You can’t turn a television on today without seeing one of the nation’s most beloved insurance icons, “Flo” from Progressive insurance. We enjoy her whimsical plays on how to get the best price for an insurance policy, but I wonder at what point these commercials will start hyping “cyber”.
On June 3rd, 2014, Tripwire’s The State of Security published a very interesting piece by Federico Delamora. While that article centered on the United Kingdom, there are parallels to be drawn here in the United States. In December of 2012, the U.S. Department of Homeland Security (DHS) tasked its National Protection and Programs Directorate (NPPD) with assessing how the cyber insurance markets can play a role in facilitating risk reduction strategies for U.S. critical infrastructure.
The information gathered indicates that underwriters do not have enough data to make educated determinations on payout estimates. As a result, it falls to DHS (as a facilitator) to give meaningful guidance to industry on what to acquire, how to acquire it, and what industry should insist on as “mandatory” within the policy.
In May, an article by Blake Sobczak quoted Joseph Rigby as calling a successful cyber-attack an “extinction-level event” for an average power provider. While I am not convinced a cyber-attack will cause the citizens of Maryland to go the way of the T-Rex, I do have great concerns that the industry is stuck in a “he says, she says” argument that is preventing any forward progress.
The underwriters claim they do not have enough data points to enable benchmarks, but a senior vice president with a large brokerage firm advised me that 50% of their clients are getting payouts. After I pried my jaw from the table in disbelief, I was further advised that the overwhelming root cause of payout is to prepare for litigant action.
Okay, so how does an underwriter evaluate a client’s risk? Oddly enough, with a questionnaire that is self-attested. No independent verification or validation is required. When asked how they handle a situation where there is a probability that the questions are not answered correctly (either intentionally or unintentionally), the response was “we would construe that as fraud and not pay out”. I bring your attention now to my last piece on Target. Their 10-K report indicates they have $44M in coverage, but the language is loosely phrased to indicate that, until all the facts are in, that payout may not transpire.
Why is this so challenging? Insurance underwriters advise they don’t have enough data. The U.S. Government is reluctant to apply statutory limitations on liability as it did with the SAFETY Act. This ultimately results in significant challenges for driving forward progress. In interviews, members of DHS indicated that they see challenges in defining backstops or limits on liability: how do you define what the limits will be?
While I do agree they have a point, I do not agree this is a deal breaker. Do I think the threat and risk associated with a cyber-attack on PEPCO are similar to those of an attack against Tysons Corner Mall? No. Heck, it is not even the same sport! While we all hate to hear the carrot-or-stick argument, we have to focus on how you incentivize industry to reduce its risk by mitigating or transferring it.
Perhaps a meeting of the minds takes place where DHS facilitates, through the White House, a tiered approach that can tailor levels of risk to each critical infrastructure sector. To reduce the risk of stagnation, the Government cannot evaluate all critical infrastructures as having similar exposure to risk.
The risk of a cyber-attack against a utility provider has a higher likelihood of causing significant damage versus a cyber-attack that negatively impacts industrial control systems at a shopping mall. The Government must agree to a tiered approach enabling statutory authority to be objective and defendable.
Tier I – Limitation on liability = $50M
- Emergency Services
Tier II – Limitation on liability = $10M
- Financial Services
- Defense Industrial Base
- Information Technology
Tier III – Limitation on liability = $5M
- Commercial Facilities
- Critical Manufacturing
- Government Facilities
- Food and Agriculture
By applying these three tiers, the Government can assert a prudent and reasonable threshold for liability based on the likelihood of an event, the type of event, and the compensating controls consistent with each Tier. As an example, Healthcare is closely monitored and highly regulated by the Health and Human Services Office for Civil Rights, which imposes heavy financial sanctions when violations are identified. Financial Services is consistently hit hard on an annual basis. However, these institutions are very robust, highly adaptive, and already apply significant resources to threat detection and threat mitigation strategies.
