Revisiting the Digital Pearl Harbor Clause
Much of the recently published National Cybersecurity Strategy ushers in changes welcomed by cyber security practitioners. Public-private partnerships, focused efforts to defeat ransomware and other forms of cybercrime, and the integration of both threat-sharing and disruption capabilities are all welcome additions to national policy. With that as a primer, why is Strategic Objective 3.6 ("Explore a Federal Cyber Insurance Backstop") worth writing about?
Bottom-Line-Up-Front (BLUF) or Too Long, Didn't Read (TLDR): If cyber risks are not clearly understood, a cyber insurance backstop would represent the willful transference of vicarious liability without the cyber insurer's underlying risk ever being evaluated by the Federal Government. Put simply, if the Federal Government offers any type of financial backstop for cyber insurers, it will likely incentivize them to relax the level of due diligence performed before issuing a policy.
If we do not learn from history, we are doomed to repeat it. For risk transference to work at a systemic level, all parties involved must be aware of, and fully understand, the risk(s) being transferred. A recent example is the subprime mortgage crisis, which occurred because institutions failed to understand certain mortgage-derived instruments and the risk they carried. That event showed that even the largest markets depend on the quality of the underlying assets and on available liquidity.
Unlike traditional banking investments, which are fairly straightforward and static, cyber risk quantification is more nebulous and divergent. Most organizations do not have a clear understanding of their cyber risks as they relate to operational, financial, reputational or other types of organizational impact. At best, this is a qualitative or subjective effort to compare dissimilar risks and then translate them into terms that business stakeholders can understand.
If we agree that well-defined cyber risk quantification is not currently a reality, it is also safe to assume that if an organization does not understand the cyber risk inherent in its own business model, its insurer cannot have that understanding either. If that is the reality and a backstop is still offered, there is a fundamental disconnect. It is therefore critical to explore the signals and incentives a backstop would create, and to identify the cyber-risk-related behaviors likely to result from them.
At present there is no standing Federal backstop or indemnity for cyber insurance companies. Providers are forced to perform due diligence in creative and non-standardized ways in order to quantify an organization's cyber-related risks. This approach is far from optimal and is largely the reason many cyber insurance providers are beginning to curtail the types of cyber insurance they offer. The reasoning is simple: without a clear understanding of the scope of risk, it is impossible to quote an accurate policy premium.
If this were to change and cyber insurance providers were offered a financial backstop from the Federal Government, their liability would be reduced. As a result, their due diligence would likely decrease and they would become more liberal in issuing policies.
What would right look like?
1) Establish a systematic and consistent way to quantify cyber risk
2) Determine the appropriate risk owners for the identified concerns
3) At the organization level, have healthy discussions about risk appetite and how much of certain types of risk the organization is willing to carry
4) Embed risk awareness in the company’s strategic, operational and tactical decision-making processes
5) Build a risk-appropriate culture and organizational governance model
The full national cybersecurity strategy is available from the White House website (PDF).
If this post was of interest, please check out Nisos.com for more content.
Your thesis is sound, Paul J. M. I'd add that there is a historical aspect to federal insurance programs such as the National Flood Insurance Program (which I realize is different in many respects to being a reinsurer, but bear with me for a moment). The NFIP used to insure all-comers and pay flood claims willy-nilly, but eventually the program realized it was paying the same claimant for the same flood-prone property over multiple years. In the meantime, the insured took no (or only minimal) steps to mitigate risk. This has changed: now the NFIP avoids bad or repeat risks. But it's hard to get the moral equivalent of satellite imagery to survey a cyber failure. Without data to develop actuarials (maybe cyber-quantified risk analysis? say hello FAIR!), I really can't see how any government could become a reinsurer (even if it's a backstop-of-last-resort) without a big risk of being fiscally irresponsible by taking on really bad risks.