CISA releases long-awaited plan for national cyber resilience

The federal Cybersecurity and Infrastructure Security Agency (CISA) in September released its 2023-2025 Strategic Plan, a response to the increasing vulnerability of U.S. infrastructure to cyberattacks. 

Key Takeaways

  • The plan proposes a framework for defining and managing the federal government’s role in mitigating cyber threats to national security. 
  • CISA aims to foster a cross-agency and “whole-of-nation” approach to risk management and resilience.  
  • Implementation and outcomes can have implications for cyber insurance markets.
  • Two federal engagement requests have been issued to get feedback on creating a regulatory path forward.

Cyber resilience in the current digital ecosystem requires a new mindset.

CISA’s plan arrives in a rapidly transforming threat landscape in which the cybersecurity mindset is duly shifting from “Are we vulnerable to attack?” to “When a breach happens, how can we spot it, contain the damage, and recover as fast as possible?”  

Businesses across all sectors have seen a rise in the frequency of breaches. Hackers are using sophisticated tactics to expand the reach of ransomware to third or fourth parties, such as supply-chain partners. Estimates of organizations attacked in the last year range from 60 percent to as high as 86 percent, probably because dormant ransomware can remain undetected for a while and many organizations are hesitant to publicize incidents.

Organizations involved in critical infrastructure – such as the military, hospitals, financial institutions, and supply chain providers – can be enticing targets for bad actors. The 2021 Internet Crime Report from the FBI reveals at least one organization in 14 of 16 critical infrastructure sectors experienced a ransomware attack that year. Data indicates that cyberattacks against US ports and terminals are increasing.

In response to the rising threats, CISA Director Jen Easterly announced earlier this year, “We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim.”  

The “whole of nation” strategy – the agency’s first plan since its creation in 2018 – proposes a unity of effort framework, while drawing upon the CISA Strategic Intent from August 2019, to lay a foundation for the agency’s work ahead and incorporate four core goals:  

  • “Cyber defense against threats to National Critical Functions;  
  • Risk reduction and resilience; 
  • Operational collaboration using a “whole-of-nation” approach; and 
  • Agency unification.” 

Loss ratios for cyber insurance are down, but challenges are still mounting

Cost-effectiveness remains elusive, despite the growing demand for cyber risk coverage. Data from S&P Global indicates that after three years of steady climb, loss ratios decreased from 75% in 2020 to 65% in 2021. However, contributing factors continue to wreak havoc, including increased frequency and severity of cyber-attacks, rising associated breach costs and liabilities, and the lack of historical incident data necessary to assess and price risk. As liability coverage for critical infrastructure sectors poses further challenges to risk mitigation, some insurers opt out of providing coverage to these entities. 

To build a foundation for risk assessment, CISA aims to create a regulatory path for the data collection mandate of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The legislation prescribes reporting of major cybersecurity incidents (within 72 hours) and ransomware payments (within 24 hours of payment). However, not every organization in a critical sector will automatically be required to report, and a formal enforcement framework for those expected to comply appears to be as yet undefined.

CISA and FIO solicit feedback on forging a path towards national cyber resilience.

To foster collaboration between the government and private sectors while facilitating the implementation of CIRCIA, CISA recently issued a Request for Information. The list of reporting parameters up for public commentary includes how organizations may be defined as a “covered entity” (thus required to report incidents) and constraints and best practices around sharing of incident information.  

Another example of the cross-agency and “whole-of-nation” effort outlined in CISA’s plan can be seen in a request for comment recently issued by the Department of the Treasury’s Federal Insurance Office (FIO). This public engagement sprang from a June 2022 GAO report recommendation. The FIO is asking for feedback on “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.” The agency welcomes information on gaps in other federal cyber risk initiatives, such as the SEC’s proposed cyber incident reporting rules, the Terrorism Risk Insurance Program (TRIP), and CISA’s cyber incident reporting RFI.

