Experts Say More Collaboration Needed for Critical Infrastructure Cyber Risk
Insurers continue to grapple with elusive and ever changing cyber risks in the critical infrastructure sector, and Matthew McCabe, managing director for Guy Carpenter’s Cyber Center of Excellence, said he sees a three-party system emerging between insurers, policyholders, and the federal government.
“It’s going to have to take that kind of three-party system of understanding what the policyholder needs are, what the insurance industry is capable of doing, and where the appropriate place for the government to participate will be,” he said on an episode of The Insuring Cyber Podcast.
This comes as the U.S. House Homeland Security Committee’s Subcommittee on Cybersecurity and Infrastructure Protection held a June 27 hearing titled, “Sector Down, Ensuring Critical Infrastructure Resilience,” in which members of the critical infrastructure sector and insurers served as witnesses to give testimony.
McCabe was one of the insurance professionals in attendance. He said he sees public/private partnerships as the way forward for solving big issues like cyber risk, particularly in the critical infrastructure sector.
“The government just offers the capabilities at scale, which no other organization can. If you think about the history of accomplishments like federal highway systems or space exploration, you’re just able to get big things done when you talk on a government scale,” he said. “But from the insurance industry, we offer expertise. We offer assessment of risk. We offer quantification of risk impact, and we offer a knowledge of claims and coverage and wording.”
He said he believes a government-backed program led by the insurance industry could address some of the current gaps in coverage for cyber risks.
“I think from the government’s perspective, what they’re doing is having a conversation with industry and learning what they need to learn to see if a program is workable…that they could assist the industry in responding to catastrophic cyber events,” he said.
He viewed the recent hearing as another step on the way toward more public/private sector collaboration as cyber threats continue to grow.
“It’s a strange feeling to still be talking about the growth of cyber threats,” he said. “When you think back to 2017, we were talking about the growth of cyber threats.”
Years of Lessons From NetPetya
Indeed, the NotPetya malware attack that began in Ukraine in June 2017 had the insurance industry talking as it ultimately caused more than $10 billion in damage and wreaked havoc on major companies. Shipping company Maersk and pharmaceutical company Merck respectively lost up to $300 million and $870 million, according to reports.
Bloomberg reported in January of this year that Merck reportedly reached a deal with insurers over a closely-watched coverage dispute related to the massive cyber attack. The New Jersey Supreme Court in July 2023 agreed to hear the case after a state appeals court ruled months prior against eight insurers, finding that a hostile/warlike action exclusion in an all risks property insurance policy did not apply to the Russian-linked cyber attack.
While this particular attack took place seven years ago, McCabe said there’s still much to learn from NetPetya and the years that have followed as he sees these types of threats only becoming larger in scale.
“I like to think of cyber events emanating from nation states to be occurring on a constant continuum,” he said. “There have been two very important aspects that continue to grow, and that is the capabilities of our adversaries and the opportunities that we give them. We keep digitizing our infrastructure and attaching legacy systems to the internet, and that just provides wide-scale opportunities for adversaries to take advantage of.”
McCabe’s testimony during the June hearing focused largely on the role cyber insurance plays for organizations globally and how it can be incorporated into their risk management strategies.
“Cyber insurance serves as a point of annual assessment,” he said. “Cyber insurance will introduce risk engineering and incident response plans to companies, and that’s especially important for small and medium sized businesses.”
Critical Infrastructure Risks for SMEs
Jack Kudale, founder and CEO of InsurTech Cowbell, also gave witness testimony at the hearing. He agreed that SMEs are often the most vulnerable targets for these critical infrastructure cyber threats, as everything trickles down.
“Just to round out the last couple months, the Change Healthcare attack had an impact on about 900,000 physicians,” he said on The Insuring Cyber Podcast. “Similarly with CDK Global, 15,000 auto dealers had to use pen and pencil to do transactions when it came to buying or selling a car.”
He was referring to a February cyber attack that caused Change Healthcare—a subsidiary of the global health company, UnitedHealth—to go offline. Later in June, CDK Global — a major car dealership software company utilized by thousands of dealers nationwide – experienced a cyber attack that resulted in a multi-day system shutdown. Kudale said both of these attacks illustrate the supply chain threat that SMEs face when they’re depending on larger partners.
“This flows down, right?” he said. “The 15,000 auto dealers, the 900,000 physicians, the pharmacies, the hospitals, the laboratories, all of them are small businesses that suffered because of an incident that took place at a larger partner.”
He believes this is the tip of the iceberg when it comes to these threats.
“The exposure and the potential of supply chain incidents that can have an impact, the widespread nature of this exposure, could be much bigger,” he said, adding that “if a small business is under threat of a cyber attack, it would be very difficult for them to open their doors on Monday morning.”
For this reason, Cowbell has a focus exclusively on this space, providing risk assessment for global SMEs and continuous monitoring of their cyber posture at a granular level.
