In March, the Cyberspace Solarium Commission—a bipartisan body created by the 2019 National Defense Authorization Act—released a report outlining 75 recommendations for defending the United States in cyberspace. Several recommendations specifically address the cybersecurity insurance market. While the Commission acknowledges that policies are already helping many organizations transfer their cyber risk, it cites a lack of carrier knowledge as a major obstacle to better pricing products.
To overcome this, the Commission suggests that the U.S. Department of Homeland Security (DHS) establish a private-public working group, “to collaborate in pooling and leveraging available statistics and data that can inform innovation in cyber risk modeling.” It likewise recommends the establishment of a permanent Federally Funded Research and Development Center (FFRDC) at DHS to foster this and other cybersecurity insurance initiatives.
To support its case, the Commission cites the prior work of DHS’ Cyber Incident Data and Analysis Working Group (CIDAWG). The Commission describes that work as an example of successful private-public collaboration that brought sustained attention to the insurance industry as a potential public policy partner.
I was privileged to serve as the DHS Senior Cybersecurity Strategist and Counsel who initiated and led the CIDAWG effort. I believe several lessons learned from that experience should guide a future DHS working group as it develops its cyber risk modeling agenda.
The Federal Government has had a long-standing goal of leveraging the insurance industry to incentivize the adoption of better cyber risk management practices across the private and public sectors. To do so, it wants to promote a more mature market—specifically, one that provides expanded coverage on better terms to organizations that voluntarily adopt effective cyber risk controls. This same goal informs the Commission’s current cyber risk modeling recommendation.
As envisioned, a future DHS working group would:
When I launched the CIDAWG in 2015 as part of DHS’ broader Cybersecurity Insurance Initiative, our discussions touched on these same themes. At the time, DHS’ point of reference for all things insurance was the fire insurance market.
We knew that the fire insurance market had amassed a tremendous amount of data over a century of fire losses and—through rigorous analysis—had identified fire safety controls that showed consistent value. Those controls include, for example, installing sprinkler systems in commercial buildings, locating fire extinguishers at certain distances on every floor, and using fire-resistant construction materials. Over time, each became a de facto business requirement. Without them, builders could not obtain the fire insurance coverage they desired at prices they could afford. This reality led to a revolution in fire safety that protects lives and property to this very day.
Given this history, we had a few straightforward questions:
Early on, our insurance industry participants answered, “Not yet, but we’ll get there.” Today, that answer is much closer to “yes.” As the Commission correctly notes, however, real obstacles to this nirvana state remain that improved cyber risk models could help overcome. The CIDAWG sessions made clear that some hard facts must be embraced and corresponding questions answered before true progress can happen.
During the DHS discussion, several experts compared fire risks and cyber risks and shared their thoughts on how the former might inform the latter when it comes to prevention and mitigation strategies.[1] They noted that fire risk management typically involves physics and engineering questions about chemistry, fluid dynamics, heat transfer, and materials composition. Consequently, the only direct parallel they saw between fire and cyber incidents—which typically involve intentional human activity—is arson. On that point, the experts agreed that profit is the shared goal of arsonists and cyber criminals alike.
The experts also agreed that consumer protection behaviors—such as installing smoke alarms and computer firewalls—help minimize losses in both loss contexts. The similarities, however, end there.
There are dramatic differences between fire risk and cyber risk in regards to three key areas:
What does this mean for a future DHS working group’s agenda? The bottom line is that modeling fire loss is child’s play compared to the ever-changing complexity that abounds with cyber.
To maximize success, the working group accordingly should prioritize the development of models that incorporate data sets that remain largely constant over time: cybercriminal tactics, techniques, and procedures (TTPs).
The MITRE Corp.’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, for example, is based on real-world observations of cyberattacks in progress—getting to the why and how of cybercriminals’ nefarious activities. Models rooted in these TTPs would provide much-needed insight into which controls provide the greatest cybersecurity value over time, and for which industry sectors.
Armed with this insight, brokers and underwriters could incorporate identified controls into the insurance application, underwriting, and renewal process and then “reward” the insureds adopting them with enhanced coverage options.
