Recent remarks from the newly inaugurated president have alluded to a greater government presence in cybersecurity arenas.
As President Joe Biden pledges to level up cybersecurity response and operations in the wake of the SolarWinds cyberattack, expect the new administration to build upon the current cybersecurity infrastructure. The benefits and drawbacks for the insurance industry are, of course, not certain, but based on previous policies, commissioned reports, and Biden’s recent moves, we’ll outline some possible impacts on cyber insurance.
Background on cyber policy
The Trump administration made a number of notable cybersecurity policy and strategic moves. The most notable were the creation of the 2018 National Cyber Strategy, which gave birth to the Cybersecurity and Infrastructure Security Agency (CISA), and the removal of the dedicated Cyber Coordinator position. Further, the Trump administration brought its cyber policy to bear through a variety of laws, executive orders, and directives. Some of those actions include:
- The Defending the Integrity of Voting Systems Act: Makes attempted hacking of a voting system a federal crime.
- Executive Order 13870: The goal is to stimulate cyber job growth in the private and public sectors.
- Executive Order 13800: The purpose is to modernize federal information technology infrastructure.
- Space Policy Directive-5 (SPD-5): Intended to strengthen cyber posture of national space assets.
Generally, the Trump administration steered away from legislation and executive actions that would bring government policy and the insurance sector together.
Biden is preparing to leverage some of the Trump administration’s changes and ramp up security operations. The newly inaugurated 46th President has already earmarked $9B for CISA and echoed the need to “modernize and secure federal IT networks,” similar to Executive Order 13800. This agenda grew in urgency and importance as the SolarWinds hack was exposed: “My administration will make cybersecurity a top priority at every level of government, and we will make dealing with this breach a top priority from the moment we take office,” Biden said on December 17th, four days after the devastating attack was first reported.
Biden promises to “elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyberattacks,” alluding to greater government presence in cybersecurity arenas.
The new administration’s possible impact on cyber
Below are a few potential scenarios and their impact on cyber insurance.
Federal privacy legislation
Given the Democratic majority now in both houses, tech-related legislation is likely to pick up the pace, especially regarding cybersecurity. One issue that is bound to get lawmakers’ attention is data privacy.
As the privacy landscape continues to evolve, we can expect that more states will adopt legislation regarding data collection practices, mechanisms for proper accountability, as well as compliance. Currently, there are several states with legislation in place, including California (California Consumer Privacy Act – CCPA), New York (the “SHIELD Act”), Maine (Maine Act to Protect the Privacy of Online Consumer Information), and Nevada (NV SB220), to name a few.
At the current rate of adoption by the individual states, we could see the White House and Congress move to adopt a federal act, as well. In previous years, legislators have introduced national bills, including the U.S. Consumer Data Protection Act, the Filter Bubble Transparency Act, and the Deceptive Experiences To Online Users Reduction Act, to no avail. The most recent bill, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, is a bipartisan effort introduced to Congress in September 2020. With the Democrats controlling Congress and the White House, the SAFE DATA Act, or a future version of it, has a good chance of becoming law.
This means businesses would need to adhere to a national standard along with state requirements. Inevitably, businesses will get breached and be in violation of possible state and federal legislation, driving up penalties, lawsuits, and reparations for damage done. Insurers will be covering these increased losses, which will drive up premiums and evolve coverage as the market continues to harden.
Government vendors will have to carry cyber coverage
As part of the government’s efforts to minimize its own risk, the Biden administration could require vendors to carry cyber coverage as a way of minimizing the damage from breaches and cybercriminals.
The idea is not new.
The state of California almost passed Bill 2320 that would require any business that contracts with the state and has access to personal information records protected under the state’s Information Practices Act (IPA) to carry cyber coverage.
The congressionally mandated Cyberspace Solarium Commission (CSC) included a recommendation to require contractors to carry cyber insurance, as well. The CSC report carries weight with legislators — several of the CSC’s recommendations have already landed in Congress in the form of recommended bill amendments, but little has made progress to date. With a willing partner in Congress, Biden’s cybersecurity team will undoubtedly turn to the CSC report as a guide to beef up the government’s defenses, including implementing a requirement of coverage for federal vendor partners. Naturally, this would be a boon to carriers and brokers alike as thousands of companies would be required to seek stand-alone cyber coverage and/or expand their current policies.
When is a cyberattack not a cyberattack?
Even before COVID-19, the cyber threatscape was expanding, with cybercriminals ranging from basement hackers to nation-state sanctioned criminal entities growing more sophisticated and more brazen with each success. Concurrently, small- to medium-sized businesses (SMBs) and public sector institutions are now more in the crosshairs of bad actors, making virtually any business, municipality, or government office in the country a target.
President Biden may look to more aggressive tactics such as robust counterattacks, or even offensive actions such as Offensive Cyber Effects Operations (OCEOs), which President Obama considered, as laid out in Presidential Policy Directive 20 (PPD20) in 2012. (PPD20 was a classified initiative until June 2013, when former NSA intelligence analyst Edward Snowden made its existence public.)
These actions were defined as “operations and related programs or activities … conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States government networks.”
This could quickly create a lex talionis situation with bad actors retaliating by targeting US businesses and public sector operations for purposes other than profit. The biggest challenge for insurers then becomes correctly identifying the perpetrators of the attack and the nature of the attack itself. Was the hacker a state-sponsored group, lone wolf, or something else?
Depending on the attacker and victim, a cyberattack could be defined as “other,” such as an act of terrorism or war. If the hack is determined to be one of the latter, cyber insurance may not cover the event. The attack itself could also change what coverage is triggered — DDoS attacks and data grabs suggest less of a financial incentive than ransomware or socially engineered computer fraud. Even without any aggressive policy in place, identifying an attack’s nature and what coverage is triggered will only grow in complexity, making claim settlements more difficult.
The creation of a central Bureau of Cyber Statistics
The CSC also recommends creating a federal institution with the intention of sharing collected data, both public and private, with insurers to improve actuarial practices for better risk understanding.
The commission recommends that this new agency, the Bureau of Cyber Statistics (BCS), be granted the ability to collect “aggregated, anonymized, minimized data on cyber incidents” from government bodies and companies “that regularly collect cyber incident data as a part of their business.” The commission directly called out the insurance industry as a potential provider of data. The BCS would also procure data from breached companies themselves. This would require a national notification law to mandate the reporting of cyber events.
Conversely, the BCS would share its data with a select group of private-sector segments. The commission report specifically mentions insurance as one of those areas that would have access to this data. The BCS could prove to be a valuable tool in cyber underwriting and actuarial practice.
Creation of a national cyber reinsurance program
In November, the Treasury Department requested feedback from the CSC on how it should define cyber events emanating from outside the U.S. for the purpose of including cyber events in a national reinsurance program, possibly under the umbrella of the Terrorism Risk Insurance Act (TRIA). The idea is to hedge against a “cyber Pearl Harbor” by providing backstop reinsurance for cyber insurers. This was also a policy recommendation from the Obama administration. Given Biden’s position as Vice President in that administration, as well as the CSC’s recommendation, look for possible legislation to either create such a program and/or include greater cyber definitions within the TRIA.
Of course, no one knows what the future holds. Still, based on the recent history of legislative efforts, increased cybercriminal activity, and promises made by the incoming administration, cyber insurance will be a larger part of this new future.