Growing worries about digital assaults on critical infrastructure compounded by the war in Ukraine are reviving questions about the ability of cybersecurity insurance to cover the risks of a catastrophic attack.
“The cyber insurance industry is not just discovering the cyber risk, with respect to critical infrastructure,” said Michael Phillips, chief risk officer at cyber insurance firm Resilience. “I think what is new is there is a more vivid understanding in the market that the time to understand systemic cyber risk and the risk to critical infrastructure is now.”
The challenge has policymakers asking whether, and when, the government should step in with its own form of insurance, according to a U.S. Government Accountability Office report released last month.
“The Department of the Treasury’s Federal Insurance Office (FIO) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) both have taken steps to understand the financial implications of growing cybersecurity risks,” the report notes. “However, they have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.”
But as decades of cyber insurance industry research show, coming up with those answers isn’t so easy.
An unpredictable market
Cybersecurity insurance has existed in some form since at least the early 2000s. The coverage initially started out as a means to deal with cybersecurity issues such as data breaches and the lawsuits and regulatory penalties that could ensue.
That changed rapidly in 2017 when the WannaCry and NotPetya attacks showed how quickly a cyberattack could have resounding consequences around the globe. Then came another crisis moment for the industry: a rapid rise in ransomware attacks and an increase in ransomware demands, including a high-profile ransomware attack on U.S. fuel provider Colonial Pipeline.
Both turning points surfaced a longstanding problem for the industry.
“The first problem with the cyber industry is that the past doesn’t necessarily predict the future,” said Monica Shokrai, head of business risk and insurance at Google Cloud.
Most lines of insurance, such as auto insurance, rely on historical loss data to predict future risk.
Cybersecurity insurance analysts, on the other hand, are up against a rapidly changing threat landscape, making it difficult to know what kinds of risks companies will face in the year ahead. Take for instance the rapid rise in ransomware attacks over the past few years. A flood of high-cost claims caught the industry by surprise, leading to skyrocketing premiums and reduced coverage.
When ransomware and other attacks hit critical infrastructure, assessing the risk becomes even more difficult.
“[The public sector and the private sector] don’t have a sufficiently mature view of the systemic risks and cyber risks to critical infrastructure,” said Phillips.
The devil is in the data
Part of the problem, experts say, is getting good data to build actuarial models. Cyber incidents often go unreported, and there is no comprehensive data set from either industry or government. A law passed earlier this year, the Cyber Incident Reporting for Critical Infrastructure Act, requires critical infrastructure owners and operators to report incidents to CISA and may help, but its reporting requirements won't take effect for at least another two years.
There are also private sector initiatives seeking to close the data gap. CyberAcuView, a 20-member consortium of global cyber insurance companies, formed last year to pool data and experience to address industry problems such as assessing systemic risk.
Should the government intervene?
Some federal backstop for cyber losses already exists. The Terrorism Risk Insurance Program (TRIP), created in 2002 to share insurers' losses from certified acts of terrorism, covers cyber incidents that are “violent or coercive in nature.”
That insurance has been insufficient in part because there’s no clear definition of what kind of cyberattacks apply, experts say.
Instead, insurers are left with “a kind of vague sense the federal government might provide some support for insurance in the event of a really catastrophic cyber attack, but without [the government] defining what the parameters of that are,” said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.
As government auditors now ask CISA and the FIO to report to Congress on whether the federal government should create a federal funding mechanism as a backstop for the industry, experts are hoping that policymakers don't repeat those mistakes.
One good initial step, insurers say, would be for the government to provide a clearer definition of what counts as critical infrastructure. Without that guidance, experts say, it is difficult for the industry to know how to set limits on policies.
Even when high-risk scenarios are defined, the minimum standards that insurers should enforce aren’t always clear. More government guidance on cybersecurity standards could also help, experts say.
“A lot of the traditional assessment techniques that insurers would rely on or other companies rely on are not yet present in the operational technology space that several of these critical infrastructure providers will rely on,” said Sharon Chand, a principal with Deloitte’s cyber risk services. As a result, it’s more difficult to assess what to put “in place to protect against some of those high priority cyber threat scenarios.”
The private sector is prepared to step up in other ways, says CyberAcuView’s CEO Mark Camillo. He suggested the market can bring in additional capacity by introducing investor-backed securities, for instance. “We want to get as far as we can take it and then we can look at other types of public-private partnerships to cover some of those gaps.”