Cyber risk is not a new issue and has not been for a number of years. However, until several events that have occurred since November 2020, many organizations, in both the public and private sector, still viewed cyber risk as a relatively new issue. Fortunately, the consensus now is that cyber risk can no longer be treated as an immature risk and must be taken seriously and addressed today. Indeed, as many could argue, better late than never.
Looking Back at the Start of Cyber Insurance
The cyber insurance industry has existed since 1997, which is when the first policy was created. By 2000, some businesses began to take notice that a data breach could cripple them and put them out of business if one happened to them. However, it wasn’t until 2013 that cyber risk became one of the top concerns of many executives. In fact, it was in 2011 that our company, Cyber Data Risk Managers, was founded, as we noticed that cyber risk was not a trend and would become commonplace over time.
How the New Cyber Security Executive Order can help the Cyber Insurance Industry
While the Executive Order was created to chart a new course to improve the nation’s cyber security and protect federal government networks, there are many key takeaways for how it can benefit the cyber insurance industry and help it through this challenging risk environment.
Specifically, the Executive Order intends to:
Remove Barriers to Threat Information Sharing Between Government and the Private Sector. The cyber insurance industry has struggled for years with a lack of threat information data. While there were four DHS working sessions between 2012 and 2014, in which cyber insurance underwriters and cyber security professionals participated, nothing substantial came from the sessions. It would be ideal and beneficial for the government to share anonymized threat and breach information with cyber insurance carriers. This information would give carriers real-time threat data, and the end result is that we all benefit from carriers who are better armed with data that can improve the underwriting process and provide coverage improvements or enhancements to the companies that need them.
Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order specifically states that it helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Indeed, cyber insurance carriers are already a step ahead in 2021, as many carriers now require MFA in order to obtain or renew cyber insurance coverage. In addition, the Executive Order states that outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. In the past few years, many new cyber insurance carriers have been overanxious to grow their premium volume by looking the other way and not asking about outdated security models and unencrypted data. Many organizations with such unfavorable practices benefited from this lax underwriting. However, this is no longer the case: cyber insurance underwriting has tightened, and if your company or organization does not have tight security measures in place, you will likely not be eligible for coverage. While I don’t anticipate carriers will be moving towards a zero-trust security requirement, it will certainly benefit the industry directly when this best practice is adopted by many public and private organizations.
Improve Software Supply Chain Security. The Executive Order states it will improve the security of software by establishing baseline security standards for the development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. While I’m not keen on the idea of security data being made publicly available, the baseline software development security standards will likely be desirable and beneficial to carriers, as many do not delve into assessing software development vulnerabilities.
Establish a Cybersecurity Safety Review Board. The Executive Order calls for a Cybersecurity Safety Review Board, co-chaired by government and private sector leads. Indeed, it would be wise for the Administration to include a cyber insurance carrier underwriter on the board. This will give the industry a seat at the table, which benefits all organizations and companies that either have or are considering cyber insurance.
Create a Standard Playbook for Responding to Cyber Incidents. The Executive Order states that it will provide a template to the private sector for its response efforts. While many companies already have an incident response plan in place, the template will be of great value for those that don’t. For those without an incident response plan, carriers will likely insist that their insureds adopt and use the Executive Order’s response template.
Improve Detection of Cybersecurity Incidents on Federal Government Networks. If the Federal Government is able to lead in cyber security as the Executive Order proposes, it will be an easier proposition for carriers to have their insureds adopt the same best practices that are proven to work. Though, given the current security environment, it will take a great amount of time before this happens, if it happens at all.
Improve Investigative and Remediation Capabilities. Lastly, the Executive Order creates cyber security event log requirements for federal departments and agencies. This is certainly a necessity, as accurate monitoring and real-time analysis of event logs can provide clues to upcoming problems well before they strike. The Executive Order states it will help move the Federal Government to secure its cloud services. However, managing event logs in the cloud will be a bit more complicated, especially if more than one cloud is in play. Perhaps event log management software could be of use. Cyber insurance carriers need to play more of a role in ensuring that insureds are implementing robust and consistent logging practices, as the Executive Order suggests; doing so will solve much of this problem.
Cyber risk and cyber insurance have come a long way, and having been exclusively focused on both for the past ten years, we are delighted to see that both are being discussed by everyone with an internet connection and/or assets that need to be protected. The recent gas pipeline ransomware attack sparked a lot of interest and had everyone wondering whether they would be able to get gas at the pump or have to pay more for it, leading many to have cyber risk on their minds now. On a candid note, it now helps my family better understand what I do for a living.
If cyber insurance is on your mind, and you would like to get a cyber insurance quote, please reach out to our experienced cyber insurance brokers for assistance.