Triple-I remains committed to advancing Cyber Awareness and supporting conversation about pertinent insurance trends and issues. For further reading, see our Issues Brief and stay tuned to our blog. 

“A.I. Take the Wheel!” Drivers Put Too Much Faith in Assist Features, IIHS Survey Suggests

Too many car owners are too comfortable leaving their vehicles’ driver-assist features in charge, potentially putting themselves and others at risk, according to the Insurance Institute for Highway Safety (IIHS).

IIHS said a survey of about 600 regular users of General Motors Super Cruise, Nissan/Infiniti ProPILOT Assist, and Tesla Autopilot found they were “more likely to perform non-driving-related activities like eating or texting while using their partial automation systems than while driving unassisted.”

“The big-picture message here is that the early adopters of these systems still have a poor understanding of the technology’s limits,” said IIHS President David Harkey.

The study reports that 53 percent of Super Cruise users, 42 percent of Tesla Autopilot users, and 12 percent of Nissan’s ProPilot Assist users were comfortable letting the system drive without watching what was happening on the road. Some even described being comfortable letting the vehicle drive during inclement weather.

These systems combine adaptive cruise control and lane-keeping systems, primarily to keep a car in a lane and following traffic on the highway. All require an attentive human driver to monitor the road and take full control when called for.

“None of the current systems is designed to replace a human driver or to make it safe for a driver to perform other activities that take their focus away from the road,” IIHS said in announcing the results of its survey.

While all three automakers caution drivers about the systems’ limits, confusion remains. Tesla’s driver-assist system, which it calls “full self-driving,” has received much scrutiny over the years as auto safety experts say the name is misleading and risks worsening road safety.

The U.S. government has set no standards for these features, which are some of the newest technologies on vehicles today. A patchwork of state laws and voluntary federal guidelines is attempting to cover the testing and eventual deployment of autonomous vehicles in the United States.

Learn More:

Background on: Self-driving cars and insurance

IICF Starts Ian Relief Fund

The insurance industry’s efforts on behalf of people struggling in the wake of disasters don’t end with paying policyholder claims.

The nonprofit Insurance Industry Charitable Foundation (IICF) has launched the IICF Hurricane Ian Relief Fund to support those in need in the wake of Hurricane Ian. Funds will benefit Team Rubicon, a nonprofit providing emergency response and relief throughout affected areas, and SW FL Emergency Relief Fund, which provides critical support to nonprofits and people in areas experiencing immediate need.

Through these nonprofits, IICF will provide funds for recovery support, temporary shelter and basic necessities, along with non-perishable food, toiletry items and diapers for children impacted by the storm.

“The insurance industry is rooted in helping others at their time of need,” said Bill Ross, CEO of IICF. “As tens of thousands of Floridians struggle to recover from the devastation of Hurricane Ian, we as an industry are moved to support those impacted through charitable giving.”

With the help of the insurance industry, IICF has been able to raise $2.3 million over the past few years to benefit nonprofits responding to disaster and pandemic needs across the United States and the United Kingdom. To donate to the current effort, please visit https://give.iicf.org/campaigns/23664-iicf-hurricane-ian-relief-fund.

Lawsuits Threaten to Swell Ian’s Price Tag

Litigation costs could add between $10 billion and $20 billion to insured losses from Hurricane Ian, adding to the woes of Florida’s already struggling homeowners’ insurance market, says Mark Friedlander, Triple-I’s corporate communications director.

Early estimates put Ian’s insured losses above $50 billion.

“Based on the past history of lawsuits following Florida hurricanes and the state’s very litigious environment, we expect a large volume of lawsuits to be filed in the wake of Hurricane Ian,” Friedlander said in an interview with Insurance Business America.

Most suits are expected to involve the distinction between flood and windstorm losses. Standard homeowners’ policies exclude flood-related damage from coverage, but differentiating between wind and flood damage in the aftermath of a major hurricane can be challenging.