Establishing statutory limitations on civil liability is just one component in assuring forward progress and demonstrating success. The cybersecurity insurance industry has been well established for years but only recently has it seen sizeable growth. In a recent study, 73% of respondents advised that legal defense costs were the primary claim filed. Interviews with some of the larger insurance providers indicate that this market is still not mature and the coverage associated with each policy varies significantly. This issue is exacerbated further by the limits the insurer places on the policy.
If the Government is prepared to implement caps on civil liability, the insurance industry must also invest in redefining not only how much risk it accepts in dollars, but also in terms of “scope”. Many factors are analyzed in this actuarial science, ranging from non-payment for claims of terrorism to third-party liability. A sizable third-party market exists to cover losses suffered by a company’s customers.
However, first-party policies that address direct harms to companies themselves remain expensive, rare, and largely unattractive. Observers blame several factors for this phenomenon, including:
- a lack of actuarial data which results in high premiums for first-party policies that many can’t afford
- the widespread, mistaken belief that standard corporate insurance policies and/or general liability policies already cover most cyber risks
- fear that a so-called “cyber hurricane” will overwhelm carriers who might otherwise enter the market before they build up sufficient reserves to cover large losses.
Traditional insurance coverage issues such as moral hazard and adverse selection likewise play a part in discouraging market entry by these carriers. On average, $20 million in coverage will potentially cost an insured party more than $100,000. The insurance industry would be business- and cost-justified in expanding its scope of coverage to spell out what the $20 million specifically addresses.
As an industry, insurance underwriters must evaluate the risk of paying out a claim. To date, the insurance industry uses a questionnaire that relies exclusively on self-attestation or a high-level security assessment. If some insurers are paying out to approximately 50% of their customers, then the industry should reevaluate how it establishes a benchmark for cyber risk.
Since the Government has a stake in the success of insurance companies providing a viable risk transference model, the insurance industry should use NIST Special Publication 800-53 as guidance. To date, of the 237 controls defined under Revision 4, the insurance industry’s questionnaire addresses only 48 controls, a number of which only loosely align with the intent of the 800-53 control.
Approaches now exist where security assessments can quantify the risk of technical and operational findings that present the highest likelihood of causing a security event and the adjacent risk of a formal sanction or litigation.
Since the fear of potential litigation and its associated costs represents the single greatest justification for cybersecurity insurance, insurers must be able to effectively measure risk in terms of their clients’ exposure to litigant action. Part of this analysis should carefully evaluate the standard of care for each insured party. Because the legal threshold for meeting the intent of the standard of care relies on two factors, due diligence and due care, the ability to effectively demonstrate risk mitigation strategies is essential.
If an insurance provider is aware, through due diligence efforts, of technical (cyber) or operational threats that pose risk to the insured, there is a business case for enabling a discount on the coverage if the insured can demonstrate what was done to apply due care, thus lowering the likelihood of paying a claim and meeting the legal threshold of the standard of care.
The U.S. Government can enhance this concept through the incorporation of the directive set forth under Executive Order 13636 for “Information Sharing”. Since an insurance provider can only evaluate a risk profile for what is “known” or “reasonably anticipated”, there is justification for a carrier to hold in higher regard those clients who have access to actionable information that mitigates cyber or operational risk, and to enable discounted coverage for them.
In Figure 1, a lifecycle illustrates how insurance carriers currently evaluate rates.
Figure 2 illustrates a benchmark for tort reform to incentivize Critical Infrastructure to engage and meet the intent of EO 13636 and PDD-21.
In Figure 3, a lifecycle illustrates how insurance carriers can provide reduced rates to organizations that apply enhanced risk assessments in addition to working with Government:
Tiered Pricing Model
- Cost of coverage minus 10% for applying risk and analytics, minus 10% for Critical Infrastructure and Key Resources (CIKR) information sharing
- Cost of coverage minus 10% for applying risk and analytics
- Cost of coverage with no discounts
Scenario Example For Utility Provider
- Organization: Northern Virginia Electric Cooperative (NOVEC)
- Location: Northern Virginia
- Service: Electricity to more than 1 million customers from Leesburg, VA to Stafford, VA
- NOVEC under these recommendations would be considered a Tier I Critical Infrastructure with a defined limitation of liability no greater than $50 million.
