Tom Finan shares his experience with the Dept. of Homeland Security to improve cyber risk modeling and controls.

In March, the Cyberspace Solarium Commission—a bipartisan body created by the 2019 National Defense Authorization Act—released a report outlining 75 recommendations for defending the United States in cyberspace. Several recommendations specifically address the cybersecurity insurance market. While the Commission acknowledges that policies are already helping many organizations transfer their cyber risk, it cites a lack of carrier knowledge as a major obstacle to better pricing products.

To overcome this, the Commission suggests that the U.S. Department of Homeland Security (DHS) establish a private-public working group, “to collaborate in pooling and leveraging available statistics and data that can inform innovation in cyber risk modeling.” It likewise recommends the establishment of a permanent Federally Funded Research and Development Center (FFRDC) at DHS to foster this and other cybersecurity insurance initiatives.

To support its case, the Commission cites the prior work of DHS’ Cyber Incident Data and Analysis Working Group (CIDAWG). The Commission describes that work as an example of successful private-public collaboration that brought sustained attention to the insurance industry as a potential public policy partner.

I was privileged to serve as the DHS Senior Cybersecurity Strategist and Counsel who initiated and led the CIDAWG effort. I believe several lessons learned from that experience should guide a future DHS working group as it develops its cyber risk modeling agenda.

Building on past insight

The Federal Government has had a long-standing goal of leveraging the insurance industry to incentivize the adoption of better cyber risk management practices across the private and public sectors. To do so, it wants to promote a more mature market—specifically, one that provides expanded coverage on better terms to organizations that voluntarily adopt effective cyber risk controls. This same goal informs the Commission’s current cyber risk modeling recommendation.

As envisioned, a future DHS working group would:

• Develop frameworks and research methodologies to understand and accurately price cyber risk
• Conduct research on the applicability and utility of common frameworks, controls, and “essentials” as baseline requirements for reducing premiums in pricing insurance risk
• Identify common areas of interest for pooling anonymized data from which to derive better, more accurate [cyber] risk models

When I launched the CIDAWG in 2015 as part of DHS’ broader Cybersecurity Insurance Initiative, our discussions touched on these same themes. At the time, DHS’ point of reference for all things insurance was the fire insurance market.

We knew that the fire insurance market had amassed a tremendous amount of data over a century of fire losses and—through rigorous analysis—had identified fire safety controls that showed consistent value. Those controls include, for example, installing sprinkler systems in commercial buildings, locating fire extinguishers at certain distances on every floor, and using fire resistant construction materials. Over time, each became a de facto business requirement. Without them, builders could not obtain the fire insurance coverage they desired at prices they could afford. This reality led to a revolution in fire safety that protects lives and property to this very day.

Given this history, we had a few straightforward questions:

• Could the cybersecurity insurance market do the same thing?
• Could it help identify the kinds of cyber risk controls that—if adopted—would differentiate “safer” companies from less safe peers and provide them access to more coverage on more favorable terms?

Early on, our insurance industry participants answered, “Not yet, but we’ll get there.” Today, that answer is much closer to “yes.” As the Commission correctly notes, however, real obstacles to this nirvana state remain that improved cyber risk models could help overcome. The CIDAWG sessions made clear that some hard facts must be embraced and corresponding questions answered before true progress can happen.

Lessons learned

Cyber risk is not fire risk

During the DHS discussion, several experts compared fire risks and cyber risks and shared their thoughts on how the former might inform the latter when it comes to prevention and mitigation strategies.¹ They noted that fire risk management typically involves physics and engineering questions about chemistry, fluid dynamics, heat transfer, and materials composition. Consequently, the only direct parallel they saw between fire and cyber incidents—which typically involve intentional human activity—is arson. On that point, the experts agreed that profit is the shared goal of arsonists and cyber criminals alike.

The experts also agreed that consumer protection behaviors—such as installing smoke alarms and computer firewalls—help minimize losses in both loss contexts. The similarities, however, end there.

