As cyberattacks continue to surge at a rapid pace, the US government is mulling over the creation of counterproductive incentives to help private insurance firms cover some of the costs related to catastrophic cyber incidents under the federal cyber insurance program.
Last month, the Treasury Department and Cybersecurity and Infrastructure Security Agency (CISA) asked the representatives of multiple organizations to contemplate the requirement of a cyber insurance program and, if so, how such a program should be enforced across the country.
Earlier this year in June, the Government Accountability Office (GAO) published a report advising Federal Insurance Office (FIO) and CISA to conduct a joint assessment to examine the federal government’s role in cyber insurance.
The move comes after multiple private insurers were spooked by the possibility of having to cover such large losses and backed out of the market by excluding some of the most high-level cyberattacks from being covered by insurance policies. Currently, the U.S. government does not have a federally backed cyber insurance program to deal with destructive cyberattacks.
“I think what you’re seeing is the government sort of thinking about this from their side … if they should be doing more to help companies that are hit and, if so, how should they define what the thresholds are. They’re clearly evaluating that and trying to think carefully about it right now,” stated Josephine Wolff, an associate professor of cybersecurity policy at the Tufts University Fletcher School.
The rapid surge in cyber incidents
Cyber attacks, specifically ransomware, have disrupted critical services and businesses globally, including schools, government offices, hospitals, emergency services, transportation, energy, and food firms. Reported ransomware payments in the United States reached over $590 million in 2021, compared to a total of $416 million in 2020. Just this summer, ransomware attacks rose 47 percent from June to July, according to a report published by cybersecurity firm NCC Group.
According to the most recent IBM Cost of a Data Breach report, each public sector incident costs $2.07 million on average.
The cyberattack on the Colonial Pipeline that took a 5,500-mile-long fuel transporting operation offline had a spillover effect on the wider economy. The pipeline operator paid a ransom of $4.4 million to the hackers — despite advice from law enforcement agencies that ransom demands should always be rejected.
According to the FBI and many other agencies, paying ransoms encourages attackers to launch further cyber attacks. Some suggestions for organizations from the FBI include:
• Keep all operating systems and software up to date
• Enforce a user training program and phishing exercises
• Employ strong, unique passwords for all accounts with password logins
• Enable multi-factor authentication (MFA) for as many services as possible
• Maintain offline (i.e., physically separate) backups of data, and examine backup and restoration frequently
• Ensure all backup data is encrypted and immutable