In the cyber insurance industry, there is a growing need for regulation and regulatory compliance.
In the state of Pennsylvania, and elsewhere, this stems largely from the insoluble difficulty in protecting the sensitive data of shoppers while they make purchases online.
As an online merchant, your customer's data is especially vulnerable as it moves through your servers and purchase portals.
The customer's data is especially vulnerable during information exchanges and there is no sure way to protect it in a world where cyber attacks are constantly evolving.
Now, because the customer's data is technically in your hands during these exchanges, the government can and often does hold the merchant responsible.
From a legal standpoint, this issue is similar to laws aimed at protecting people in public and private spaces.
When someone trips and gets hurt, for example, in a store, public space, or private property, the owner or responsible party for that property can be held liable for the injury.
In the state of Pennsylvania, online merchants are held responsible for their customer's data while making purchases online.
To further complicate things, (or help depending on your perspective), the White House has developed its own strategy to protect online purchasers on the federal level.
Here, we will discuss the White House Cybersecurity Strategy, potential and existing policies, and their impact on you and the people you serve.
Earlier this month, President Biden released the federal government's National Cybersecurity Strategy which is intended to describe the administration's policy on the defense of the nation's digital assets.
During the press conference on the subject, he delivered the following statement:
"Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.
[This Strategy,] recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace."
Whitehouse.gov released the following in support of this statement:
"These principles have guided our effort to shift the responsibility to defend cyberspace from individuals, small businesses, state, and local governments to the organizations most capable of carrying that responsibility and best-positioned to reduce the risk for all of us - namely technology companies and the Federal Government.
They have also driven us to realign incentives to favor long-term investments in cybersecurity and resilience.
That requires us to strike a careful balance between defending ourselves against urgent threats today and simultaneously planning strategically for, and investing in a resilient digital future."
The strategy incorporates a general approach to cybersecurity and five digital security pillars discussed below.
Over the last year, professionals at the Office of the National Cyber Director (ONCD) have been working around the clock to coordinate the rollout of 69 initiatives laid out in the original version of the national cybersecurity effort documentation.
The federal government has made great progress in this endeavor, with no fewer than 20 having been designated as complete and effective at the time of this writing.
While the current version is yet to be fully outlined next year, the administration has released the five pillars of the program, as described below.
The five pillars make up the bulk of the plan as it has been presented to the public and they are as follows:
The ONCD and the Cybersecurity & Infrastructure Security Agency (CISA), working together, drafted a series of scenarios for critical service sectors outlining likely threats and security outcomes.
These service sectors include Water, Public Health and Healthcare, Maritime Transport, Chemical, and Commercial Facility sectors, and electoral services.
The first pillar is designed to enable these and other sectors to achieve actionable readiness to respond to malicious actors within cyberspace including theft, the actions of hostile nation-states, and other threat vectors both nationally and internationally.
The second pillar adds teeth to the policies outlined in the first by giving organizations the right to, tools for, and reasonable expectation of the disruption and dismantlement of a growing spectrum of threat actors and vectors.
These services and capabilities include deterrence and defense, engaging with malicious actors with the powers and authority already built into the Department of Justice.
Concurrently, the DOJ continues to build and upgrade its own capabilities to improve both the speed and scale of its existing cyber-threat disruption powers.
The third pillar aims to influence, shape, and guide market forces to promote data resilience and security.
The Office of Management and Budget proposed a series of changes in October 2023 to support these aims.
These include ways for the federal government to invest in Internet of Things (IoT) assets to establish "security by design."
This, to raise the bar for data security, affects the ways and the motivations for private sectors to sell assets to the government and consumers to improve the quality of security assets across industries, sectors, and populations.
The fourth pillar can be defined as an extension of the third, much as the second is an extension of the first.
It is designed to encourage investment in data-secure outcomes for the future.
The National Institute of Standards and Technology (NIST) is redoubling its efforts to compel the federal government to partner with industry in setting up multinational cybersecurity standards for new and developing organizations.
These efforts aim to instantiate a global culture of forward-thinking when it comes to data security.
This is considered to be essential, not only for national security but also for the maintenance of economic competitiveness globally.
In the final pillar, the White House establishes an initiative to foster global partnerships in the interest of shared data security goals.
To this end, the State Department's Bureau of Cyberspace and Digital Policy was established last year.
This agency is working to create and bolster global coalitions to establish and bolster group efforts to counteract bad actors in our collective shared digital space.
A federal cyber insurance backstop can be described as publicly funded insurance protection aimed at sustaining critical capabilities and resources in the event of a broad, sweeping, and catastrophic cyber attack.
The idea has been both lauded and criticized for a wide range of reasons.
But as the risks and the general cybersecurity landscape continue to shift toward more wide-ranging threat types, more and more experts in the field are beginning to back the idea.
Indeed, there is growing optimism for a federal emergency fund aimed at rescuing the economy from the effects crippling cyber attacks.
According to John Sakellariadis of Politico, a federal cybersecurity insurance backstop may accomplish far more than is immediately obvious.
He claims that such a fund would be useful for guarding against far more than sweeping emergencies only.
The leading argument for such a fund is the need for protections that the private market cannot provide.
Private insurers, this line of reasoning continues, not only cannot pay to cover some kinds of harm but outright refuse to cover many more.
The federal backstop would have no, or at least far less, discretion in such matters.
Those who suffer from sweeping cyber attacks would benefit from the coverage far more readily and be much less likely to fail to qualify.
This would create a generalized safety net for businesses of all kinds and sizes as well as for private citizens.
This program falls under the 3rd pillar of the White House cybersecurity strategy, Shape Market Forces to Drive Security and Resilience.
That being the case, it would meet the definition of investing in a more resilient digital infrastructure in the future.
Its overall purpose, even without massive cyber attacks, is to make cyber insurance more available and affordable across the board.
According to the Acting National Cyber Director, Kemba Walden the federal backstop, "Reimagines America's cyber social contract."
She goes on to say, "It will re-balance the responsibilities for managing cyber risk onto those who are most able to bear it."
Under the legal provisions of the policy, lawmakers would have the ability to adjust the requirements for private insurers to qualify for the support it provides.
By adjusting government support through an insurance provider's compliance with federal standards, the White House plans to make cyber insurance protections more readily available to those who both need it most and who are least able to afford it on their own.
Senior policy researcher at RAND, Sasha Romanosky, who researches the idea, said that the initiative may "help the cyber insurance market reduce risk and provide information that we currently lack, and serve as a useful forcing function for companies."
In short, the backstop could compel cyber insurance providers to offer coverage when it otherwise would not.
Short of the statement outlining the third pillar of the White House's cybersecurity strategy, little else has been said on the topic other than that mentioned here.
The administration is still working to garner public and private support for the idea.
Sakellariadis writes, "The Treasury Department closed a public comment period on the fund in December after the idea found its way into the inaugural report of the Cyberspace Solarium Commission.
Lawmakers and officials from the executive branch still have a lot to iron out.
They might choose a version of the program that is less ambitious than the highly qualified backstop in the short term."
He further quotes Romanosky as saying, "'There's impetus to create something. Lawmakers could advance something simple now and revise it later on.'"
So far, the five pillars of the proposed initiative are the clearest parts of the White House's cybersecurity strategy as it stands.
These points clearly define goals and clarify the thinking behind the effort to put something to this effect on the law books.
At present, the greatest barrier to all of this is resistance from the cyber insurance industry itself.
Insurers want to retain the freedom to offer insurance to those they choose and exclude those they consider to be too great a risk.
Their resistance could be mitigated should the federal government choose to use the backstop fund to support elevated coverage requirements for businesses.
Because the insurance industry has a powerful lobbying influence, this could be a likely outcome.
In the final analysis, small and medium-sized businesses stand to gain the benefits of the five pillars themselves, whether or not the backstop goes into effect.
Any efforts that go into the pillars will offer organizations clear guidance on how to collaborate on cybersecurity collectively.
This promise is an effective extension of existing NIST guidelines, placing businesses like yours ahead of where they were before.
Like you, we will wait and continue to hope that support in the form of the federal cybersecurity backstop will manifest in a way that helps insurance providers as well as those they serve.
