Ransomware attacks on municipalities, software suppliers and, perhaps most alarmingly, the United States’ critical infrastructure highlight the urgent need for a comprehensive response from government, the insurance industry and companies, according to Aon’s Catherine Mulligan and James Trainor.
While ransomware attacks increased 485 percent in 2020, often with multi-million-dollar demands, the attack vectors have remained largely unchanged.
Basic cybersecurity controls would have prevented most attacks. Increased risk management at the enterprise level across all sectors must be reinforced by strong public policy, a robust cyber insurance market and partnership between government and private industry.
The foundation for this approach is already in place. In March 2020, the Cyberspace Solarium Commission issued a report about how the federal government and private industry could better address cyber risk. In May 2021, the Biden administration issued an executive order to modernise cybersecurity defences across the federal government, critical infrastructure and technology suppliers. With bipartisan support, both Congress and the White House recognise the need for significant changes to the current way of doing business. As leaders in risk management, we recommend a three-pronged approach that critical infrastructure and the government can leverage to help reduce risk: consequences, capital and collaboration.
Consequences: the response of the US government and its foreign partners to malicious cyber actors should be similar to efforts to combat terrorism over the past two decades. Nothing short of a relentless pursuit of these criminal actors will stop their insidious attacks on the world economy. For decades, nation states have allowed hackers to conduct attacks against industries around the world but only if their own companies were excluded. This form of cyber material support emboldens ransomware and provides a haven for cyber criminals, spies and terrorists.
Various consequences could be levied on cyber actors and the nation states that enable them. Through international cooperation, the US government and its allies should pursue the adversary through sanctions, indictments, arrests, seizure of financial assets, and disruption and elimination of the infrastructure used to launch attacks. We urge the Biden administration and Congress to work together to ensure our law enforcement, military and other government agencies have the appropriate legal authorities and resources to better address this new dimension of crime and warfare.
Capital: financial resources can provide a backstop to the cyber insurance market, allowing for the ongoing development and use of meaningful insurance products and risk management tools. The cyber insurance market, which has matured into a $7.5bn industry globally, has responded to thousands of cyber claims in its 20-year history, covering incident response costs, business interruption and cyber extortion. The rise in ransomware claims has unsettled the insurance market, causing some to question whether cyber is an insurable risk.
Cyber insurance premiums are anticipated to increase by 20-50 percent in 2021. This potential systemic exposure has led (re)insurance executives to comment that cyber risk is ultimately too big for the traditional market to shoulder. As malware proliferation and other hazards put pressure on traditional markets, reliance on a federal backstop in the event of a catastrophic event could become more pronounced. To halt this trend, we call for the Biden administration and Congress to consider creating a cyber program modelled after the Terrorism Risk Insurance Act. Such a program would build capacity in the insurance market after the catastrophic losses due to ransomware payments in 2020.
Collaboration: while public and private sector partners have made some progress in this area, there is still much more work that needs to be done. There are numerous information-sharing platforms, including the National Cyber Forensic Training Alliance, Cyber Threat Alliance and the Financial Services Information Sharing and Analysis Center (FS-ISAC). These entities share valuable threat intelligence to help better protect industries from the growing cyber peril. Reducing barriers to share information and leveraging the technical and threat expertise from the federal government are all positive steps that can improve cyber resiliency.
This three-pronged approach of consequences, capital and collaboration, undertaken through public/private partnership, is necessary to help disrupt the rise in cybercrime and bolster the cyber insurance industry’s ability to cover the risk. More frequent and proactive technical operations, similar to what we saw in April 2021 with the Microsoft Exchange vulnerability, are necessary to disarm the cyber adversary. The proliferation of cryptocurrencies and their role in cybercrime is another area to explore to impede cyber criminals from exploiting financial networks for criminal purposes. Improved data sets, such as aggregated and anonymised cyber incident reporting, would support the insurance industry in creating relevant products and tracking long-term profitability. We strongly believe a call to action to focus the nation on the existential cyber threat is crucial to lower cyber risk for our country, businesses and the American people.
Catherine A. Mulligan is global head of cyber for Aon’s Reinsurance Solutions, and James Trainor is senior vice president at Aon Cyber Solutions and former assistant director of the FBI’s Cyber Division.