Five ways the Biden administration could impact cyber insurance


Recent remarks from the newly inaugurated president have alluded to a greater government presence in cybersecurity arenas.

As President Joe Biden pledges to level up cybersecurity response and operations in the wake of the SolarWinds cyberattack, expect the new administration to build upon the current cybersecurity infrastructure. The benefits and drawbacks for the insurance industry are, of course, not certain, but based on previous policies, commissioned reports, and Biden’s recent moves, we’ll outline some possible impacts on cyber insurance.

Background on cyber policy

The Trump administration made a number of notable cybersecurity policy and strategic moves. The most notable were the creation of the 2018 National Cyber Strategy, which gave birth to the Cybersecurity and Infrastructure Security Agency (CISA), and the removal of the dedicated Cyber Coordinator position. Further, the Trump administration brought its cyber policy to bear through a variety of laws, executive orders, and directives. Some of those actions include:

Generally, the Trump administration steered away from legislation and executive actions that would bring government policy and the insurance sector together.

Biden is preparing to leverage some of the Trump administration’s changes and ramp up security operations. The newly inaugurated 46th President has already earmarked $9B for CISA and echoed the need to “modernize and secure federal IT networks” similar to Executive Order 13800. This agenda was amplified in urgency and importance as the SolarWinds hack was exposed: “My administration will make cybersecurity a top priority at every level of government, and we will make dealing with this breach a top priority from the moment we take office,” Biden said on December 17th, four days after the devastating attack was first reported.

Biden promises to “elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyberattacks,” alluding to greater government presence in cybersecurity arenas.

The new administration’s possible impact on cyber

Below are a few potential scenarios and their impact on cyber insurance.

Federal privacy legislation

Given the Democratic majority now in both houses, tech-related legislation is likely to pick up the pace, especially regarding cybersecurity. One issue that is bound to get lawmakers’ attention is data privacy.

As the privacy landscape continues to evolve, we can expect that more states will adopt legislation regarding data collection practices, mechanisms for proper accountability, as well as compliance. Currently, there are several states with legislation in place, including California (California Consumer Privacy Act – CCPA), New York (the “SHIELD Act”), Maine (Maine Act to Protect the Privacy of Online Consumer Information), and Nevada (NV SB220), to name a few.

At the current rate of adoption by the individual states, we could see the White House and Congress move to adopt a federal act, as well. In previous years, legislators have introduced national bills, including the U.S. Consumer Data Protection Act, the Filter Bubble Transparency Act, and the Deceptive Experiences To Online Users Reduction Act, to no avail. The most recent bill, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA Act), is a bipartisan effort introduced to Congress in September 2020. With the Democrats controlling Congress and the White House, the SAFE DATA Act, or a future version of it, has a good chance of becoming law.

This means businesses would need to adhere to a national standard along with state requirements. Inevitably, businesses will get breached and be in violation of possible state and federal legislation, driving up penalties, lawsuits, and reparations for damage done.  Insurers will be covering these increased losses, which will drive up premiums and evolve coverage as the market continues to harden.

Government vendors will have to carry cyber coverage

As part of the government’s efforts to minimize its own risk, the Biden administration could require vendors to carry cyber coverage as a way of minimizing the damage from breaches and cybercriminals.

The idea is not new.

The state of California almost passed Bill 2320 that would require any business that contracts with the state and has access to personal information records protected under the state’s Information Practices Act (IPA) to carry cyber coverage.

The congressionally mandated Cyberspace Solarium Commission (CSC) included a recommendation to require contractors to carry cyber insurance, as well. The CSC report carries weight with legislators — several of the CSC’s recommendations have already landed in Congress in the form of recommended bill amendments, but little has made progress to date.  With a willing partner in Congress, Biden’s cybersecurity team will undoubtedly turn to the CSC report as a guide to beef up the government’s defenses, including implementing a requirement of coverage for federal vendor partners. Naturally, this would be a boon to carriers and brokers alike as thousands of companies would be required to seek stand-alone cyber coverage and/or expand their current policies.

When is a cyberattack not a cyberattack?

Even before COVID-19, the cyber threatscape was expanding, with cybercriminals ranging from basement hackers to nation-state-sanctioned criminal entities growing more sophisticated and more brazen with each success. Concurrently, small- to medium-sized businesses (SMBs) and public sector institutions are now more in the crosshairs of bad actors, making virtually any business, municipality, or government office in the country a target.

President Biden may look to more aggressive tactics such as robust counterattacks or even offensive actions such as the Offensive Cyber Effects Operations (OCEOs) that President Obama considered, as laid out in Presidential Policy Directive 20 (PPD20) in 2012. (PPD20 was a classified initiative until June 2013, when former NSA intelligence analyst Edward Snowden made its existence public.)

These actions were defined as “operations and related programs or activities … conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States government networks.”

This could quickly create a lex talionis situation with bad actors retaliating by targeting US businesses and public sector operations for purposes other than profit. The biggest challenge for insurers then becomes correctly identifying the perpetrators of the attack and the nature of the attack itself.  Was the hacker a state-sponsored group, lone wolf, or something else?

Depending on the attacker and victim, a cyberattack could be defined as “other,” such as an act of terrorism or war. If the hack is determined to be one of the latter, cyber insurance may not cover the event. The attack itself could also change what coverage is triggered: DDoS attacks and data grabs suggest less of a financial incentive than ransomware or socially engineered computer fraud. Even without any aggressive policy in place, identifying an attack’s nature and what coverage is triggered will only grow in complexity, making claim settlements more difficult.

The creation of a Central Bureau Of Cyber Statistics

The CSC also recommends creating a federal institution with the intention of sharing collected data, both public and private, with insurers to improve actuarial practices for better risk understanding.

The commission recommends that this new agency, the Bureau of Cyber Statistics (BCS), be granted the ability to collect “aggregated, anonymized, minimized data on cyber incidents” from government bodies and companies “that regularly collect cyber incident data as a part of their business.” The commission directly called out the insurance industry as a potential provider of data. The BCS would also procure data from breached companies themselves. This would require a national notification law to mandate the reporting of cyber events.

Conversely, the BCS would share its data with a select group of private-sector segments. The commission report specifically mentions insurance as one of those areas that would have access to this data. The BCS could prove to be a valuable tool in cyber underwriting and actuarial practice.

Creation of a national cyber reinsurance program

In November, the Treasury Department requested details from the CSC asking for feedback on how it should define cyber events emanating from outside the U.S. for the purpose of including cyber events into a national reinsurance program, possibly under the umbrella of the Terrorism Risk Insurance Act (TRIA). The idea is to hedge against a “cyber Pearl Harbor” by providing backstop reinsurance for cyber-insurers. This was also a policy recommendation from the Obama administration. Given Biden’s position as Vice President in that administration, as well as the CSC’s recommendation, look for possible legislation to either create such a program and/or include greater cyber definitions within the TRIA.

Of course, no one knows what the future holds. Still, based on the recent history of legislative efforts, increased cybercriminal activity, and promises made by the incoming administration, cyber insurance will be a larger part of this new future.
