A major government report on cybersecurity that warns the nation is seriously underprepared for cyber attacks calls for the creation of a federally funded center to develop cybersecurity insurance certifications and a public-private partnership on cyber risk models.
“Our country is at risk, not only from a catastrophic cyber attack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our electoral system,” says the report from the Cyberspace Solarium Commission.
The commission advocates a strategic approach to cybersecurity that it refers to as “layered cyber deterrence,” which has the goal of a “reduced probability and impact of cyber attacks of significant consequence.”
It organizes its proposals around what it calls six pillars: reforming the U.S. government’s structure and organization for cyberspace; strengthening norms and nonmilitary tools; promoting national resilience; reshaping the cyber ecosystem; operationalizing cybersecurity cooperation with the private sector; and preserving and employing the military instrument of national power.
According to the report, the country is “dangerously insecure in cyber” and increasingly relies on networks of digital devices that are vulnerable, if not already compromised.
“The status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility,” says the report.
The commission says the government needs to step in because the insurance industry is failing to provide financial incentives for better cyber risk management.
The commission says the country has lost hundreds of billions of dollars to nation-state-sponsored intellectual property theft using cyber espionage and that a major cyber attack on the nation’s critical infrastructure and economic system would “create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest and hurricanes in the Southeast.”
The bipartisan commission was established by the 2019 National Defense Authorization Act. Senator Angus King (I-Maine) and Representative Mike Gallagher (R-Wis.) are co-chairs. Its members include cyber experts, private sector representatives, members of Congress and senior government officials. These “strategists, technologists, economists and policymakers” were charged with coming up with a comprehensive strategy for how the United States should defend itself in cyberspace.
In addition to its insurance proposals, the commission also recommends a new cybersecurity bureau in the State Department and a national data privacy protection law.
Another recommendation is that the government institute an economic continuity plan to ensure that the country can “rapidly restore critical functions across corporations and industry sectors” and get the economy back up and running after a catastrophic cyber attack.
It also calls for cloud security certification and for modernizing corporate accountability reporting requirements. “We do not want to saddle the private sector with onerous and counterproductive regulations, nor do we want to force companies to hand over their data to the federal government,” the authors say.
It further emphasizes a need for steps to secure elections from foreign intervention. “If we don’t get election security right, deterrence will fail and future generations will look back with longing and regret on the once powerful American Republic and wonder how we screwed the whole thing up,” the executive summary warns.
The commission’s more than 75 recommendations include several in the area of insurance.
First, the report calls on the Department of Homeland Security to launch a federally funded research and development center to work with state regulators in developing certifications for cybersecurity insurance products as well as for underwriter and claims adjuster training. According to the report, this center and its certifications are necessary, in part, because the insurance industry lacks the talent and pricing tools needed to improve cyber risk management practices in the private sector.
“A robust and functioning market for insurance products can have the same positive effect on the risk management behavior of firms as do regulatory interventions. Although the insurance industry plays an important role in enabling organizations to transfer a small portion of their cyber risk, it is falling short of achieving the public policy objective of driving better practices of risk management in the private sector more generally. The reasons for this failure are varied but largely come down to an inability on the part of the insurance industry to comprehensively understand and price risk, due in part to a lack of talented underwriters and claims adjusters and the absence of standards and frameworks for how cyber risk should be priced. This has had the combined effect of creating an opaque environment for enterprises attempting to purchase coverage and undermining the effectiveness of insurance as an incentive to push enterprises toward better security behavior.”
Thus, Congress should direct DHS to resource a Federally Funded Research and Development Center (FFRDC) to develop the following models in coordination with state insurance regulators:
Underwriter Training and Certification: For underwriters to effectively evaluate and analyze risk in a given industry, they must understand it, the report says, citing certifications now available for underwriters in other lines of insurance, including homeowners, flood, life and health. The FFRDC should work with insurers, state regulators and experts in cybersecurity risk management to develop the curricula and training courses that a cyber insurance underwriter certification would require.
Claims Adjuster Training and Certification: “Like underwriters, claims adjusters are crucial in ensuring that insurance policies can adapt to changing conditions,” the report says. The FFRDC should work with insurers, state regulators and cybersecurity risk management experts to develop training and certification models for cyber claims adjusters.
Cyber Insurance Product Certification: State insurance regulators can and often do set minimum standards that insurance products must meet in order to be offered in their state, thereby “ensuring that insurance policy provisions comply with state law, are reasonable and fair, and do not contain major gaps in coverage that might be misunderstood by consumers and leave them unprotected.” The FFRDC should develop cybersecurity product certifications based on a common lexicon and security standards.
Cyber Risk Modeling
The report continues in the area of insurance, calling for a public-private partnership on cyber risk modeling.
“For insurance to act as a de facto regulator of organizational behavior, the market for insurance must accurately price risk. Premiums and limits on insurance products must also drive firms that have bought insurance to invest in improving their cyber risk posture. Today, insurance companies lack quality datasets and models to understand, price and mitigate cyber risk. Although bad or incomplete data is a major barrier to accurately pricing cyber risk, insurers are not incentivized to pool and aggregate their data to build more robust and accurate pricing models,” the report says.
Under this proposal, a DHS public-private working group of insurance companies and cyber risk modeling companies would collaborate in pooling available statistics and data for use in developing better, more accurate cyber risk models. This group should “identify areas of common interest so that these entities can benefit from one another’s risk modeling efforts, particularly with regard to dependency mapping and the consequences of cyber disruptions.”
A third recommendation in the area of insurance calls for the exploration of government-backed reinsurance to cover catastrophic cyber events.
The authors note that the federal government currently plays a role in cyber insurance through the Treasury Department’s authority to certify cyber events as acts of terrorism that trigger Terrorism Risk Insurance Act (TRIA) protections. Also, the Government Accountability Office (GAO) has been authorized to assess the current state of cyber insurance.
However, the commission believes, the federal government is in a position to do more. The commission supports having the GAO work with relevant departments and agencies, including the Department of Commerce, DHS and Department of the Treasury, to also study:
- Current exclusions in property/casualty insurance policies, including act-of-war exclusions, and the complications of carrying them over into cyber insurance policies.
- The existing scope of TRIA to assess whether it is sufficiently broad to cover cyber events perpetrated by nation-states, which most general property/casualty insurance policies currently exclude or attempt to exclude.
- If the triggering threshold for TRIA—a loss of $200 million, as of the 2020 reauthorization—is the appropriate size to trigger a similar backstop for catastrophic cyber events.
- Comparative models of federal share percentage of a cyber insurance-related backstop.
- What types of cyber events constitute “certified acts of terrorism” and whether this provides a sufficient backstop for insurers, as many major cyber events, particularly those perpetrated by nation-states, may not fit squarely under the definition of “certified act of terrorism.”
- What events and which entities would be covered by a backstop, given that terror attacks generally take place in and affect a confined area, while some cyber incidents are not bound by geography. For example, the study should address whether a cyber attack on an American company affecting only assets in another jurisdiction would qualify.
The commission members urged the public to demand that government and private sector leaders “act with speed and agility” to address the cyber threats.