“This actually helps us provide real time insights and recommendations to our policyholders so that they can help improve their cyber posture,” he said. “Our mission is to serve the small to medium sized enterprises to increase the adoption of the global SMEs when it comes to their cyber resiliency.”
He added that things like incident response plans, multifactor authentication, and tested backup plans are essential for SMEs.
“Simple measures are really mission critical for small businesses,” he said. “They’re one click away from being a successful business or going out of business… and I think as an insurer, our job is to make sure we protect our policyholders and help them before the incident actually takes place.”
Kudale saw the hearing as a step in the right direction for private companies and the federal government to develop a closer collaboration.
“The fact that the legislative body was looking to get inputs from folks like private companies and entrepreneurs like ourself, that’s a good start that there is a willingness from both the private and the public sectors to work together,” he said. “I think I would repeat what I said when I began the journey at Cowbell: Cyber risk is the greatest threat to our economy.”
Policyholders as Part of the Equation
This means insurance needs to play a role in responding to these threats with precision of underwriting and managing of risk, which means taking the policyholder into consideration, he said. However, some on the policyholder side have called into question how well the industry is balancing that role.
“I would say that in my experience, [insurers] are not necessarily grasping these risks that well because they’re not really engaged in taking on much of the investigation and adjustment process when a claim actually comes in,” said Jillian Raines, partner at law firm Cohen Ziffer Frenchman & McKenna, on The Insuring Cyber Podcast. “They’re trying to shift a lot of that burden back to the insured and the policyholder, which in some instances makes sense. It’s the policyholder’s systems. It’s the policyholder’s business. They’re the experts when it comes to what went wrong.”
However, Raines expressed concern that cyber policies are being designed in a way that is overly burdensome to policyholders.
“The private market seems to be designing policies that essentially just say, ‘Hey. In short, we hope you don’t have loss, but if you do, it’s your obligation to show us what went wrong, figure out what happened, put better procedures in place next time if you want the coverage to continue, and if you don’t do those things on certain time frames, you risk not actually getting your claim paid,'” she said.
She sees a need for the insurance industry to evolve in its understanding of how coverage can work as the risks become more advanced. McCabe agreed that more collaboration is necessary between insurers and policyholders to make this happen.
“I think that the enemy of a policyholder is any kind of ambiguity in the way that the policy is written [instead of] actually identifying that line of where coverage ends and the gap begins,” he said.
This ties to his idea of a three-party system of collaboration.
“I think that very importantly, tied into the conversation with the federal government right now with the insurance industry, should be the policyholder perspective of where can the insurance industry take its bite of the risk? And how far can you take that? And where does the government need to then step in?” he said. “That can be at a financial threshold where when there’s a cyber event of a catastrophic nature that has losses of a certain magnitude, regardless of the source of that, regardless of the motivation or the attribution of the threat actor, that backstop could respond.”
Raines said the good news is that she hasn’t seen what she would categorize as a catastrophic loss affecting policyholders yet.
“I have not seen, thankfully, any of my policyholder clients in the critical infrastructure sector actually experiencing those catastrophic losses that everybody is afraid of,” she said. “That said, there has been, in my experience, quite a bit of heightened attention wanting to really understand if that catastrophic cyber breach comes, what does our insurance portfolio really provide?”
She said policyholders are seeking more clarity of coverage to understand how it responds and how they can better learn to manage their risk if they don’t have anticipated coverage.
“We’re seeing a lot of attention, and it’s attention not just within risk management teams or treasury teams or even legal teams,” she said. “It’s attention up to the highest level of decision makers who are trying to really understand what the private coverage they purchased will respond to.”
McCabe said there is consensus in the insurance industry across many lines of coverage that some types of perils have consequences so large that the magnitude of losses can’t be absorbed. He pointed to outages of power utilities or telecommunication companies as an example, in which the cascading losses could reach a magnitude beyond the scope of insurance coverage. For those, a conversation between the federal government and private industry, as well as policyholders, will need to be ongoing.
“I think that from the industry’s and from the government’s perspective, there’s already been a realization that, for any type of catastrophic incident, it’s the role of the government to step in and provide certainty in times of uncertainty,” he said. “Regarding cyber adversaries, of course, they always have a head start in that they only have to succeed once and they’ve accomplished their goal. Cyber defenders have to prevent everything, and that’s always an impossible task. We’re never going to get to a state of zero cyber threats, but that’s where the point comes in of building resiliency that you can respond and recover to cyber threats more quickly, more rapidly, and more successfully.”
To hear the full conversation with Matthew McCabe, Jack Kudale, and Jillian Raines, check out the rest of this episode of The Insuring Cyber Podcast titled, From Main Street to Capitol Hill, Insurance Pros Discuss Critical Infrastructure Resilience, at insurancejournal.tv or wherever you get your podcasts.