From: Gideon T. Rasmussen, CISSP,
CRISC, CISA, CISM, CIPP
Sent: Monday, October 24, 2022 3:04 PM
To: 'Richard Ifft'; 'Jeremiah Pam'; 'Philip Goodman'
Cc: Mary Rasmussen
Subject: Potential Federal Insurance Response to Catastrophic Cyber Incidents
Federal Insurance Office,
Thanks for soliciting feedback on cyber insurance and catastrophic cyber incidents. Here is my response to your request for information:
Catastrophic Cyber Incidents
1. Nature of Event. What type of cyber incidents could have a catastrophic effect on U.S. critical infrastructure?
GTR: An attack on our power grids would have a catastrophic effect. Idaho National Labs conducted a test, physically destroying a 27-ton power generator over the Internet. They hacked into the control system and instructed the generator to tear itself apart. The generator began to shake and finally smoke appeared. At the time it took months to replace one of these custom made generators. If many generators are destroyed at once, replacement time and duration of the power outage increases. It has been years since that test and replacement of destroyed hardware may be less of an issue. However, that scenario raises reasonable concern of a simultaneous attack on our power grids and resulting impact.
How likely are such incidents? Are particular sectors of U.S. critical infrastructure more susceptible to such incidents?
GTR: These are questions for your partners at CISA and DHS. They have that information.
3. Cybersecurity Measures. What cybersecurity measures would most effectively reduce the likelihood or magnitude of catastrophic cyber incidents?
Program: It is necessary to implement controls in accordance with a
cybersecurity framework to reduce the likelihood or magnitude of catastrophic
cyber incidents. There must be a formal cybersecurity program, with a leader
that presents to the board of directors or similar executive forum.
Control Standards: It is necessary for the federal government to provide sector-specific control standards. The NIST Cybersecurity Framework provides a foundation at 108 controls. However, there are differing architectures and technology within critical infrastructure such as Operational Technology within power grids and water systems.
Risk Assessments: Each control framework has a requirement for a risk assessment and risk mitigation in accordance with the risk tolerance of the organization. Private sector organizations may have difficulties conducting such an assessment in practice. There is opportunity to provide clear guidance and training.
Innovation: We know
current power grid implementations are vulnerable to attack. Increase resilience
by funding fuel cells and solar at homes and office buildings. Produce power
locally and feed excess capacity back into the grid. This approach would also
increase resiliency in the event of a power outage due to a hurricane or other
types of natural disasters. Use of clean energy is also good for the
environment. Seems like this strategic approach could be a win on a few fronts.
What steps could the federal government take to potentially incentivize or require policyholders to adopt these measures?
GTR: Here are steps the federal government could use to influence policyholders:
Provide cybersecurity control standards
- Embed a maturity model with levels
Gather evidence of current security posture
Influence good behavior
- Road map for enhanced security over time
- Reduced insurance cost to match
Federal funding for critical infrastructure controls will be necessary. In some cases it will be challenging for a private sector organization to fund the necessary people, processes and technology. Much of critical infrastructure relies on Operational Technology that was not designed with security in mind and may have vulnerable technology at its core. CISA published an advisory to that effect in September 2022.
Potential Federal Insurance Response for Catastrophic
4. Insurance Coverage Availability. What are the current limitations on coverage for catastrophic cyber incidents?
GTR: Policy limits may reduce coverage. For example, an insurance policy for millions of dollars may only cover a fraction of that amount for certain events. Policy exclusions may eliminate coverage altogether (e.g. acts of cyber-war or nation-state retaliation attacks). Cybersecurity insurance rates are rising, while coverage is being reduced (Cyber-Insurance Firms Limit Payouts, Risk Obsolescence).
Is the private market currently making available insurance for catastrophic cyber incidents that is desired by policyholders, in terms of the limits, the scope of coverage, and the type and size of businesses seeking coverage?
GTR: No. Reference the two links above.
6. Federal Insurance Response. Is a federal insurance response for catastrophic cyber incidents warranted? Why or why not?
GTR: Yes, a federal insurance response for catastrophic cyber incidents is warranted. Insurance companies and reinsurance companies cannot provide sufficient coverage while making a profit. The details are all over the news media.
7. Potential Structures for Federal Insurance Response. What structures should be considered by FIO and CISA for a potential federal insurance response for catastrophic cyber incidents? In your answer, please address:
Participation. If there were a federal insurance response, should all cyber insurers be required to participate? Should there be other conditions surrounding participation, whether for cyber insurance or policyholders?
GTR: Consider where it would be most effective to inject resources. For example:
Option 1: Fill the role of a Re-Reinsurance company. Provide funding to reinsurance companies in the event of catastrophic cyber incidents.