Flood insurance is available from FEMA’s National Flood Insurance Program, as well as from a growing number of private carriers.

Trial attorneys are “already on the ground” and soliciting business in some of the hardest hit areas, Friedlander said. “This will be a key element in the solvency of struggling regional insurers who are already facing financial challenges.”

Six Florida-based insurers have already failed this year. Florida accounts for 79 percent of all U.S. homeowners’ claims litigation despite representing only 9 percent of insurance claims, according to figures shared by the Florida governor’s office. Litigation has contributed to double-digit premium-rate increases for home insurance in recent years, with Florida’s average annual home-insurance premium of $4,231 being among the nation’s highest.

“Floridians are seeing homeowners’ insurance become costlier and scarcer because for years the state has been the home of too much litigation and too many fraudulent roof-replacement schemes,” Triple-I CEO Sean Kevelighan said. “These two factors contributed enormously to the net underwriting losses Florida’s homeowners’ insurers cumulatively incurred between 2017 and 2021.”

Trevor Burgess, CEO of Neptune Flood Insurance, a St. Petersburg, Fla.-based private flood insurer, said that in all locations pummeled by Ian, the percentage of homes covered by flood policies is down from five years ago. Friedlander told Fox Weather that, while more than 50 percent of properties along Florida’s western Gulf Coast are insured for flood, “inland…the take-up rates for flood insurance are below five percent.”

While Florida is at particularly severe and persistent risk of hurricane-related flooding, the protection gap is by no means unique to the Sunshine State. Inland flooding due to hurricanes is causing increased damage and losses nationwide – often in areas where homeowners tend not to buy flood insurance.

In the days after Hurricane Ida made landfall in August 2021, massive amounts of rain fell inland, flooding subway lines and streets in New York and New Jersey. More than 40 people were killed in those states and Pennsylvania as basement apartments suddenly filled with water. In the hardest-hit areas, flood insurance take-up rates were under five percent.

Damaging floods that hit Eastern Kentucky in late July 2022 and led to the deaths of 38 people also were largely uninsured against. A mere 1 percent of properties in the counties most affected by the flooding have federal flood insurance.

“We’ve seen some pretty significant changes in the impact of flooding from hurricanes, very far inland,” Keith Wolfe, Swiss Re’s president for U.S. property and casualty, said in a recent Triple-I Executive Exchange. “Hurricanes have just behaved very differently in the past five years, once they come on shore, from what we’ve seen in the past 20.”

Thousands of Claims Experts Headed to Florida

By Rohit Verma, Chief Executive Officer, Crawford & Company

Hurricane Ian inflicted more damage in Florida and the Carolinas than last year’s Hurricane Ida did in Louisiana, in terms of the number of buildings, vehicles, and infrastructure affected. It is the main reason Ian’s insured losses are likely to exceed Ida’s $36 billion.

Ian’s flood-damage claims are expected to exceed claims for Ian-caused wind damage as a percentage of this $40 billion to $60 billion event, even though only about 18 percent of Florida homes carried flood insurance. Crawford & Company anticipates we will be handling a significant percentage of these flood claims. Dealing with both insured and uninsured losses is going to be especially challenging.

As routes are cleared to the communities of Fort Myers and Florida’s southwest coast, Crawford continues to evaluate the impact of the hurricane and to assist with the recovery. In our fastest ever ramp-up, thousands of Crawford’s adjusters are already deployed – our largest deployment in history at such an early stage – and we expect this number to increase in coming weeks.

This adjuster engagement is spread across our U.S. CAT team: managed repair network Contractor Connection, our loss-adjusting business; Crawford’s on-demand inspection service WeGoLook; and edjuster, the technology-driven field and desktop contents claims handling solutions provider Crawford acquired in August 2021.

Crawford Global Technical Services also is engaged with several clients who are still assessing the damage from Hurricane Ian, and we expect the volume of commercial claims to rise as they get reported.  Moreover, Crawford has fully operational support rooms in Gainesville, Tampa, Sunrise and Orlando, Florida.

