The federal Cybersecurity and Infrastructure Security Agency (CISA) in September released its 2023-2025 Strategic Plan, a response to the increasing vulnerability of U.S. infrastructure to cyberattacks.
- The plan proposes a framework for defining and managing the federal government’s role in mitigating cyber threats to national security.
- CISA aims to foster a cross-agency and “whole-of-nation” approach to risk management and resilience.
- Implementation and outcomes can have implications for cyber insurance markets.
- Two federal engagement requests have been issued to get feedback on creating a regulatory path forward.
Cyber resilience in the current digital ecosystem requires a new mindset.
CISA’s plan arrives in a rapidly transforming threat landscape in which the cybersecurity mindset is duly shifting from “Are we vulnerable to attack?” to “When a breach happens, how can we spot it, contain the damage, and recover as fast as possible?”
Businesses across all sectors have seen a rise in the frequency of breaches. Hackers are using sophisticated tactics to expand the reach of ransomware to third or fourth parties, such as supply-chain partners. Estimates of organizations attacked in the last year range from 60 percent to as high as 86 percent, probably because dormant ransomware can remain undetected for a while and many organizations are hesitant to publicize or div incidents.
Organizations involved in critical infrastructure–such as the military, hospitals, financial institutions, and the supply chains providers–can be enticing targets for bad actors. The 2021 Internet Crime Report from the FBI reveals at least one organization in 14 of 16 critical infrastructure sectors experienced a ransomware attack that year. Data indicates that cyberattacks against US ports and terminals are increasing.
In response to the rising threats, CISA Director Jen Easterly announced earlier this year, “We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim.”
The “whole of nation” strategy – the agency’s first plan since its creation in 2018 – proposes a unity of effort framework, while drawing upon the CISA Strategic Intent from August 2019, to lay a foundation for the agency’s work ahead and incorporate four core goals:
- “Cyber defense against threats to National Critical Functions;
- Risk reduction and resilience;
- Operational collaboration using a “whole-of-nation” approach; and
- Agency unification.”
Loss ratios for cyber insurance are down, but challenges are still mounting.
Cost-effectiveness remains elusive, despite the growing demand for cyber risk coverage. Data from S&P Global indicates that after three years of steady climb, loss ratios decreased from 75% in 2020 to 65% in 2021. However, contributing factors continue to wreak havoc, including increased frequency and severity of cyber-attacks, rising associated breach costs and liabilities, and the lack of historical incident data necessary to assess and price risk. As liability coverage for critical infrastructure sectors poses further challenges to risk mitigation, some insurers opt out of providing coverage to these entities.
To build a foundation for risk assessment, CISA aims to create a regulatory path for the data collection mandate of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The legislation prescribes reporting of major cybersecurity incidents (within 72 hours) and ransomware payments (within 24 hours of payment). However, not every organization in a critical sector will automatically be required to report, and a formal enforcement framework for those expected to comply appears to be yet undefined.
CISA and FIO solicits feedback on forging a path towards national cyber resilience.
To foster collaboration between the government and private sectors while facilitating the implementation of CIRCIA, CISA recently issued a Request for Information. The list of reporting parameters up for public commentary includes how organizations may be defined as a “covered entity” (thus required to report incidents) and constraints and best practices around sharing of incident information.
Another example of the cross-agency and “whole-of-nation” effort outlined in CISA’s plan can be seen in a request for comment recently issued by the Department of the Treasury’s Federal Insurance Office (FIO). This public engagement sprang from a June 2022 GAO report recommendation. The FIO is asking for feedback on “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.” The agency welcomes information on gaps in other federal cyber risk initiatives, such as the SEC’s proposed cyber incident reporting rules, the Terrorism Risk Insurance Program (TRIP), and the CISA’s cyber incident reporting RFI.
Triple-I remains committed to advancing Cyber Awareness and supporting conversation about pertinent insurance trends and issues. For further reading, see our Issues Brief and stay tuned to our blog.