Option 2: Act as a reinsurance company. Provide funding to insurance companies in the event of catastrophic cyber incidents.
Option 3: Provide cybersecurity insurance directly to private sector organizations. That would place the government in direct competition with insurance companies. Not a good approach.
Option 4: Establish a captive insurance company or a trust fund, where critical infrastructure organizations contribute money into a conservative investment portfolio. In the event of a catastrophic cyber incident, the portfolio would pay out. Investment revenue above policy coverage could be used to fund cybersecurity controls.
Scope of Coverage. What should be included in the scope of coverage? For example, should it be limited to certain critical infrastructure sectors, size(s) of policyholder permitted to participate, policyholder retentions or deductibles, any required coverages, limits, deductibles, etc.?
GTR: Yes, the scope of coverage should be critical infrastructure sectors. Federal insurance should be limited to catastrophic cyber incidents. The insurance industry should continue to provide coverage for events of less severity.
Cybersecurity Measures. Should cybersecurity and/or cyber hygiene measures be required of policyholders under the structure? If so, which measures should be required?
GTR: Yes, absolutely. Insurance should be considered a backstop, a method of recovery in the gravest extreme. Critical services must be hardened against attack and have controls to be resilient and highly available.
Feedback above in 3. Cybersecurity Measures addresses which measures should be required.
The federal government needs to know whether necessary controls are in place to protect critical infrastructure. Federal insurance coverage should require cybersecurity assessments, penetration tests and red team assessments conducted by an external firm.
Assessment scope and activity:
In scope data / services
- Where the data is stored, processed and transmitted
- Systems necessary for service (e.g. power grid, water systems)
Evidence that controls are in place
Moral Hazard. What measures should be included to minimize potential moral hazard risks (e.g., the possibility that either insurers or policyholders might take undue risks in reliance upon a federal insurance response or fail to implement cybersecurity controls)?
GTR: (1) Only provide coverage for catastrophic cyber incidents (e.g. attack by a hostile nation state, cyberwar, etc.). That would protect critical infrastructure sectors in the gravest extreme. If a company takes too much risk, they would still be exposed to business impact, which should influence the right behaviors.
(2) Require independent assessments, etc. as a requirement for insurance coverage. That helps ensure necessary controls are in place and effective.
Consider hiring an executive from the cybersecurity insurance industry. They know whats broken and are currently constrained by the need to make a profit.
Risk Sharing. How should any structure involving private insurance address risk sharing with the government and the private insurance sector?
GTR: Carefully articulate policy language so it is clear that only catastrophic cyber incidents are covered, with definitions of in-scope events and threat actors.
Reinsurance/Capital Markets. To what extent should reinsurance arrangements, including capital markets participation, be included in any potential insurance response? How would a potential federal insurance response affect the reinsurance and capital markets?
GTR: The cost for reinsurance companies to cover catastrophic cyber incidents is becoming too high within the current threat landscape (see the two article links above). Federal cyber insurance could provide funding in the event of catastrophic impact from a hostile nation state or due to cyberwar.
Evaluation/Data Collection. How should any structure and its program administration be evaluated on an ongoing basis, whether by policymakers and/or administrators, including whether there should be reporting requirements to Congress or other authorities (and on what topics) and data collection (and which information to collect)?
GTR: Yes, annual reporting to Congress would be a good practice. Topics could include whether each organization has submitted assessment/test documentation within the past year and a risk rating for their service offering. Assessment/test findings should be further restricted to those with a need-to-know.
Consider adopting existing governance processes such as how the payment card brands ensure security controls are in place. They have a Security Standards Council, a Data Security Standard, Information Supplements, Qualified Security Assessors and Approved Scanning Vendors. No need to reinvent the wheel.
8. Effects on Cyber Insurance Market. How might a federal insurance response affect the availability and affordability of cyber insurance across the entire insurance market? What would be the effect on any part of the cyber insurance market that would remain outside the parameters of a federal insurance response?
GTR: If the federal government focuses on limiting coverage to catastrophic cyber incidents, that should not have much of an effect on insurance companies. They are already shying away from providing coverage within that scope.
However, if federal insurance required validation of a detailed set controls, reduced risk would have an effect on the insurance industry.
Federal Insurance Office: Thanks for reaching out for feedback. I appreciate that you are adopting a thoughtful and deliberate approach to cybersecurity insurance.
Feel free to reach out to me with questions or comments.
Gideon T. Rasmussen | CISSP, CRISC, CISA, CISM, CIPP | Consultant
Virtual CSO, LLC | www.virtualcso.com | www.gideonras.com