While the Commission rightly highlights the need for better modeling to advance the cybersecurity insurance market, it does not specify what kind of modeling would provide the greatest benefit. The CIDAWG provides an answer: cyberattacks on operational technology (OT) such as SCADA and other industrial control systems.[2]
Brokers and underwriters today have access to reams of data about the frequency and impacts of so-called “privacy events”—the well-publicized thefts of massive amounts of personal data from retailers, credit card companies, and government agencies. What they lack, however, is the same information about cyber-caused business interruption events, their duration, and related costs.
The reason for this disparity is simple. Today, all 50 states have some kind of data breach notification law that requires companies to disclose breaches involving personally identifiable information (PII) to impacted individuals and relevant authorities. The European Union’s General Data Protection Regulation (GDPR), the new California Consumer Privacy Act (CCPA), and New York’s SHIELD Act are all continuations of this trend and have laid the groundwork for developing increasingly rich data sets for future privacy modeling.
By contrast, no comparable laws exist to compel disclosures of business interruption events. Such laws are unlikely to arise in the foreseeable future given the lack of personally impacted (and loudly complaining) third parties in such events. A future DHS working group’s focus on OT cyberattack modeling would be a huge step toward filling this critical gap.
The need for OT cyber risk analysis to advance the cybersecurity insurance market—and cyber risk management investment more generally—is growing. As just one point of reference, a 2017 Ponemon Institute study assessing the oil and gas industry found the following:
More recently, a February 2020 report from the U.S. Government Accountability Office observed that cyber threats are increasing for all critical infrastructure sectors.[4] It stands to reason that they include threats to OT systems.
As a future DHS working group begins its planning, it should abide by an old adage: stop, look, and listen. The group’s success will depend largely on talking early and often to brokers and underwriters about their risk modeling needs.
Many a government program has gone off the rails because its founders failed to clarify customer requirements from the outset. They unfortunately produced seemingly wonderful outputs that were of practical use to no one. To avoid this outcome, every effort should be made to define the kinds of OT cyber risk analysis that will most help the insurance industry price the risk. Moreover, the group should regularly update this required information through constant dialogue with broker and underwriter “customers” to ensure it remains current and relevant.
Lastly, it’s important to remember that cybersecurity insurance—risk transfer—should be the final component of a comprehensive cybersecurity program that first includes investment in cyber risk prevention and mitigation efforts. A future DHS working group accordingly should explore how improved modeling could identify and promote the adoption of more effective cyber risk controls as a predicate to an insurance purchase.
While brokers and underwriters would welcome this insight, they are not the only stakeholders who stand to benefit. On the contrary, the group should invite participation by state and local governments, along with critical infrastructure owners and operators, who want to know which controls work best in order to promote the economic vitality of their communities.
To this end, the group should define requirements for cyber risk models that answer regional resiliency questions such as:
The Cyberspace Solarium Commission’s recommendation that DHS lead a renewed cybersecurity insurance engagement is a welcome one. Focusing on cyber risk modeling to help better price the risk is an important next step toward advancing the industry’s ability to provide meaningful coverage that incentivizes wise cybersecurity investment. By taking cybercriminal TTPs into account, targeting OT cyber risks as part of the modeling agenda, and bringing state and local stakeholders into the conversation, a future DHS working group will help ensure that the private and public sectors not only survive future cyber incidents but also thrive in their aftermath.
[1] U.S. Department of Homeland Security. (2012). Cybersecurity Insurance Readout Report. Retrieved from https://www.cisa.gov/sites/default/files/publications/November 2012 Cybersecurity Insurance Workshop.pdf
[2] U.S. Department of Homeland Security. (2015). The Value Proposition for a Cyber Incident Data Repository. Retrieved from https://www.cisa.gov/sites/default/files/publications/dhs-value-proposition-white-paper-2015_v2.pdf
[3] Ponemon Institute. (2017). The State of Cybersecurity in the Oil & Gas Industry: United States. Retrieved from https://assets.new.siemens.com/siemens/assets/api/uuid:4ec3d46c-234e-4f48-9bc7-aef5889dcaba/version:1581364148/ponemoncyberreadinessinoilgasfinal.pdf
[4] U.S. Government Accountability Office. (2020). Critical Infrastructure Protection: Actions Needed to Identify Framework Adoption and Resulting Improvements (GAO-20-299). Retrieved from https://www.gao.gov/assets/710/704808.pdf
This article originally appeared as a "Decode Cyber Brief" from Willis Towers Watson. It is republished here with the permission of its author.