Access remains challenging during the early stages of the response due to damaged infrastructure, but we have prioritized emergency mitigation services, board-up activities, and tree removal to help mitigate further damage and return homes and commercial buildings to a usable condition as quickly as possible.

As we get further into the restoration process, claims inflation and supply chain issues are likely to impact the industry’s response to Hurricane Ian. There will be intense demand for building materials.

Our immediate focus now is to help those who experienced devastating losses and restore lives, businesses, and communities affected by the hurricane.

Peril in Perspective: New Book Untangles Disaster Risk for Lay and Professional Readers

From the first sentence of the first chapter of her new book – Understanding Disaster Insurance: New Tools for a More Resilient Future – Carolyn Kousky nails it: “When it comes to disasters, record-breaking is the new normal.”

Kousky, associate vice president for economics and policy at the Environmental Defense Fund and a Triple-I non-resident scholar, is not engaging in hyperbole when she writes:

“The past few years have seen the largest wildfires on record in places across the globe, from California to Australia. We have seen the earliest formed hurricanes, the strongest storms, the most storms in a year, and the deadliest storm surges. We’ve seen record-breaking rainfall. We’ve experienced the hottest summers, the hottest days, and the hottest nights. We’ve also seen a pandemic sweep the globe, as well as the largest and most sophisticated cyberattack to date.”

If you’re a regular reader of the Triple-I Blog and the Resilience Blog on Triple-I’s Resilience Accelerator website, you’ve already had a sampling of the “new normal” Kousky describes. She is well qualified to explain these complex risks, having previously served as director of policy research and engagement and as executive director of the University of Pennsylvania’s Wharton Risk Center.

Kousky’s academic work goes deep into disaster insurance markets, disaster finance, climate risk management, and policy approaches for increasing resilience. She has published numerous articles, reports, and book chapters on the economics and policy of climate risk and is frequently cited in mainstream and business media.

And she can write, which – as anyone who has slogged through as many academic papers and insurance trade publications as I have can tell you – is a major differentiator.

Kousky has managed to produce something of a unicorn: a book on disaster insurance that anyone who cares about understanding our increasingly interconnected and disaster-prone world can read and learn from. Rather than dive straight into the deep weeds of modeling, pricing, and reserving, Kousky begins by clearly describing the global disaster landscape, articulating the threats and their costs, and explaining what insurance is – and, perhaps most important, what it isn’t – in terms the lay reader can easily identify with:

“By making regular premium payments – certain small losses – insureds are then protected against big losses by receiving compensation when those losses occur. In this way, you can think of insurance as moving money from the good times, when there are no disasters, to the bad times when a disaster happens. You pay a bit in the good times to receive money in the bad times.”

As to what insurance is not, Kousky writes:

“Insurance is not risk reduction…. It needs to go hand in hand with investments to actually reduce risks. At a household level, it could be upgrading to a fortified roof if you live on the hurricane-prone coast… When risks are reduced, insurance is cheaper, such that risk reduction is a critical complement to insurance. We need both.”

When she does get into the taller grass of insurance market structures and operations, regulations, and technically complex aspects of risk transfer beyond insurance, Kousky gives the reader fair warning.

Insurance professionals might choose to skip over some of the familiar industry history and fundamentals, but I found them interesting and – again, a tribute to Kousky’s writing – not at all painful. Her elaboration on the five “ideal criteria for insurability” and discussion of “thin-tail” versus “fat-tail” risks provides a helpful touchstone for insurance generalists like me.

“Insurability is not a yes/no proposition, but a spectrum,” Kousky reminds us, “from easier-to-insure risks, like auto collisions, to difficult-to-insure risks, like destructive earthquakes and hurricanes, to the almost-impossible-to-insure risks, like war.”

Untangling and quantifying these perils and developing strategies to address them will be at the heart of risk management in a warmer, wetter, increasingly chaotic world.

