Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Stabilize Global Cyber Risk with The Cyber Insurance Industry

by Davis Hake , Co-Founder & VP of Communications
Published

So far it’s been more subtle than a massive attack against the US power grid, but threats to critical infrastructure are growing as geopolitics get more complex. Security firm Dragos reported that the Pipedream malware, launched by hackers linked to Russia, recently attempted to take down “around a dozen” U.S. electric and liquid natural gas sites. Ransomware attacks targeting the health sector have driven hospitals hit by a cyberattack to a 20% reported increase in mortality afterward. Multiple municipalities, LA Unified School District and Oakland, California, have recently had thousands of their citizens, students and employees’ private data dumped onto the dark web where criminals can leverage it for fraud and future phishing attacks.

With the backdrop of these dramatic attacks, the 2023 U.S. National Cybersecurity Strategy, announced last week, acknowledged that the threat of cyber disruption to critical infrastructure was so high that U.S. Federal regulators would begin using existing health and safety regulations to audit the cybersecurity integrity of critical infrastructure like water and pipelines.

The primary challenge with cyber attacks is the unknown nature of the risk. No one is actually sure what the “big one” in cyber would look like, when it will come, or what it would cost.

Harnessing Cyber Insurance as a Tool for Enhanced Cybersecurity and Crisis Management

Resilience believes cyber insurance provides a powerful stabilizing force that overlays the existing cybersecurity domain. Insurance encourages policyholders to utilize strong cybersecurity standards, controls, and best practices and provides enhanced access to mitigation and response resources in the event an incident does occur.

As a former Congressional staffer, I have seen no shortage of legislative overreach in times of crisis. The cyber insurance market cannot afford knee-jerk reaction from policymakers when a new wormable crypto malware locks up thousands of US networks or major metropolitan regions are scrambling to restore heat in the winter because of a common vulnerability in electric substations’ industrial control systems.

This is why Resilience joined with leading security companies as a member of the Cybersecurity Coalition in writing in support of the US Treasury’s work to explore the issue of establishing a cyber insurance backstop to help address larger systemic level cyber risks.

The cyber insurance market has seen the problem coming for some time. In 2019, Resilience (formerly Arceo Labs) joined as authors from Marsh and Microsoft to identify some of the sources of systemic risk that could lead to failures of the cyber insurance market. The report recommended:

Increasing overall capacity in the cyber insurance market to handle a major, multi-market loss through the creation of a government backstop for systemic cyber incidents, similar to those created for terrorist events (TRIA in the U.S. and Pool Re in the UK). A private reinsurance pool is imagined as the most appropriate model for cyber insurance, which could include the following: certification of an incident by a government official as eligible for coverage under the program, a requirement that all primary insurers offer cyber coverage to commercial clients, multi-line coverage, and incentives for consumers and service providers to invest in cybersecurity.

Near Misses in Cybersecurity and Their Insurance Market Impact

Since then, the insurance market has seen several “near miss” events that could have easily triggered catastrophic losses across the insurance market. The SolarWinds supply chain attack of 2020 targeted several US government agencies, including the Department of Defense, and private companies, including Microsoft and FireEye. This attack had the potential for a systemic threat due to the use of a vulnerability in the widely used SolarWinds Orion software to allow a highly advanced adversary to gain access to a broad range of organizations.

However, while the attack was highly sophisticated, the attackers were primarily focused on government data theft rather than system manipulation or destruction. This, along with the primary targeting of US government entities, significantly lowered the attack’s impact on the cyber insurance market.

The Log4Shell vulnerability of 2021 was a second near miss for the cyber insurance market.  This critical vulnerability in the popular open-source logging tool, Apache Log4j, allows attackers to execute arbitrary code remotely. It is considered highly severe because threat actors can exploit it with just one specially crafted HTTP request or network packet, and it affects a wide range of systems and applications that use Log4j.

