Saturday, June 10, 2023

How Biden's Backstop Plan Can Make Cyber Insurance Available To All

 


As I keep saying, there is no doubt that the Cyber world is an ever changing and dynamic one.  It could even be changing literally on a minute-by-minute basis.  Because of this, and the overload of information that comes with it, it is difficult for both individuals and businesses alike to keep up with the latest, and protect themselves the best way that they can.

But some good news here is that businesses can be protected to varying degrees financially, with the help of Cyber Security Insurance.  Simply put, this means that if your business has been hit with a security breach, then technically you can file a claim, and get some sort of payout from it, in order to help you bounce back. 

But remember, getting Cyber Insurance is not as simple as that.  It is nowhere near like purchasing car insurance.  For example, when you first file an application with a carrier, you must first prove to them that you have taken all of the steps to be proactive about protecting your business.

This is very often demonstrated by completing a questionnaire, and having a third party verify that everything in it is true.

This of course can take quite a bit of time, especially if you don’t have the controls in place, which is very often true of the SMB owner.  Once you get approved, then of course you have to pay your monthly or annual premiums.  This can be an expensive chore, depending upon how big your business is, and the kind of industry that you are in. 

Finally, keep in mind that if you do file a claim, there is no guarantee that you will get a payout of any kind.  The reason for this is that insurance carriers have really cracked down, especially when it comes to Ransomware payments. 

Not only this, even if you have never filed a claim, an insurance company can still always audit you to make sure that you are compliant with your agreement. 

This convoluted circle has been getting worse lately, and because of it, many business owners of today (and even individuals) are finding it harder to get a good, comprehensive policy.  Some good news here is that the Biden Administration has taken a stance to make this easier to attain, with their recent National Cybersecurity Strategy. 

More information about this can be seen at the link below:

https://www.darkreading.com/ics-ot/bidens-cybersecurity-strategy-calls-for-software-liability-tighter-critical-infastructure-security

But they have actually gone one step further than this.  For example, do you remember the horrific days of 9/11, and the WTC buildings collapsing?  Well, that same fear still exists, but not on the physical level like that.  Now, the fear is that of a huge and massive Cyberattack against the United States, brought on by nation state actors.

One such scenario could be where the Critical Infrastructures are totally wiped out in all of the major US cities, such as Chicago, Los Angeles, NYC, etc.

The main problem here is that these are old, legacy based systems.  Not only would it take a very long time to bring these systems back online, but it would also be a very expensive proposition as well.  This is where the Biden Administration would also step in.  In their plan, they have called for what is known as a “Cyber Insurance Backstop”.

Although I am not familiar with all of the details of it, the basic thrust here is that should the US fall victim to a nationwide Cyber-attack, the Federal Government would step in, and provide whatever financial assistance is needed in order for the nation to recover as quickly as possible.

In a way, this is also analogous to the situation back in the 08-09 recession where they also stepped in to bail out the big banks and other financial institutions.  An article from the Wall Street Journal about this can be seen at the link below:

https://www.wsj.com/articles/u-s-government-to-explore-cyber-insurance-backstop-ddc94c11

There are those critics who fear government intervention (not trying to get political here), but who would not want this kind of assistance?  As a private US citizen, I know that I would want to have it!!!

As stated earlier, although the details of it are still in the works, there are some huge benefits to having a national plan like this, some of which are as follows:

*There will be less burden on the insurance carriers.  In the event of a national Cyber-attack, it will be this group that will be called to act first.  But given the fact that they do have limited resources as well, they will need that extra surge of money from the Federal Government so that they don’t go broke as well.  In other words, there would be a transference of risk, which would be hugely beneficial to all.

*In the event of a wide scale Cyber disaster, the Federal Government can put more money into the market, so that there will not be a demise of our financial infrastructure.  I am thinking that this would happen in a manner similar to when COVID-19 hit, and the Trump Administration back then literally signed into law the allocation of trillions of dollars.  Of course, there will be side effects from all of this down the road, as we are seeing now with inflation.

*A centralization of Cyber efforts and initiatives.  After 9/11, the Bush Administration created the Department of Homeland Security (DHS).  This was done in an effort to centralize all of the information and intelligence coming in about terrorist activities.  The same needs to be done for Cyber, in that a Department of Cybersecurity needs to be created.  With this kind of centralization, there is a greater chance that insurance policies will contain clearer language, and be made available to everybody (kind of like Obamacare).  It is hoped that this effort will cut down on the sheer number of frivolous lawsuits that are occurring today.

My Thoughts On This:

Although I am by no means a Cyber Insurance expert, I have written whitepapers and articles about it, so I do know something about it.  Heck, I even have had people ask me questions about it.  Yes, the Cyber landscape is a complex one, but recovery from an attack does not have to be.

In this country, insurance companies are often both loved and hated, in the sense that most of your claims will get paid, but not all of them.

With this backstop strategy, there will be some guarantees now that full payments and restitution can be made.  After all, if the Federal Government can provide this kind of assistance to victims hit by natural disasters (such as hurricanes, floods, fire, etc.) why can’t this be applied to the Cyber world as well?

It can be, and it will.  The only question now is when.
