This week President Joseph Biden pledged his cabinet’s support in countering the advance of cybersecurity threats with a summit that included a who’s who of tech, insurance, and other industries.
On Aug. 25, administration officials joined representatives of private-sector companies in discussions covering the digital integrity of industries from insurance and finance to education and tech. Three parallel discussions tackled prominent areas of concern, aimed at beginning a conversation about how to set and encourage cybersecurity standards.
Increasing high-profile ransomware attacks catalyzed cybersecurity summit
The summit aimed to protect infrastructure and business interests from threats such as the ransomware takeover of the Colonial Pipeline company, which had an outsized effect as rumors of gas shortages spurred panicked travelers into artificially creating actual gas shortages (facepalm emoji, America).
Russian hackers continue to pose shadowy threats to election security, and the Colonial Pipeline CEO’s solution was a $4 million payout in the recent oil pipeline takeover. These anecdotes are part of a larger pattern that makes it increasingly clear that the Biden Administration’s infrastructure goals are linked to the ability of all industries to combat digital threats.
As technology connects us and everything from public drinking water to the air freshener in your home gets microchipped, digital threats take on renewed seriousness.
The Biden Administration referred to the day as a “call to action” in a background press briefing. While officials didn’t give the impression that everyone will walk away from the meeting with marching orders, the collaboration is a step toward setting standards and best practices that can shore up an admittedly spotty security system.
The role of big tech and other industries in cybersecurity
Administration officials planned the summit in part to deepen the public-private partnership served by the National Institute of Standards and Technology (NIST). Key topics included “new guidelines for building secure technology and assessing the security of technology, including open-source software,” according to a White House cybersecurity summit fact sheet.
Among the companies represented at the summit:
- Technology: Google, Amazon, Apple, Microsoft, IBM, and ADP
- Finance: JPMorgan Chase, Bank of America, TIAA, and U.S. Bancorp
- Insurance: Coalition, Vantage Group, Resilience, and Travelers
- Education: Code.org, University of Texas System, Tougaloo College, Girls Who Code, and Whatcom Community College
Representatives met with the president and then broke off into smaller meetings with cabinet and national security team members for informal discussions, which staffers summarized for a presidential briefing later. Many participating companies announced pledges to help move the needle on NIST security goals.
“Most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone so I’ve invited you all here today because you have the power, the capacity, and the responsibility – I believe – to raise the bar on cybersecurity,” said Biden in a press conference at the cybersecurity summit.
Biden’s sentiment was echoed by the insurance participants, with Vantage CEO Greg Hendrick saying to BusinessWire, “The insurance industry can play a vital role by bringing a more risk-based approach to providing coverage and pricing of cyber insurance … While the federal government is prioritizing and elevating cybersecurity like never before, the private sector should be taking the same approach.”
White House sets sights on international cooperation on tech security
The summit was also an opportunity for Biden’s team to trumpet other steps they’ve taken in digital safety, such as influencing NATO policy. As was covered humorously in a John Oliver bit on ransomware (and less humorously by actual journalists), one problem in targeting cybercriminals is that they’re frequently from other countries or use foreign servers, muddying the waters of jurisdiction. If cybercriminals face no repercussions in their home nations, what hope is there to end the practices of ransomware and data hostage-taking?
“Because cybersecurity’s a global issue, we’ve also rallied G7 countries to hold nations who harbor ransomware criminals accountable,” Biden said, directly calling on Vladimir Putin and Russia to join the fight against cybercrime.
Another difficulty facing American cybersecurity goals weighed heavily on the summit, with no easy fix in sight: About half a million cybersecurity positions remain unfilled. There are simply not enough people to support an already-too-frail industry. Participants floated increased pay and other recruiting efforts, with the education participants leaning heavily into the idea of “reskilling” workers whose fields are otherwise in decline.
Of course, this shortage disproportionately affects small businesses across the country. This fact was highlighted by Alan Schnitzer, CEO of The Travelers Companies, Inc., in a statement issued through BusinessWire following the conference.
“According to the Travelers Risk Index, which surveys U.S. business leaders, cyber risk is the number one concern across companies of all sizes,” said Schnitzer. “At Travelers, we see firsthand the devastating effects that a breach can have on a business, and we understand that even small changes can have a big impact on data security.”
Insurance-specific concerns regarding cybersecurity (spoilers: it’s cyber hygiene)
So, the bit you were probably looking for: What has insurance got to do with it? Aside from ensuring that large-dollar slices of the economy protect themselves and consumers, much of the discussion includes the property and casualty (P&C) sector of the industry.
Cybersecurity insurance has existed for years as a P&C contract, but industry insiders agree many contracts are out of touch with tech changes. In this way, P&C insurers are set up to pay out for the costs of “implied” or “assumed” coverage – coverage that isn’t in the contract but isn’t not in the contract. On the flip side, the insureds also often don’t understand what is in their contract (or not) and because they have insurance, don’t take basic precautions to protect themselves and their consumers.
These basic precautions – things like password-protected servers or two-factor authentication – are cyber hygiene. Like a shower and good old toothbrushing (looking at you, Ashton Kutcher), these are the digital practices all businesses should consider standard, routine.
Resilience and Coalition, two of the participating cyber insurance providers, pledged to forgo issuing policies to businesses that don’t have decent cyber hygiene. Pledges like this are an entry point to changing the culture of cybersecurity.
“So, if a company is willing to adhere to the minimum standards, they’ll have insurance, and if not, they’ll have to identify those gaps so they can get to that baseline,” Vishaal Hariprasad, CEO of Resilience Cyber Insurance Solutions, said to Reuters.
“When technology solutions are paired with the right incentives and the right support, the results are clear: Coalition policyholders reported one-third the frequency of claims as the broader cyber insurance market in 2020,” said Joshua Motta, CEO of Coalition, in a LinkedIn post. “Coalition, together with the broader cyber insurance industry, can play a fundamental role in increasing cybersecurity hygiene at scale and offer a critical lifeline to companies caught in the crosshairs of criminals.”
The industry-specific point to remember here is that, while having insurance is a public good, it doesn’t absolve you of your own responsibility. Having dental insurance doesn’t mean you shouldn’t brush those chompers, and having cyber insurance isn’t a replacement for basic cyber hygiene.