While this vulnerability represents an actual disaster scenario if fully leveraged by criminals, upon its release, the security community reacted with speed and cooperation to develop patches and distribute them as widely as possible. While criminal groups today have been observed leveraging this vulnerability, the publicity surrounding it drove most organizations to implement this patch before criminals could widely exploit it.

Strengthening Cyber Insurance Against Systemic Risks

Given the increase in threat to critical infrastructure and the number of near misses we are seeing, the government has an opportunity to begin a conversation with the insurance industry on how to work together to tackle these looming issues.

In advance of this discussion, however, there is more the insurance industry can do today to reduce the impact of these types of risks on clients and capacity providers.

  • First, regularly scan and warn all clients about critical vulnerabilities currently being exploited and have actionable mitigations. When Log4Shell was discovered, the Resilience Security team immediately checked all its clients and followed up directly with remediation actions. If there is a highly “contagious” vulnerability, we will ensure we are a part of the immune system response.
  • Second, leverage data-driven frameworks like the NIST Cybersecurity Framework and CIS Critical Controls as a part of underwriting and guidance to clients. Resilience leverages these tools in our modeling to ensure that our clients, and capital placement follow the most up-to-date guidance on cyber hygiene.
  • Finally, use data tools to understand and model your portfolio risk. This has been a long-term goal for Resilience to help provide visibility to capital providers on sources of systemic risk. This drives proactive mitigations into our client base through guidance and policy language when we see trends that could lead to massive systemic level losses.

We believe these concrete steps taken across the market help mitigate capital exposure to unforeseen systemic events and, more importantly, the potential for harm to our clients and global critical infrastructure.

The attacker will always have the edge in imagination, but failing to explore the conversation will guarantee disaster. With the Administration opening the door for discussion, the industry should appear at the table.

Leveraging the Power of Cyber Insurance to Stabilize Global Cyber Risk

The cyber insurance industry has a crucial role to play in stabilizing global cyber risk. As threats to critical infrastructure grow and the unknown nature of cyber attacks looms, insurance providers like Resilience emphasize the need for strong cybersecurity standards and response resources. 

By addressing systemic risks, exploring government backstops, and taking proactive measures, the insurance industry can effectively mitigate the impact of global cyber risk and protect clients and critical infrastructure. Request a demo today and learn how Resilience can leverage your organization.

You might also like

Understanding identity-based attacks and how to defend against them

Breaches used to be primarily carried out via software vulnerabilities: Companies would announce a flaw, take a while to fix it, and attackers would find their way into the system using those exploits. From there they might not only steal information and assets from their primary target, but would also use their access to jump […]

Get ready for threats both old and new in 2025

It’s prediction season and while no one can see into the future, we can definitely take some educated guesses. From increasingly severe ransomware attacks to deepfakes that deceive Fortune 500 companies, we’re keeping an eye out for some major events in 2025. And while many organizations are taking steps to beef up their defenses, the […]

Contrasting and comparing FAIR with the Resilience solution

As market awareness of cyber risk quantification grows, we frequently receive questions from clients and curious risk managers about FAIR (Factor Analysis of Information Risk)—what it is, whether it truly provides accurate cyber risk quantification, the effort needed to set it up and maintain, and more. Clients often ask us to compare the FAIR methodology […]

How does Resilience establish the probabilities presented in my LEC?

Managing risk successfully at any level requires an understanding of a concept called “probability.” As both an insurance company (risk transfer) and a cyber risk management company, Resilience relies on understanding probabilities to price our services and to guide our clients to greater levels of cyber resilience. As we often receive questions from our clients […]

Moving beyond heat maps for better risk management

Heat maps are among the most widely used—and debated—tools for risk managers worldwide to communicate risks in their registries or project portfolios. Despite their popularity, we advise leaders seeking transparency in discussing risk and value to avoid relying on them. What are heat maps? Risk managers often use heat maps (or risk matrices) to represent […]

Breaking Lemonade: Understanding Value at Risk

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to […]