A broad range of federal contractors fear a watchdog report on the government’s role in facilitating coverage of cybersecurity risks—included in the House-passed National Defense Authorization Act—will lead to a mandate that their companies hold related insurance policies.
In a recent letter to leaders of the House and Senate Armed Services committees, the Professional Services Council opposed a provision in the House bill calling for the Government Accountability Office to produce recommendations after studying the state of the insurance industry and the extent to which it’s tied to minimum standards for cybersecurity.
The provision—Sec. 1710A—doesn’t require federal contractors to have cyber insurance policies, but it is grouped together in the letter with a number of other proposals around cyber threat hunting and intelligence sharing that are based on recommendations of the public-private, nonpartisan, congressionally established Cyberspace Solarium Commission.
The commission’s lawmakers—who represent the political spectrum—are trying to get as many of its recommendations as possible to survive conference negotiations and make it into the final annual defense authorization bill.
“PSC appreciates the extensive work of the Cyberspace Solarium Commission and believes that the report and many of its recommendations will significantly improve cybersecurity and cyber hygiene,” the group wrote. “That said, the inclusion of these specific provisions would require significant contractor community investments while providing few if any benefits to cybersecurity.”
The commission proposes a whole new ecosystem of government and government-adjacent structures based on its preference for financial incentives instead of regulatory mandates. For at least a decade, policymakers on both sides of the aisle have posited that, given a boost, cybersecurity insurance could perform the same role as government regulation in improving organizations’ cybersecurity practices. One way they saw of helping the market along, then and now, is to use the government’s purchasing power.
“Insurers will require a level of security as a precondition of coverage, and companies adopting better security practices often receive lower insurance rates,” the Obama administration wrote in 2009. “This helps companies to internalize both the benefits of good security and the costs of poor security, which in turn leads to greater investment and improvements in cyber-security.”
“The federal government can promote the use of cyber-insurance with its strong position in the marketplace by requiring government contractors and subcontractors to carry cyber-insurance,” the White House recommended. “This would directly stimulate the cyber insurance market by increasing demand for cyber-insurance.”
In 2011, the House Republican Cybersecurity Task Force agreed with many parts of the Obama administration’s recommendations and proposed exploring the possibility of requiring companies to report data on cybersecurity vulnerabilities and incidents in order to protect critical infrastructure. It said a clearinghouse of such data could act as a repository and that “some sort of anonymous reporting mechanism should be developed in order to facilitate a better evaluation of risk for the development of a functioning cyber insurance market.”
They said the anonymity of data in such a repository would help assuage privacy concerns.
What could be wrong with that?
From 2012 through 2016, with the support of then-undersecretary Suzanne Spaulding, a Department of Homeland Security strategist named Tom Finan personally took on the cause without orders from the White House or Congress. He sought out insurance brokers, underwriters and academics to put them at the same table with chief information security officers.
The insurance industry had plenty of reason to welcome his initiative. “I think they were very happy that cyber insurance got a lot of attention,” Finan told Nextgov. “It was sort of like helping them expand their market.” But they also really wanted data on organizations’ cybersecurity incidents, as well as insight into what their competitors were doing, he said.
Finan said chief information security officers—as the would-be customers—were skeptical of cyber insurance. The conventional thinking at the time was that insurance would take away from resources that could be put toward security controls.
But Finan said everyone involved appreciated having a forum where they could have a frank discussion about how insurance might serve everyone’s business interests, as well as cybersecurity. The parties met under the rules of the Critical Infrastructure Partnership Advisory Council, which is exempt from the public disclosure requirements of the Federal Advisory Committee Act. “They liked that … you’re not going to be outed if you say something controversial,” Finan said.
The initiative evolved into the Cyber Incident Data and Analysis Working Group, or CIDAWG, and published three white papers in 2015 that laid out a value proposition for the repository, the kinds of data that would be collected, and suggestions for encouraging organizations to share it. DHS issued a March 28, 2016 notice in the Federal Register for public comments. None were posted in the public docket.
There were a number of reasons insurance companies were hesitant to set up the data repository.
Finan said concerns included how the government would keep the data anonymous, whether it would use the information for regulations, and questions about why companies should contribute if their competitors weren’t participating.
