In June 2017, the world's most destructive malware attack was launched, firing the starting gun on a new era of state-backed cyber warfare, with implications that continue to reverberate around the insurance industry today. In a landmark legal case finally settled last year, insurance underwriters for the pharmaceutical giant Merck were required to help cover losses to the tune of
From an insurance perspective, the decision has redefined war carve-outs and exclusions. In response, the insurance industry has moved to shift risk onto asset owners and insured organizations. Lloyd's of London, for example, explicitly excludes liability for losses arising from any state-backed cyberattack, in addition to any war exclusion.
Determining whether a cyberattack is state-sponsored rather than criminal is notoriously difficult. The result is a growing number of lawsuits between insured organizations and their insurers, cases that can take years to resolve. Ultimately, while asset owners are accepting more cybersecurity risk, the changing landscape also weighs heavily on insurance profitability: losses may not be adequately factored into premiums, and the effect on insurers is already negative.
Responding to the changing cybersecurity landscape
In 2021, the Biden White House issued an executive order mandating that security be built into all software from the ground up for federal contractors, including providers of commercial off-the-shelf software.
Since last December, the U.S. Securities and Exchange Commission has required all publicly listed companies to conduct cybersecurity risk assessments and to disclose them in annual 10-K filings if there is a material impact. In addition, if there is a material incident or breach, public companies must disclose it within a set time limit.
Even more broadly, in March this year the European Union legislatively approved the introduction of the Cyber Resilience Act (CRA). A first-of-its-kind law, the CRA introduces mandatory cybersecurity requirements for most products with digital elements. Regardless of where such products are manufactured, manufacturers must meet CRA compliance when they sell or introduce products into the EU, and there are punitive fines for non-compliance. Furthermore, these devices are set to become far more common in future networks as smart cities evolve, for example.
The CRA follows the EU NIS2 Directive, which came into force in 2023 and itself modernized the existing cybersecurity legal framework in response to an increasingly digital world and the evolving threat landscape. The agreement reached is now subject to formal approval by the European Parliament and the European Council, a step anticipated later this year. Affected businesses will not only have to take appropriate security measures but also notify the relevant national authorities of serious incidents.
With current and future cybersecurity legislation enveloping organizations and their supply chains, insurance companies serving entities on both sides of the Atlantic must now consider how their clients meet cybersecurity standards in order to set appropriate premiums.
Assessing client cybersecurity risk
Given changing customer risk profiles and new regulatory rulings pointing to increased customer risk for insurance companies, new methods are needed to assess potential insurance exposure.
The importance of knowing what assets are in play and, in particular, the risk to those assets cannot be overstated. Utility companies, for instance, run multiple kinds of software and operating systems. That might include commercial offerings such as power monitoring and control applications but will invariably include many others. While approximately 20% or 30% of the source code in these applications is proprietary, the bulk of the application code is open source, and assessing the vulnerabilities in that underlying code is extremely challenging. This exposes the end user to dangers such as insecure configurations, hard-coded credentials, embedded cryptographic material and other weaknesses. From a utility's perspective, assessing these supply chain risks is so far removed from its core competencies as to be almost impossible, yet the risks nevertheless expose the utility to potential exploitation. The risk can be contained through a solution and best-practice approach known as a Software Bill of Materials (SBOM).
An SBOM provides an inventory of all components used within a software product or application. When combined with Software Composition Analysis (SCA), an automated testing process that evaluates security, license compliance and code quality, organizations can identify vulnerabilities and prioritize remediation efforts across their digital asset base. SBOMs with SCA analysis would also give insurance companies additional risk insight into their insured clients and provide context for determining premiums.
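The two paragraphs above describe the SBOM-plus-SCA step in the abstract. The following Python script, added here as an illustration and not code from the original article or from any SBOM tool, shows the mechanics: it parses a constructed CycloneDX-style SBOM for a hypothetical power-monitoring application, matches each component against a constructed advisory feed (the advisory ids, component names, versions and scores are invented placeholders, not real CVEs), flags license-policy problems, and ranks the findings so remediation can be prioritized.

```python
"""
Added example (not from the original article): minimal SBOM + SCA triage.
A constructed CycloneDX-style SBOM is matched against a constructed
advisory feed and a license deny list, and findings are ranked by score.
Every component, version, advisory id and score below is invented.
"""
import json
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical power-monitoring app.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "modbus-client", "version": "2.3.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "fastxml", "version": "1.0.7",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "tls-core", "version": "3.2.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "legacy-auth", "version": "0.9.4",
         "licenses": []},
    ],
})

# Constructed advisory feed; ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "fastxml",
     "fixed_in": "1.1.0", "cvss": 9.8, "summary": "XML external entity injection"},
    {"id": "ADV-EXAMPLE-0002", "component": "tls-core",
     "fixed_in": "3.1.0", "cvss": 7.5, "summary": "weak default cipher suite"},
    {"id": "ADV-EXAMPLE-0003", "component": "legacy-auth",
     "fixed_in": "1.0.0", "cvss": 8.1, "summary": "hard-coded credentials"},
]

# Licenses the hypothetical organization's policy does not allow in shipped products.
LICENSE_DENYLIST = {"AGPL-3.0-only", "GPL-3.0-only"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Finding:
    component: str
    version: str
    kind: str        # "vulnerability" or "license"
    reference: str   # advisory id or license id
    score: float     # CVSS for vulnerabilities; fixed policy weight for license issues
    detail: str


def analyse_sbom(sbom_json: str, advisories: List[dict], denylist: Set[str]) -> List[Finding]:
    """Match SBOM components against advisories and license policy; highest score first."""
    sbom = json.loads(sbom_json)
    findings: List[Finding] = []
    for comp in sbom["components"]:
        name, version = comp["name"], comp["version"]
        # A component is affected when its name matches and it is older than the fixed version.
        for adv in advisories:
            if adv["component"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append(Finding(name, version, "vulnerability",
                                        adv["id"], adv["cvss"], adv["summary"]))
        # License compliance: missing or deny-listed licenses are findings too.
        license_ids = [entry["license"]["id"] for entry in comp.get("licenses", [])
                       if "license" in entry and "id" in entry["license"]]
        if not license_ids:
            findings.append(Finding(name, version, "license", "UNKNOWN", 3.0, "no license declared"))
        for lic in license_ids:
            if lic in denylist:
                findings.append(Finding(name, version, "license", lic, 5.0, "license on deny list"))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def remediation_priority(findings: List[Finding]) -> List[str]:
    """Component names in the order they should be remediated (first finding wins)."""
    order: List[str] = []
    for f in findings:
        if f.component not in order:
            order.append(f.component)
    return order


if __name__ == "__main__":
    results = analyse_sbom(SBOM_JSON, ADVISORIES, LICENSE_DENYLIST)
    for f in results:
        print(f"{f.score:>4}  {f.kind:<13} {f.component}@{f.version}  {f.reference}: {f.detail}")
    print("remediate in order:", remediation_priority(results))
```

Two design points matter for anyone turning this into a real control. First, matching on a bare component name is deliberately simplified; production SCA tools key on package URLs or CPE identifiers because the same name can denote different packages across ecosystems. Second, the license weights are policy values set by the organization, not industry constants; the point is that license and vulnerability findings can be ranked on one list so an insurer or auditor sees a single prioritized view.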
A second key aspect of how insurance companies assess client cybersecurity risk involves the 'Target State.' This concept identifies the security requirements for each organization, based on its regulatory framework, organizational goals and risk appetite, and simultaneously helps evaluate its maturity against the threat landscape. For insurance companies, maturity evaluations can support progress toward a desired Target State by identifying areas of weakness. Models such as the Cybersecurity Capability Maturity Model (C2M2) or the Capability Maturity Model Integration (CMMI) enable an evaluation of a client's cybersecurity implementation and, furthermore, allow priorities for improvement to be established.
Clearly, if an entity has less maturity, that may affect its risk and, in turn, the cost of insurance. While insurance companies already look at the maturity of cybersecurity controls to set premiums, this process needs to be enhanced given the growing threat landscape. In the context of measures such as the CRA, insurance providers should redouble their efforts to assess and evaluate client cybersecurity risk. Tools such as SBOMs and other risk analysis approaches are a vital first step.