From: Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP
Sent: Monday, October 24, 2022 3:04 PM
To: 'Richard Ifft'; 'Jeremiah Pam'; 'Philip Goodman'
Cc: Mary Rasmussen
Subject: Potential Federal Insurance Response to Catastrophic Cyber Incidents
Federal Insurance Office,
Thanks for soliciting feedback on cyber insurance and catastrophic cyber incidents. Here is my response to your request for information:
Catastrophic Cyber Incidents
1. Nature of Event. What type of cyber incidents could have a catastrophic effect on U.S. critical infrastructure?
GTR: An attack on our power grids would have a catastrophic effect. Idaho National Labs conducted a test, physically destroying a 27-ton power generator over the Internet. They hacked into the control system and instructed the generator to tear itself apart. The generator began to shake and finally smoke appeared. At the time it took months to replace one of these custom-made generators. If many generators are destroyed at once, replacement time and duration of the power outage increase. It has been years since that test and replacement of destroyed hardware may be less of an issue. However, that scenario raises reasonable concern of a simultaneous attack on our power grids and the resulting impact.
How likely are such incidents? Are particular sectors of U.S. critical infrastructure more susceptible to such incidents?
GTR: These are questions for your partners at CISA and DHS. They have that information.
3. Cybersecurity Measures. What cybersecurity measures would most effectively reduce the likelihood or magnitude of catastrophic cyber incidents?
GTR: Cybersecurity Program: It is necessary to implement controls in accordance with a cybersecurity framework to reduce the likelihood or magnitude of catastrophic cyber incidents. There must be a formal cybersecurity program, with a leader who presents to the board of directors or similar executive forum.
Control Standards: It is necessary for the federal government to provide sector-specific control standards. The NIST Cybersecurity Framework provides a foundation of 108 controls. However, there are differing architectures and technology within critical infrastructure, such as Operational Technology within power grids and water systems.
Risk Assessments: Each control framework has a requirement for a risk assessment and risk mitigation in accordance with the risk tolerance of the organization. Private sector organizations may have difficulties conducting such an assessment in practice. There is opportunity to provide clear guidance and training.
Innovation: We know current power grid implementations are vulnerable to attack. Increase resilience by funding fuel cells and solar at homes and office buildings. Produce power locally and feed excess capacity back into the grid. This approach would also increase resiliency in the event of a power outage due to a hurricane or other types of natural disasters. Use of clean energy is also good for the environment. Seems like this strategic approach could be a win on a few fronts.
What steps could the federal government take to potentially incentivize or require policyholders to adopt these measures?
GTR: Here are steps the federal government could use to influence policyholders:
- Provide cybersecurity control standards
  - Embed a maturity model with levels
- Gather evidence of current security posture
- Influence good behavior
  - Road map for enhanced security over time
  - Reduced insurance cost to match
Federal funding for critical infrastructure controls will be necessary. In some cases it will be challenging for a private sector organization to fund the necessary people, processes and technology. Much of critical infrastructure relies on Operational Technology that was not designed with security in mind and may have vulnerable technology at its core. CISA published an advisory to that effect in September 2022.
Potential Federal Insurance Response for Catastrophic Cyber Incidents
4. Insurance Coverage Availability. What are the current limitations on coverage for catastrophic cyber incidents?
GTR: Policy limits may reduce coverage. For example, an insurance policy for millions of dollars may only cover a fraction of that amount for certain events. Policy exclusions may eliminate coverage altogether (e.g. acts of cyber-war or nation-state retaliation attacks).
Cybersecurity insurance rates are rising, while coverage is being reduced (Cyber-Insurance Firms Limit Payouts, Risk Obsolescence).
Is the private market currently making available insurance for catastrophic cyber incidents that is desired by policyholders, in terms of the limits, the scope of coverage, and the type and size of businesses seeking coverage?
GTR: No. Reference the two links above.
6. Federal Insurance Response. Is a federal insurance response for catastrophic cyber incidents warranted? Why or why not?
GTR: Yes, a federal insurance response for catastrophic cyber incidents is warranted. Insurance companies and reinsurance companies cannot provide sufficient coverage while making a profit. The details are all over the news media.
7. Potential Structures for Federal Insurance Response. What structures should be considered by FIO and CISA for a potential federal insurance response for catastrophic cyber incidents? In your answer, please address:
Participation. If there were a federal insurance response, should all cyber insurers be required to participate? Should there be other conditions surrounding participation, whether for cyber insurance or policyholders?
GTR: Consider where it would be most effective to inject resources. For example:
Option 1: Fill the role of a Re-Reinsurance company. Provide funding to reinsurance companies in the event of catastrophic cyber incidents.