Sasha Romanosky, a senior researcher at the RAND Corporation and former cyber adviser to the Defense Department, has been studying how insurance carriers price cybersecurity risk and attended the workshops. He told Nextgov the idea of anonymizing the data repository—in an attempt to overcome perceived barriers to information sharing—also diluted how effective it could be.
“You need to correlate [a] firm and its security posture with the outcome that they were actually breached,” he said. “By watering it down, by anonymizing, you turn it into something that isn’t helpful. You create a really wonderful incident database. Maybe that helps firms better protect themselves, because they see, ‘Oh, there’s a lot of activity against this vulnerability so maybe I should patch that thing first.’ That’s all useful in that sense, but it doesn’t really help in the insurance world, necessarily.”
But 2016 was still very early days for the insurance industry, and insurers didn’t understand the value of the data they were collecting from claims following breaches, Finan said. When he asked at the time whether they’d like the government to build the repository, the industry didn’t know.
Finan left DHS shortly after the department sought comment on CIDAWG’s white papers. For the last three years, he’s been with Willis Towers Watson, which sells cyber insurance. The firm has been around since 1828 and is the third largest insurance broker in the world. Finan helped build its consulting practice, he said, to get better deals for clients making their case to underwriters.
“We want to understand the good, the bad, and the ugly, and then help them fix the bad and the ugly, so when they go for coverage, they can say, ‘Look, we are a safer risk, we have adopted these controls and as a result of that, we should have access to more coverage and the most favorable terms possible,’” Finan said. “What we’re trying to do is really be in the risk management space, but not just risk transfer. And I think this is the future of the whole industry.”
The Current State of Cyber Insurance
Early last year, cybersecurity insurance was still seen by advocates of light-touch regulation as a free-market fix, and Finan said things have changed since 2016. The insurance industry is hungry for information on the posture of those seeking coverage and is using more of it in the underwriting process, even incorporating data categories identified by CIDAWG, he said.
But a July 2019 study by the Office of the Chief Economist at DHS painted a different picture of recent years. The study, requested by what is now the department’s Cybersecurity and Infrastructure Security Agency’s National Risk Management Center, showed an industry in cost-cutting mode and mostly avoiding efforts to gather data.
The assessment cites survey data from PricewaterhouseCoopers that found 75% of insurers have implemented cost-cutting measures from 2014 to 2017 and that 61% of chief executive officers of insurance companies planned to launch cost reduction programs in 2018. Cost-cutting measures typically include gathering less information during the underwriting process and eliminating data fields in the notification of loss, according to the DHS study.
“Given the data-sparse environment of cyber insurance, these cost-cutting trends may put a constraint on the investment and data collection that insurance companies would need to develop more mature and validated cyber loss models to properly align underwritten risk with price premiums,” the DHS Office of the Chief Economist wrote. “In addition, this trend runs counter to the expectation and recommendations of cyber practitioners that cyber insurers should be getting more involved with risk mitigation and reduction.”
Overall, the DHS study looked for evidence of whether insurance—versus other levers such as regulatory requirements or legal action—significantly improves cybersecurity practices.
Citing another survey, released in the summer of 2018 by the Council of Insurance Agents and Brokers, the DHS assessment found no increased scrutiny in carriers’ underwriting process, even after greater awareness from recent breaches.
“This challenges the premise that insurance can improve cybersecurity standards and best practices by requiring a minimum level of security as a pre-condition or basing a premium on the security posture of the policyholder,” the study reads, questioning the principal assumption made by the Obama administration 10 years ago.
The Office of the Chief Economist also noted that while there’s a positive trend of insurance companies partnering with cybersecurity organizations, “those partnerships are predominantly utilized for post-event response and consulting rather than proactively advising on cybersecurity measures with preventative value or detection and protection capabilities.”
Finan said while the findings of the 2019 study are certainly true for some insurance agents, firms that have been around for longer do things differently.
He also argued that the study was from before a prodigious growth in the number and payouts associated with ransomware attacks on local governments and critical services, including hospitals and schools.
Last summer the insurance industry started taking a lot of heat for encouraging the attacks by paying ransoms. By January of this year, a former government official joined those noting that some insurers preferred to pay the ransom in order to avoid larger payout obligations associated with recovering the data from backups over time. And at the start of this month, the Treasury Department issued a warning to cyber insurance firms and other companies facilitating ransom payments, reminding them that doing so could violate U.S. sanctions.
