Sixty million school children’s personal information exposed. Thousands of flights canceled. A venerated retailer brought to its knees. Dire warnings from public officials about urgent threats to our national security.
This isn’t speculative fiction. These are all real incidents that have happened in the last year. The stakes in cyberspace are high and growing, especially as the LLM boom means society is increasingly reliant on software. Yet, repeated incidents show we are not doing enough to protect ourselves from cybercriminals or adversary nation-states. Unfortunately, Congress appears poised to leave a key tool on the shelf that could raise our cyber defenses: insurance.
In other areas of risk, insurance has a proven track record of both reducing the likelihood of incidents and helping with recovery when they do occur. Consider homeowners’ insurance: If you act recklessly—maybe by deep frying your Thanksgiving turkey indoors—your insurer may deny your claim, which incentivizes you to avoid risky behavior. Insurers also lower your premium if you make safety and security investments, like installing smoke detectors. And if a fire still breaks out, your insurance helps you recover quickly by covering the cost of repairs and even paying for a hotel room while your house is fixed.
The same set of virtuous incentives increasingly applies in cybersecurity. Cyber insurers have already shown their value in helping victims recover. Now, they are increasing underwriting standards and are even beginning to deny claims if they find reckless behavior or insufficient security investments. Policymakers should be overjoyed, as insurance represents the kind of market-based solution for cybersecurity challenges that both Democrats and Republicans have long embraced.
But there’s a problem: cyber insurance is marked by a persistent coverage gap. Today, about 90 percent of cyber damages are not insured. And the gap is being exposed. In the wake of the $2.5 billion hack of Jaguar Land Rover, the CEO of the United Kingdom’s Financial Conduct Authority said last week that the UK is “potentially massively underinsuring.”
The coverage gap exists for several reasons, including a lack of awareness of cyber insurance, since it’s a relatively new product and because it is rarely required by contracts or regulations. But as we argued in a paper published in June, one of the biggest obstacles for the industry is the risk of a “systemic” incident—and the difficulty insurers have in diversifying their policyholders to mitigate that risk.
Normally, insurers have many ways to make sure risk is “uncorrelated,” meaning the likelihood of a claim is independent of another. For example, when insuring businesses, they might aim to diversify by location, business size, or industry. This approach helps prevent all policyholders from filing claims at the same time, because of a single event or other underlying factor.
Unfortunately, that diversity is hard to come by in cyberspace. The information technology we rely on is functionally the same, no matter the location, business size or industry. For insurers, the complexity of software systems and the lack of historical claims data makes it extremely difficult to predict large-scale cyber events. This uncertainty causes insurers to raise premiums or limit coverage. As a result, the organizations that would benefit most from cyber insurance can struggle to find adequate coverage.
Fortunately, there is a practical policy solution: A government-backed reinsurance program. Such a program can cap the losses insurers face if a cyber catastrophe — known as a “grey swan” event — occurs. Even if disaster never strikes, the mere existence of this financial backstop helps lower cyber insurance costs, benefitting the entire economy. If a massive cyber incident does happen, the backstop ensures that cyber insurers continue to operate and support their policyholders. It also protects taxpayers through a built-in recoupment process. This backstop approach has worked before; after the September 11 attacks, the Terrorism Risk Insurance Program (TRIP) kept terrorism insurance market from collapsing.
Unfortunately, Congress is set to pass on a critical opportunity to enact this common-sense proposal. At a hearing last month on reauthorizing the TRIP, policymakers only seemed focused on whether or not “cyber terrorism” would qualify for the existing program.
To be clear, we agree that acts of cyber terror fall within the scope of the existing program. However, terrorism is not the acute national security threat facing us in cyberspace. Time and again, assessments of cyber threats by governments and private industry point to financially-motivated criminals and nation-state actors, not politically-motivated terror groups. A clear example of the kind of threat that should concern policymakers is NotPetya, a state-sponsored cyberattack launched by Russia against Ukraine in 2017. The attack quickly spread worldwide, causing billions of dollars in damages.
Congressional leaders are asking the wrong question. They should be asking: are the cyber incidents costing billions of dollars in damage each year covered by TRIP? If there was another NotPetya-style incident targeting American businesses, would it be covered by TRIP? How much damage have insurers themselves assessed a systemic event would cause?
A cyber reinsurance program should be different from TRIP. We encourage cybersecurity leaders, like House Homeland Security Committee Chairman Rep. Andrew Garbarino, to hold a new set of hearings on the topic with a goal of developing a legislative solution. However, in our experience, Congress moves fastest when there is a deadline. In the case of TRIP, a deadline is approaching: the program must be reauthorized by the end of next year. If Congress doesn’t use this opportunity to address cybersecurity and insurance, the issue could remain unresolved for almost another decade.
We don’t have that kind of time. Cyber terrorism is not what’s keeping us up at night. It’s cyber criminals and adversary states. Let’s hope Congress takes another shot at addressing the real challenges in cybersecurity and the critical role market-based solutions can play in protecting our nation.
Nicholas Leiserson is Senior Vice President for Policy at the Institute for Security and Technology. He previously served in the White House Office of the National Cyber Director and as a senior Congressional staffer focused on cyber issues.
RADM (Ret.) Mark Montgomery is senior director of the Foundation for the Defense of Democracies’ Center on Cyber and Technology Innovation. Mark served for more than three decades in the U.S. Navy, held senior leadership roles in Congress, and served as Executive Director of the Cyberspace Solarium Commission.
The post Don’t let Congress punt on cyber insurance reform appeared first on CyberScoop.
The cyber incidents in the headlines aren’t acts of cyber terror.
The post Don’t let Congress punt on cyber insurance reform appeared first on CyberScoop. Read MoreCyberScoop
