Cyber Intelligence Initiative

Ethan Burger discusses cyber insurance for the Cyber and Future Technologies Society

On March 9, IWP Cyber Intelligence Initiative Instructor and Advisory Board Member Ethan Burger gave a talk on the topic of “Cyber-Insurance and the Need for a New Model of the National Interest” at an event organized by the Cyber and Future Technologies Society at the Army and Navy Club in Washington, D.C.

To express the need to be aware of the danger posed by cybersecurity threats, Mr. Burger compared a potential computer virus to the ongoing outbreak of COVID-19. He outlined the theoretically appropriate steps to take in order to manage a crisis. He noted that, in a public health crisis, everyone is encouraged to keep good personal hygiene to reduce risk to others. Similarly, he argued, organizations should keep good “cyber-hygiene” because a “failure to do so poses a threat to other” organizations.

But on whom does the “responsibility” fall for making sure these organizations keep good “cyber-hygiene” in an increasingly globalized world? Mr. Burger argued that there is a model for joint public and private partnership for cybersecurity that can overcome this issue to some extent. Noting President Obama’s creation of the National Institute of Standards and Technology (NIST), Mr. Burger pointed out that there is now a “Framework for Improving Critical Infrastructure Cybersecurity” implemented by NIST that is widely employed in both the private and public sectors.

However, Mr. Burger highlighted the argument that cybersecurity regulation needs to go further. He quoted Robert Knake from the Council on Foreign Relations, who argues that the government should force private corporations to be more open about the state of cybersecurity in the private sector, for example, by requiring the disclosure of intellectual property thefts. He argued that measures such as these will open the market for “cyber-insurance,” since the economic consequences of cyber-attacks on the private sector will be more widely felt and understood.

Adding to this, Mr. Burger also pointed out a report by the Council of Economic Advisers, which, in 2016, claimed that the private sector underinvests in cybersecurity protection and that the government should fill that investment gap in order to prevent the highly damaging fallout to the U.S. economy that a cyber-attack on a private organization would inevitably create.

Mr. Burger then discussed the current state of cyber-insurance. He noted that cyber-insurance may be at risk of facing “moral hazard.” Moral hazard describes how comprehensive insurance policies decrease the incentive for insureds to defend their assets, or, in this case, their data, since firms will be covered by insurance companies, who, in turn, are covered by the government. This leaves the door open for calls for government intervention should a wide-scale attack occur that affects multiple corporations. To this end, the Department of Homeland Security seems to promote cyber-insurance to reduce the number of cyber-attacks. It also seems to be promoting good “cyber-hygiene” and “encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.”

Some key studies that helped Mr. Burger formulate his opinions include a study on the insurance industry’s cyber risk, which concluded that a cyber-attack could cause more than $53 billion worth of damage, and an Institute of Insurance Economics study which found that, while it is possible to insure against “cyber risks of daily life,” organizations tend to under-insure when it comes to their cybersecurity. This report also found that extreme scenarios, like the breakdown of critical infrastructure, are incredibly difficult to insure against, but are unlikely to occur in the next ten years. As such, a two-tier approach is needed, one that increases the insurability of “cyber risks of daily life” by fomenting cooperation in the private sector, and also addresses extreme scenarios through government programs and sector-wide initiatives.

A key question that needs to be answered, according to Mr. Burger, is why the cyber-insurance market is not “mature.” For Mr. Burger, this is because there is a lack of trust between insurance companies and potential insureds. Insurance companies are over-willing to write cyber-insurance policies to cash in on an emerging market but are also eager to find reasons to deny coverage, and the language surrounding cyber-insurance has not yet been standardized, making litigation an all-too-real concern.

Learning from our past mistakes is key to developing the cyber-insurance market and to maintaining good cyber-hygiene going forward. For Mr. Burger, the WannaCry and [Not]Petya attacks of 2017 show that not enough people are covered by cyber-insurance, that the globalized nature of the modern world means that cyber-attacks are a truly global issue, and that “good cyber-hygiene practices could have prevented infection.” Furthermore, according to an IBM report, the average cost of a data breach in the United States was $8.19 million in 2019, highlighting the need for robust cyber-insurance.

Mr. Burger also raised some concerning questions about cyber-insurance:

  • “If the global value of cyber-insurance premiums written is estimated at $3.5bn, but the global cost of cyber-crime exceeds $450bn annually, can the cyber-insurance market be viable? Can these numbers be trusted?”
  • “When the cyber-insurance policy is in force, how can insurers be confident that the insureds’ cybersecurity ‘baselines’ are being observed?”
  • “Is the interconnectedness of the economy and the Internet of Things likely to cause a collapse in consumer and business confidence [in the event of a major cyber-attack]?”

So, what should the government do? Mr. Burger summarized the actions governments can take. These actions include incentivizing the use of standardized insurance policy provisions and language, creating cyber-insurance policy pools (for example, giving small businesses tax incentives to buy cyber-insurance), and establishing federal level programs modeled after flood or terrorist response programs.

Mr. Burger concluded with an appendix that summarized the findings from some studies he had read. His presentation, which includes the appendix slides, is available for download.

