How insurance could be the fulcrum for a private-public cybersecurity standards partnership.
Successful cyberattacks, particularly ransomware attacks, are increasing in frequency and severity. The total cost of cybercrime in the U.S. alone has risen every year, from $1.4 billion in 2017 to $4.2 billion in 2020. The average cost of a data breach for a company was $4.24 million in 2021. These figures are almost certainly underestimates: in most cases there is no requirement to report cyberattacks, and in many cases there are financial and reputational reasons not to report them.
In addition to "traditional" cybercrime, American businesses are left undefended by the U.S. government against cyberattacks from adversarial nation-states that target them by doctrine and practice. Government protection alone is not feasible: the private sector's attack surface is too large, and the government's resources, as well as legal and privacy constraints, limit what it can do on companies' behalf.
Many cyberattacks launched by nation-states are not sophisticated. They can be defended against with commercially available techniques. The analogy is that many attacks are more like burglary than airstrikes. Companies and individuals routinely defend themselves against common theft, and their insurers rate them on the measures they take.
Large companies should similarly be held to certain minimum standards of cybersecurity to guard the data they hold. When faced with unsophisticated attacks, even from nation-states, they should simply not be allowed to write off massive data losses without consequence because they failed to take minimal precautions.
Why Existing Solutions Aren't Solving the Problem
Cybersecurity technology is better than it has ever been, and more money is being spent on cybersecurity technology than ever. Yet successful attacks are increasing. The problem is that about 85% of successful attacks do not start off as technical in nature; they start by targeting people. Modern cybersecurity issues are human issues. However, the vast majority of cybersecurity spending goes to technical solutions.
Simply put, there is no national force to persuade companies to adopt sound cybersecurity practices. The push to adopt these measures is often outweighed by other factors: a lack of confidence about which standards to use, faulty cost-benefit analysis, and concern about the cost of solutions.
In free societies, it is justifiably hard to mandate what private companies and groups must do. Laws requiring companies and organizations to report attacks and losses would cover only a fraction of all affected companies and would likely meet with minimal compliance. Additionally, Congress is too slow to pass laws in the rapidly changing cybersecurity space, and state legislation covers only a sliver of the companies in each state. Further, a patchwork of standards would be difficult for companies to implement. Invariably, as with tax rates, states would race to the bottom, competing for corporate residency by minimizing cybersecurity standards.
Companies incorrectly assess their own risk levels. They see the relatively minor legal consequences of being unprepared for a cyberattack and choose not to prepare. They also tend to mistakenly believe that the reputational and financial costs of an attack are lower than the cost of defending against one.
New government cybersecurity bodies seeking to form public-private partnerships, such as the Cybersecurity and Infrastructure Security Agency (CISA), are excellent at examining cybersecurity problems and promulgating solutions to the private sector. The problem is that their guidance carries little force; it does little to motivate corporations and groups to actually adopt their findings.
A Potential Solution: A Cybersecurity Insurance Institute
A single nonprofit institute, funded by insurance companies as well as government grants and modeled on the approach of Underwriters Laboratories (UL), is an ideal solution both for determining best practices for private-sector cybersecurity and for providing the means to implement them broadly.
UL is an independent, nonprofit safety science research institute that shares its findings broadly throughout the industry. Its revenue is from "grants, the licensing of standards documents and the business activities of UL Inc., our wholly owned subsidiary, which conducts testing, verification and certification, and provides training and advisory services, along with data-driven reporting and decision-making tools for customers around the world."
No one makes anyone purchase a UL-approved surge protector for their laptop, but it is likely that no store would sell one without UL certification. Thus the market, not a legal mandate, makes the world safer.
A cyber insurance institute would be the focal point of public-private partnerships. It would receive timely government intelligence on cyber adversaries. It would hire former government officials with experience in relevant cyber areas. It would also do its own research into cybersecurity practices. These resources would be shared with the member insurance firms and sold to or shared with other clients.
The advantage of an insurance institute for cybersecurity standards is that it would wield the market power of the insurance industry. With a common baseline standard for insured companies, the insurance industry could price risk more accurately and consistently. Companies with strong cybersecurity practices would benefit from lower premiums. Insurance underwriters would benefit from lower payouts because of fewer and less damaging breaches. Companies refusing to implement baseline security practices would pay higher rates or be ineligible for cyber insurance altogether.
Security standards agreed to by any such public-private partnership could also serve as a measure of quality to differentiate products, whether hardware or software. This would create another voluntary incentive for companies to build more secure products, as consumers would likely prefer devices or software that met these standards. Corporations whose S-1 filings noted good cybersecurity practices prior to going public could receive much greater financial backing than those with negative cybersecurity indicators.
Cyber insurance can be a market maker. Companies routinely adhere to fire and safety standards not out of concern over infrequent government inspections, but because they know that, after an incident, their insurer is guaranteed to investigate.
Mark C. Elliott is a former CIA operations officer and CEO of Comar Cyber, which offers cybersecurity training.