NOVEC deploys smart grid features that are Internet Protocol (IP) based. The remote terminal units (RTU) and main terminal unit (MTU) seamlessly interconnect for remote command and control to drive greater effectiveness and operational efficiencies from generation to distribution. A breach succeeds that directly impacts the transmission capability of NOVEC.
In Figure 4, the presumption is that administrative rights have been compromised, allowing a NOVEC asset to be used, against the operator’s will, to override operational protocols and suspend service by hijacking the applications running the transmission network:
The time from discovery until law enforcement can respond, identify, remediate, stabilize, and restore continuity is 10 hours. The security event happens on the coldest or hottest recorded day of the year. The end result is a total of 50 injuries and 3 deaths due to environmental exposure.
Because a law enforcement agency responded, the response and subsequent investigation are publicly accessible under the Freedom of Information Act (FOIA). The law enforcement relations developed via the CIKR information-sharing program enabled faster recovery, thus reducing lost opportunity costs (revenue not generated through energy consumption) and overhead associated with incident response.
A class action lawsuit is brought against NOVEC. Per the statutory limitation, NOVEC is sued for $50 million in compensatory damages in U.S. Federal Court, Eastern District of Virginia (Northern Virginia). In the course of discovery and interrogatories, the Plaintiff is willing to settle because NOVEC maintained a very high bar for the “standard of care” through risk analysis and mitigation strategies (including information sharing). No claim of negligence is established, thus negating the likelihood of a verdict in which punitive damages are awarded.
Using the 2/3 rule (the statistically average settlement for a civil suit is 2/3 of the amount in the original damage claim), the claim is settled for $33.3 million. NOVEC sustained $10M in legal fees defending its position. A total claim of $43.3 million is submitted and covered by the insurance carrier. The cost of the policy is $325,000.00 minus 10% (Risk Reduction Techniques) = $292,500.00 minus 10% (CIKR Information Sharing) = $262,750.00.
The program saved NOVEC $62,250.00 in premiums. The quantitative assessment cost $50,000.00, equating to a Total Cost of Ownership (TCO) savings of $12,250.00 or 24%. This scenario is designed to illustrate a Critical Infrastructure worst case, where the loss of human life occurs from a cyber-attack. What must also be evaluated by underwriters is the number of incidents thwarted by the CIKR information-sharing program.
After each year of implementation, the U.S. Government should work with insurance carriers to give an annual high-level (non-classified) debrief of what was accomplished, to demonstrate how the program mitigates risks to their customers and thus lowers the carriers’ likelihood of paying a claim. The insured party realizes savings, making participation business- and cost-justified.
The Government can demonstrate public/private collaboration by driving cost savings to critical infrastructure, enhancing its cyber intelligence footprint, and, by backstopping through statutory authority, helping insurance carriers better gauge coverage requirements that are more objective in interpretation and better reflect the likelihood of paying a claim.
Generally speaking, the way to drive progress is through consensus, and I look to my fellow practitioners to continue to fight the good fight in raising awareness and enhancing our national security posture through a more pragmatic approach to cyber risk evaluation.
About the Author: Carter Schoenberg has more than 19 years of combined law enforcement, cyber intelligence and cyber security experience. Starting his professional career in law enforcement as a homicide detective, Carter moved into the private sector, working with the ISS X-Force on daily threat and reconnaissance reports for the ISAC community and DHS. After leaving ISS, Carter worked with the Motorola Security Services Division, spearheading a new method of assessing risk by evaluating the actual costs of security events. In 2010, Carter acted as the lead Information Systems Security Officer for the U.S. Immigration and Customs Enforcement (ICE) Cyber Crimes Center before taking on his current role as the Technical Director for CALIBRE Systems’ Cyber Security Services, in addition to teaching cybercrime, terrorism and white collar crime at the undergraduate level. He has authored several white papers on cyber risk and litigation, is an accomplished speaker at events like SecureWorld Expo, ISSA and InfoSEC World, and in September will be speaking at the ISC2 Security Congress.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.