Finan predicts the ransomware epidemic could end up being a good thing for the industry’s maturity.
“My heart goes out to any company that’s in a ransomware situation. It’s horrible, and it makes me very angry that cyber criminals are exploiting companies,” he said. “But the silver lining in what is right now a very alarming and dark cloud is that it is bringing attention to [having to] tie risk mitigation and prevention and transfer as a unified deal in a way. People would say that before, but they didn’t always do it. It’s forcing them to do it now.”
Making federal contractors buy cyber insurance policies could arguably paint a target on their backs, as the attackers will know for sure they have coverage to pay ransoms. But asked about their opposition to the NDAA provision, PSC told Nextgov it was because “requiring that all contractors obtain cybersecurity insurance coverage may only redistribute risk rather than reduce it.”
Even if the insurance industry did want to invest more in determining the cyber posture of their customers, the 2019 DHS study also noted another significant challenge they face: ensuring the integrity of the information available to them.
“Policyholders have information on their respective security postures and vulnerabilities,” it reads, “while the insurance companies must rely on self-reported information from the policyholders to the extent that information is collected during the underwriting process.”
Where Certification Fits and What Could Be Next for CMMC
In March, the Cyberspace Solarium Commission recommended federal contractors maintain a certified level of cybersecurity insurance. It also called for a public-private effort, hosted within DHS, that would work on modeling cybersecurity risks and be informed by the work of the CIDAWG and a new Bureau of Cyber Statistics, which would be established at either the Department of Commerce or another agency.
The commission said the Bureau of Cyber Statistics would aggregate open-source data and pay for proprietary repositories. It also recommends that Congress require relevant government departments and agencies, as well as “companies that regularly collect cyber incident data as a part of their business,” to annually submit that data to the bureau.
The data would all be anonymized. In fact, the commission suggests the possibility of penalties for sharing raw data and suggests protections: “The law should also insulate these private companies from liability associated with disclosing minimized, anonymized, and aggregated data to the Bureau.”
Romanosky said there are ways cyber insurance might work but was not impressed by the commission’s efforts to outline the appropriate circumstances, and he is puzzled by the level of commitment given to an unproven assumption.
“I honestly don’t get why everyone is latching on to this,” he said. “The sense I get is that people think it’ll work, they’ve heard from others that it will work, they don’t really know what else to do, so they reiterate the same stance without really getting into the details. I see that from the Solarium report, too. They’re like, ‘Oh, the solution to cybersecurity in this country is not enough insurance. And if only we had more insurance.’ Well, maybe? But it’s not a foregone conclusion … I don’t see any deep analysis on their side that they’ve thought through and understood it.”
But the Cyberspace Solarium Commission is intent on making cyber insurance work as an alternative to regulatory requirements for improving organizations’ basic cyber hygiene practices.
“Short of regulation, there is likely no one way to incentivize companies to better patch their systems,” reads the commission’s report. “Instead, the U.S. government should study the potential effectiveness of several actions, including directing [the National Institute of Standards and Technology] to develop guidance or expectations about how quickly patches should be implemented once released [and] placing a cap, via standards or certifications of insurance products, on insurance payouts for incidents that involve unpatched systems.”
Because insurance is regulated at the state level, the federal government is limited in its ability to directly decree such standards for insurance companies. Instead, the commission recommends having DHS resource a federally funded research and development center—RAND and The MITRE Corporation are examples of these—to develop models for training and certifying individual underwriters and claims adjusters. The center would also work with state regulators to develop certification frameworks for cyber insurance products.
The commission also recommends that the Federal Acquisition Regulation Council then require “U.S. government contractors maintain a certified level of cybersecurity insurance and explore whether the Cybersecurity Maturity Model Certification should be updated to require cybersecurity insurance.”
Brian Finch is a partner at Pillsbury Winthrop Shaw Pittman LLP, which helps companies negotiate policy terms and claims with insurance companies. He said he is agnostic about a mandate for federal contractors but is largely supportive of the Solarium Commission’s recommendations.
“More data is critical, especially as ransomware incidents skyrocket and insurance policies are invoked more regularly,” he told Nextgov. “It would be great to have more insight into that kind of data to better understand the risks as well as the efficacy of various cybersecurity measures.”