Option 2: Act as a reinsurance company. Provide funding to insurance companies in the event of catastrophic cyber incidents.
Option 3: Provide cybersecurity insurance directly to private sector organizations. That would place the government in direct competition with insurance companies. Not a good approach.
Option 4: Establish a captive insurance company or a trust fund, where critical infrastructure organizations contribute money into a conservative investment portfolio. In the event of a catastrophic cyber incident, the portfolio would pay out. Investment revenue above policy coverage could be used to fund cybersecurity controls.
Scope of Coverage. What should be included in the scope of coverage? For example, should it be limited to certain critical infrastructure sectors, size(s) of policyholder permitted to participate, policyholder retentions or deductibles, any required coverages, limits, deductibles, etc.?
GTR: Yes, the scope of coverage should be critical infrastructure sectors. Federal insurance should be limited to catastrophic cyber incidents. The insurance industry should continue to provide coverage for events of less severity.
Cybersecurity Measures. Should cybersecurity and/or cyber hygiene measures be required of policyholders under the structure? If so, which measures should be required?
GTR: Yes, absolutely. Insurance should be considered a backstop, a method of recovery in the gravest extreme. Critical services must be hardened against attack and have controls to be resilient and highly available.
Feedback above in 3. Cybersecurity Measures addresses which measures should be required.
The federal government needs to know whether necessary controls are in place to protect critical infrastructure. Federal insurance coverage should require cybersecurity assessments, penetration tests and red team assessments conducted by an external firm.
Assessment scope and activity:
- In scope data / services
  - Where the data is stored, processed and transmitted
  - Systems necessary for service (e.g. power grid, water systems)
- Control framework
- Evidence that controls are in place
Moral Hazard. What measures should be included to minimize potential moral hazard risks (e.g., the possibility that either insurers or policyholders might take undue risks in reliance upon a federal insurance response or fail to implement cybersecurity controls)?
GTR: (1) Only provide coverage for catastrophic cyber incidents (e.g. attack by a hostile nation state, cyberwar, etc.). That would protect critical infrastructure sectors in the gravest extreme. If a company takes too much risk, they would still be exposed to business impact, which should influence the right behaviors.
(2) Require independent assessments, etc. as a requirement for insurance coverage. That helps ensure necessary controls are in place and effective.
Consider hiring an executive from the cybersecurity insurance industry. They know what's broken and are currently constrained by the need to make a profit.
Risk Sharing. How should any structure involving private insurance address risk sharing with the government and the private insurance sector?
GTR: Carefully articulate policy language so it is clear that only catastrophic cyber incidents are covered, with definitions of in-scope events and threat actors.
Reinsurance/Capital Markets. To what extent should reinsurance arrangements, including capital markets participation, be included in any potential insurance response? How would a potential federal insurance response affect the reinsurance and capital markets?
GTR: The cost for reinsurance companies to cover catastrophic cyber incidents is becoming too high within the current threat landscape (see the two article links above). Federal cyber insurance could provide funding in the event of catastrophic impact from a hostile nation state or due to cyberwar.
Evaluation/Data Collection. How should any structure and its program administration be evaluated on an ongoing basis, whether by policymakers and/or administrators, including whether there should be reporting requirements to Congress or other authorities (and on what topics) and data collection (and which information to collect)?
GTR: Yes, annual reporting to Congress would be a good practice. Topics could include whether each organization has submitted assessment/test documentation within the past year and a risk rating for their service offering. Assessment/test findings should be further restricted to those with a need-to-know.
Consider adopting existing governance processes such as how the payment card brands ensure security controls are in place. They have a Security Standards Council, a Data Security Standard, Information Supplements, Qualified Security Assessors and Approved Scanning Vendors. No need to reinvent the wheel.
8. Effects on Cyber Insurance Market. How might a federal insurance response affect the availability and affordability of cyber insurance across the entire insurance market? What would be the effect on any part of the cyber insurance market that would remain outside the parameters of a federal insurance response?
GTR: If the federal government focuses on limiting coverage to catastrophic cyber incidents, that should not have much of an effect on insurance companies. They are already shying away from providing coverage within that scope.
However, if federal insurance required validation of a detailed set of controls, reduced risk would have an effect on the insurance industry.
Federal Insurance Office: Thanks for reaching out for feedback. I appreciate that you are adopting a thoughtful and deliberate approach to cybersecurity insurance.
Feel free to reach out to me with questions or comments.
Thanks,
Gideon
Gideon T. Rasmussen | CISSP, CRISC, CISA, CISM, CIPP | Consultant
Virtual CSO, LLC | www.virtualcso.com | www.gideonras.com