
Five ways the Biden administration could impact cyber insurance


Recent remarks from the newly inaugurated president have alluded to a greater government presence in cybersecurity arenas.

As President Joe Biden pledges to level up cybersecurity response and operations in the wake of the SolarWinds cyberattack, expect the new administration to build upon the current cybersecurity infrastructure. The benefits and drawbacks for the insurance industry are, of course, not certain, but based on previous policies, commissioned reports, and Biden’s recent moves, we’ll outline some possible impacts on cyber insurance.

Background on cyber policy

The Trump administration made a number of notable cybersecurity policy and strategic moves, most notably the creation of the 2018 National Cyber Strategy, which gave birth to the Cybersecurity and Infrastructure Security Agency (CISA), and the removal of the dedicated Cyber Coordinator position. Further, the Trump administration brought its cyber policy to bear through a variety of laws, executive orders, and directives. Some of those actions include:

Generally, the Trump administration steered away from legislation and executive actions that would bring government policy and the insurance sector together.

Biden is preparing to leverage some of the Trump administration’s changes and ramp up security operations. The newly inaugurated 46th President has already earmarked $9B for CISA and echoed the need to “modernize and secure federal IT networks,” similar to Executive Order 13800. This agenda grew in urgency and importance as the SolarWinds hack was exposed: “My administration will make cybersecurity a top priority at every level of government, and we will make dealing with this breach a top priority from the moment we take office,” Biden said on December 17th, four days after the devastating attack was first reported.

Biden promises to “elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyberattacks,” alluding to greater government presence in cybersecurity arenas.

The new administration’s possible impact on cyber

Below are a few potential scenarios and their impact on cyber insurance.

Federal privacy legislation

Given the Democratic majority now in both houses, tech-related legislation is likely to pick up the pace, especially regarding cybersecurity. One issue that is bound to get lawmakers’ attention is data privacy.

As the privacy landscape continues to evolve, we can expect that more states will adopt legislation regarding data collection practices, mechanisms for proper accountability, as well as compliance. Currently, there are several states with legislation in place, including California (California Consumer Privacy Act – CCPA), New York (the “SHIELD Act”), Maine (Maine Act to Protect the Privacy of Online Consumer Information), and Nevada (NV SB220), to name a few.

At the current rate of adoption by the individual states, we could see the White House and Congress move to adopt a federal act as well. In previous years, legislators have introduced national bills, including the U.S. Consumer Data Protection Act, the Filter Bubble Transparency Act, and the Deceptive Experiences To Online Users Reduction Act, to no avail. The most recent bill, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA Act), is a bipartisan effort introduced in Congress in September 2020. With the Democrats controlling Congress and the White House, the SAFE DATA Act, or a future version of it, has a good chance of becoming law.

This means businesses would need to adhere to a national standard along with state requirements. Inevitably, businesses will get breached and be in violation of possible state and federal legislation, driving up penalties, lawsuits, and reparations for damage done.  Insurers will be covering these increased losses, which will drive up premiums and evolve coverage as the market continues to harden.

Government vendors will have to carry cyber coverage

As part of the government’s efforts to minimize its own risk, the Biden administration could require vendors to carry cyber coverage as a way of minimizing the damage from breaches and cybercriminals.

The idea is not new.

The state of California almost passed Bill 2320 that would require any business that contracts with the state and has access to personal information records protected under the state’s Information Practices Act (IPA) to carry cyber coverage.

The congressionally mandated Cyberspace Solarium Commission (CSC) included a recommendation to require contractors to carry cyber insurance, as well. The CSC report carries weight with legislators — several of the CSC’s recommendations have already landed in Congress in the form of recommended bill amendments, but little has made progress to date.  With a willing partner in Congress, Biden’s cybersecurity team will undoubtedly turn to the CSC report as a guide to beef up the government’s defenses, including implementing a requirement of coverage for federal vendor partners. Naturally, this would be a boon to carriers and brokers alike as thousands of companies would be required to seek stand-alone cyber coverage and/or expand their current policies.

When is a cyberattack not a cyberattack?

Even before COVID-19, the cyber threatscape was expanding, with cybercriminals ranging from basement hackers to nation-state-sanctioned criminal entities growing more sophisticated and more brazen with each success. Concurrently, small- to medium-sized businesses (SMBs) and public sector institutions are now more in the crosshairs of bad actors, making virtually any business, municipality, or government office in the country a target.

President Biden may look to more aggressive tactics such as robust counterattacks or even offensive actions such as the Offensive Cyber Effects Operations (OCEOs) that President Obama considered, as laid out in Presidential Policy Directive 20 (PPD20) in 2012. (PPD20 was a classified initiative until June 2013, when former NSA intelligence analyst Edward Snowden made its existence public.)

These actions were defined as “operations and related programs or activities … conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States government networks.”

This could quickly create a lex talionis situation with bad actors retaliating by targeting US businesses and public sector operations for purposes other than profit. The biggest challenge for insurers then becomes correctly identifying the perpetrators of the attack and the nature of the attack itself.  Was the hacker a state-sponsored group, lone wolf, or something else?

Depending on the attacker and victim, a cyberattack could be defined as “other,” such as an act of terrorism or war. If the hack is determined to be one of the latter, cyber insurance may not cover the event. The attack itself could also change what coverage is triggered: DDoS attacks and data grabs suggest less of a financial incentive than ransomware or socially engineered computer fraud. Even without any aggressive policy in place, identifying an attack’s nature and what coverage is triggered will only grow in complexity, making claim settlements more difficult.

The creation of a Central Bureau Of Cyber Statistics

The CSC also recommends creating a federal institution with the intention of sharing collected data, both public and private, with insurers to improve actuarial practices for better risk understanding.

The commission recommends that this new agency, the Bureau of Cyber Statistics (BCS), be granted the ability to collect “aggregated, anonymized, minimized data on cyber incidents” from government bodies and companies “that regularly collect cyber incident data as a part of their business.” The commission directly called out the insurance industry as a potential provider of data. The BCS would also procure data from breached companies themselves. This would require a national notification law to mandate the reporting of cyber events.

Conversely, the BCS would share its data with a select group of private-sector segments. The commission report specifically mentions insurance as one of those areas that would have access to this data. The BCS could prove to be a valuable tool in cyber underwriting and actuarial practice.

Creation of a national cyber reinsurance program

In November, the Treasury Department asked the CSC for feedback on how it should define cyber events emanating from outside the U.S. for the purpose of including cyber events in a national reinsurance program, possibly under the umbrella of the Terrorism Risk Insurance Act (TRIA). The idea is to hedge against a “cyber Pearl Harbor” by providing backstop reinsurance for cyber insurers. This was also a policy recommendation from the Obama administration. Given Biden’s position as Vice President in that administration, as well as the CSC’s recommendation, look for possible legislation to create such a program and/or include greater cyber definitions within the TRIA.

Of course, no one knows what the future holds. Still, based on the recent history of legislative efforts, increased cybercriminal activity, and promises made by the incoming administration, cyber insurance will be a larger part of this new future.