There are dramatic differences between fire risk and cyber risk in regards to three key areas:

• Scale: When committing their crimes, arsonists set in motion a defined physical process that usually culminates in damage to one or two buildings (at most) before containment. Corresponding losses at this scale can be estimated with considerable precision. By contrast, cyber incidents can arise from any one of thousands of malware variants, causing a wide range of potential virtual and physical impacts to just one or many thousands of companies globally.
• Skill: The unsophisticated juveniles who set most arson fires with a match and common household accelerants stand in stark contrast to the tech-savvy cyber criminals who commit cybercrimes. Those cyber criminals often have access to extensive resources to support their malicious activity—enabling them to discover previously unknown vulnerabilities, evolve new kinds of malware to exploit them, and do their damage sometimes for years without detection.
• Size: The relatively small number of arson fires each year pales in comparison to the thousands (if not millions) of cyber incidents that occur annually. Given their distinct characteristics, moreover, each critical infrastructure sector experiences cyber losses differently. Each therefore must identify and adopt controls suited to their particular cyber risk challenges.

What does this mean for a future DHS working group’s agenda? The bottom line is that modeling fire loss is child’s play compared to the ever-changing complexity that abounds with cyber.

To maximize success, the working group accordingly should prioritize the development of models that incorporate data sets that remain largely constant over time: cybercriminal tactics, techniques, and procedures (TTPs).

The MITRE Corp.’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, for example, is based on real-world observations of cyberattacks in progress — getting to the why and how cybercriminals conduct their nefarious activities. Models rooted in these TTPs would provide much needed insight into which controls provide the greatest cybersecurity value over time for what industry sectors.

Armed with this insight, brokers and underwriters could incorporate identified controls into the insurance application, underwriting, and renewal process and then “reward” the insureds adopting them with enhanced coverage options.

Prioritize operational risk, not privacy risk

While the Commission rightly highlights the need for better modeling to advance the cybersecurity insurance market, it does not specify what kind of modeling would provide the greatest benefit. The CIDAWG provides an answer: cyberattacks on operational technology (OT) such as SCADA and other industrial control systems.²

Brokers and underwriters today have access to reams of data about the frequency and impacts of so-called “privacy events”—the well-publicized thefts of massive amounts of personal data from retailers, credit card companies, and government agencies. What they lack, however, is the same information about cyber-caused business interruption events, their duration, and related costs.

The reason for this disparity is simple. Today, all 50 states have some kind of data breach notification law that requires companies to disclose breaches involving personally identifiable information (PII) to impacted individuals and relevant authorities. The European Union’s General Data Protection Regulation (GDPR), the new California Consumer Privacy Act (CCPA), and New York’s SHIELD Act are all continuations of this trend and have laid the groundwork for developing increasingly rich data sets for future privacy modeling.

By contrast, no comparable laws exist to compel disclosures of business interruption events. Such laws are unlikely to arise in the foreseeable future given the lack of personally impacted (and loudly complaining) third parties in such events. A future DHS working group’s focus on OT cyberattack modeling would be a huge step toward filling this critical gap.

The need for OT cyber risk analysis to advance the cybersecurity insurance market—and cyber risk management investment more generally—is growing. As just one point of reference, a 2017 Ponemon Institute study assessing the oil and gas industry found the following:

• 68% of oil and gas companies reported experiencing at least one cyber compromise to their OT environment in the prior twelve months
• 67% reported that cyber risks to industrial control systems had increased in recent years
• 61% described their organizations’ industrial control systems protections as inadequate
• 59% reported that cyber risks to their OT systems was greater than to their IT systems³

More recently, a February 2020 report from the U.S. Government Accountability Office observed that cyber threats are increasing for all critical infrastructure sectors.⁴ It stands to reason that they include threats to OT systems.

Define requirements for the insurance industry . . . and beyond

As a future DHS working group begins its planning, it should abide by an old adage: stop, look, and listen. The group’s success will depend largely on talking early and often to brokers and underwriters about their risk modeling needs.

Many a government program has gone off the rails because its founders failed to clarify customer requirements from the outset. They unfortunately produced seemingly wonderful outputs that were of practical use to no one. To avoid this outcome, every effort should be made to define the kinds of OT cyber risk analysis that will most help the insurance industry price the risk. Moreover, the group should regularly update this required information through constant dialogue with broker and underwriter “customers” to ensure it remains current and relevant.

