a rapid rise in ransomware attacks and an increase in ransomware demands, including a high-profile ransomware attack on U.S. fuel provider Colonial Pipeline.

Most types of insurance, such as auto insurance, rely on previous data to predict future risks.

Cybersecurity insurance analysts, however, are up against a rapidly changing threat landscape, making it difficult to know what kinds of risks companies will have to face. As ransomware attacks rose, a surge of expensive claims took the industry by surprise, leading to escalating premiums and reduced coverage.

Assessing the risks becomes more difficult when ransomware and other attacks hit our critical infrastructure. Part of the problem, experts say, is getting good data to build actuarial models. Cyber incidents often go unreported and there’s no comprehensive set of data from either industry or the government.

A law passed earlier this year requiring critical infrastructure owners and operators to report incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency may help, but it won’t go into effect for at least another two years. And that may be too late.

There are private sector initiatives also seeking to solve the data gap. CyberAcuView, a 20-member consortium of global cyber insurance companies, was established last year to put together data and experience to address industry problems such as assessing systemic risk.

Should the government intervene? Some federal insurance for cyber assistance already exists. The Terrorism Risk Insurance Program (TRIP), created in 2002 to underwrite acts of terrorism, covers cybersecurity incidents that are “violent or coercive in nature.”

A problem here: There’s no clear definition of what kind of cyberattacks apply, experts say.

Insurers are left with “a kind of vague sense the federal government might provide some support for insurance in the event of a really catastrophic cyber attack, but without [the government] defining what the parameters of that are,” said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.

As government auditors now ask CISA and the FIO to report to Congress as to whether the federal government should create a federal funding mechanism as a backstop for the industry, experts are hoping that policymakers don’t make the same errors.

A logical first step, according to insurers, would be for the government to provide a clearer definition of what critical infrastructure means. Without this guidance, it’s hard for the industry to know how to set limits on policies.

Even when high-risk scenarios are defined, the minimum standards that insurers should enforce aren’t always clear. More government guidance on cybersecurity standards could also help with that, experts say.

“A lot of the traditional assessment techniques that insurers would rely on or other companies rely on are not yet present in the operational technology space that several of these critical infrastructure providers will rely on,” said Sharon Chand, a principal with Deloitte’s cyber risk services. As a result, it’s more difficult to assess what to put “in place to protect against some of those high priority cyber threat scenarios.”

Clearly, a lot of work needs to be done relatively quickly because right now we really don’t know what will happen if all the lights go out. That is ominous in the face of the rising threats from Russia, in particular.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology