The Biden Administration is increasingly prioritizing growing ransomware threats as a risk management problem, according to guests on the latest episode of The Insuring Cyber Podcast.
This comes as four insurance firms — Travelers, Coalition, Resilience Cyber Solutions and Vantage Group — were among the participants in the White House summit on cybersecurity in August along with technology firms and Biden Administration officials. The aim was to discuss how these groups can work more closely together to improve the nation’s cybersecurity, particularly as U.S. public and private sector entities increasingly face cyber attacks.
“Wasn’t it interesting that the very first question by the President to that group of executives … was to a cyber insurance executive about this?” said Chris Finan, chief operating officer at ActZero, an artificial intelligence-driven cybersecurity start-up. “So if that doesn’t demonstrate, I think, the importance of this and getting it right … I don’t know what will. I was very pleased with that focus by the President. It does seem to be priority. I felt they had the right people around the table.”
Finan has more than a decade of experience working in cybersecurity and previously served in the Obama Administration as the director for cybersecurity legislation and policy on the National Security Council staff in the White House. He said he hopes to see momentum building toward a more standardized framework to measure risk as ransomware threats continue to grow, with AM Best recently reporting that ransomware now accounts for 75% of all cyber insurance claims.
“I think we can expect further actions from the administration, NIST (The National Institute of Standards and Technology) and DHS (The U.S. Department of Homeland Security) to now promulgate more sophisticated security standards, particularly ones that are more focused on ransomware controls,” he said.
Joshua Motta, CEO and co-founder of cyber insurance and security provider Coalition, agreed.
“I think that the government is acutely aware of how large of a threat [ransomware] is to the U.S. economy, and they’re taking actions,” he said.
Coalition was one of the four insurance companies invited to meet with President Biden at the summit.
“I think they were really looking at the insurance industry to be a driving force for setting those standards, for making sure that businesses have the appropriate minimum controls and hygiene in place and using the industry as a force to really try and incentivize the adoption and awareness of this problem,” he said. “That insurers were even invited is important to take stock of, and I think it’s indicative of the fact that [the federal government] views this as a risk management problem.”
He said that since insurance companies work to quickly respond to market forces and have a financial incentive to protect customers, the industry can be used as a mechanism to enforce cybersecurity hygiene.
“There’s very much asymmetry between the people who are attacking businesses, who only have to get it right once, and those who are trying to defend themselves who have to be right all the time,” he said. “And I think that the administration, the government, realizes that insurance companies can act like private regulators in a sense.”
Finan said he hopes to see a convergence between the public and private sectors on a set of ransomware controls and a framework to measure whether those controls are effective. In turn, he said this can create efficiencies in data collection and measurement that will help the insurance industry transfer risks smartly and efficiently.
“It starts at the C-suite. Is this a priority? Are you measuring it? Are you holding people accountable?” he said.
Motta added that although security took a back seat in software development for quite some time, businesses are now realizing they need to find better ways to protect themselves, particularly as the pandemic shifted many working environments to digital.
“I think most businesses are coming to the realization that they’re digital businesses, irrespective of what industry they’re in, when they were founded, whether they are technology companies or not,” he said. “If they’re dependent on a working computer and internet connection, they have cyber risk. They have technological risk.”
This is where the public and private sectors can come together to help organizations navigate their own cyber risks, Motta said.
“Unfortunately, many are not in the best position to figure out how to do that,” he said. “They’re busy enough trying to navigate a pandemic and keep their business going and focus on their core operations. Becoming an expert in cybersecurity and how to defend themselves is a daunting challenge, right?”
Finan agreed, adding that there is a lot of value in implementing best practices and a framework to measure and understand the effectiveness of risk management programs and reduce risk over time.
“I think the thing that really stands out to me is that there are no magic bullets,” he said. “A lot of this is just really hard.”
To find out what else Joshua and Chris had to say, check out the most recent episode of The Insuring Cyber Podcast. Be sure to check back for new episodes publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.