Lastly, it’s important to remember that cybersecurity insurance—risk transfer—should be the final component of a comprehensive cybersecurity program that first includes investment in cyber risk prevention and mitigation efforts. A future DHS working group accordingly should explore how improved modeling could identify and promote the adoption of more effective cyber risk controls as a predicate to an insurance purchase.

While brokers and underwriters would welcome this insight, they are not the only stakeholders who stand to benefit. On the contrary, the group should invite participation by state and local governments, along with critical infrastructure owners and operators, who want to know which controls work best in order to promote the economic vitality of their communities.

To this end, the group should define requirements for cyber risk models that answer regional resiliency questions such as:

• What would the cascading impacts be from a cyberattack on a particular region’s electrical grid, telecommunications systems, transportation hubs, and water supply?
• What kinds of controls investments could help halt or blunt those impacts, and where should they be deployed?
• Which government leaders should communicate with which industry leaders in order to plan joint controls investment and incident response strategies?
• Who needs to be at that planning table to enable coordinated awareness and action over time as the cyber risk landscape evolves?
• Where is the greatest need for cybersecurity insurance to supplement prevention and mitigation efforts across interconnected environments?

Conclusion

The Cyberspace Solarium Commission’s recommendation that DHS lead a renewed cybersecurity insurance engagement is a welcome one. Focusing on cyber risk modeling to help better price the risk is an important next step toward advancing the industry’s ability to provide meaningful coverage that incentivizes wise cybersecurity investment. By taking cybercriminal TTPs into account, targeting OT cyber risks as part of the modeling agenda, and bringing state and local stakeholders into the conversation, a future DHS working group will help ensure that the private and public sectors not only survive future cyber incidents but also thrive in their aftermath.

Disclaimer

Each applicable policy of insurance must be reviewed to determine the extent, if any, of coverage for COVID-19. Coverage may vary depending on the jurisdiction and circumstances. For global client programs it is critical to consider all local operations and how policies may or may not include COVID-19 coverage. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal and/or other professional advisors. Some of the information in this publication may be compiled by third party sources we consider to be reliable, however we do not guarantee and are not responsible for the accuracy of such information. We assume no duty in contract, tort, or otherwise in connection with this publication and expressly disclaim, to the fullest extent permitted by law, any liability in connection with this publication. Willis Towers Watson offers insurance-related services through its appropriately licensed entities in each jurisdiction in which it operates.

COVID-19 is a rapidly evolving situation and changes are occurring frequently. Willis Towers Watson does not undertake to update the information included herein after the date of publication. Accordingly, readers should be aware that certain content may have changed since the date of this publication. Please reach out to the author or your Willis Towers Watson contact for more information.

Footnote

¹ U.S. Department of Homeland Security. (2012). Cybersecurity Insurance Readout Report. Retrieved from
https://www.cisa.gov/sites/default/files/publications/November 2012 Cybersecurity Insurance Workshop.pdf.

² U.S. Department of Homeland Security. (2015). The Value Proposition for a Cyber Incident Data Repository. Retrieved from
https://www.cisa.gov/sites/default/files/publications/dhs-value-proposition-white-paper-2015_v2.pdf.

³ Ponemon Institute. (2017). The State of Cybersecurity in the Oil & Gas Industry: United States. Retrieved from
https://assets.new.siemens.com/siemens/assets/api/uuid:4ec3d46c-234e-4f48-9bc7-aef5889dcaba/version:1581364148/ponemoncyberreadinessinoilgasfinal.pdf.

⁴ U.S. Government Accountability Office. (2020). CRITICAL INFRASTRUCTURE PROTECTION: Actions Needed to Identify Framework Adoption and Resulting Improvements (GAO-20-299). Retrieved from
https://www.gao.gov/assets/710/704808.pdf.

This article originally appeared as a "Decode Cyber Brief" from Willis Towers Watson. It is republished here with the permission of its author.