Kousky’s book does a solid job of describing what is being done, what’s working and what isn’t; the challenges of insurance availability and affordability; the opportunities and limitations of risk-transfer mechanisms; the importance of markets, public policy, and individual initiative; and the promise of innovation.

That is no small accomplishment.

Workers Comp: A Strong Line Rebounds From Pandemic Pressure

Max Dorfman, Research Writer, Triple-I

The workers compensation field is “responding and adapting remarkably well to economic changes,” according to Donna Glenn, chief actuary, National Council on Compensation Insurance (NCCI). “The pandemic brought new occupational illnesses into the system, but it was offset by a reduction of other types of claims back in 2020.”

Glenn made her comments in a new Executive Exchange with Triple-I CEO Sean Kevelighan. She noted that the workers comp industry was in a strong position before the pandemic and, consequently, in its aftermath. This includes seven years of underwriting profitability.

“Strong employment and wages are on the rise, fueling the workers comp system,” Glenn said. “The strength of the labor market is awesome.”

Kevelighan and Glenn noted that changing labor patterns will also affect workers comp claims frequency.

“Frequency declined in 2020 because of the business shutdowns,” Glenn said. “When workers returned, claims activity came back. However, remote work is decreasing overall claim frequency. This is the new normal.”

They also discussed the potential for rising medical costs.

“Medical costs have been fairly stable, but some are talking about medical costs exploding out of control again,” Kevelighan said.

“Medical prices are up,” Glenn agreed, adding that medical inflation “is tame compared to general inflation. The medical industry has benefited from regulation, including medical fee schedules, treatment guidelines and prescription drug formularies, which contribute significantly to the cost-control system in workers comp.”

Further, fewer procedures are happening in hospitals.  Instead, they’re happening in an outpatient environment or ambulatory service center.

Glenn observed that physical therapy and the decrease in use of opioids have also helped. However, she signaled that there may be emerging issues with mental health.

“PTSD, particularly with first responders, comes up with workers comp,” she said. “But mental health is much broader than PTSD. We have to be very mindful of how we take care of workers.”

Kia, Hyundai Vehicles Stolen at Record Rates

Max Dorfman, Research Writer, Triple-I

Bargain-priced Kia and Hyundai vehicles are now being targeted for theft at rates similar to muscle cars and SUVs, the Highway Loss Data Institute (HLDI) has reported, based on an analysis of 2021 insurance claims. The spike is due, in part, to the fact that the models being stolen don’t have electronic immobilizers that stop thieves from bypassing the ignition.

“Car theft spiked during the pandemic,” said Matt Moore, HLDI senior vice president. “These numbers tell us that some vehicles may be targeted because they’re fast or worth a lot of money and others because they’re easy to steal.”

Ignition immobilizers are standard equipment on almost all vehicles of that vintage made by other companies. They were standard on 62 percent of models of other manufacturers in model year 2000. By model year 2015, immobilizers were standard on 96 percent of other vehicles, but were only standard on 26 percent of Hyundai and Kia vehicle models.

“If it doesn’t have an immobilizer, it does make it somewhat easier to steal,” said Darrell Russell, a former auto theft investigator who is now director of operations, vehicles, at the National Insurance Crime Bureau (NICB).

In Wisconsin, which was affected by these thefts earlier than most, losses from Hyundai-Kia thefts grew more than 30 times from the 2019 level.

Motor vehicle theft continues to be a major issue

In 2020, the FBI found that $7.4 billion was lost to motor vehicle theft, with the average dollar loss per theft at $9,166. A total of 810,400 vehicles were stolen that year. The number of vehicles stolen was up 11.8 percent in 2020, from 724,872 in 2019. The NICB says the pandemic, economic downturn, loss of juvenile outreach programs, and public safety budgetary and resource limitations were key factors in the increase of motor vehicles stolen in 2020.

Preventive measures are important

The NICB recommends a layered approach to prevent vehicles from being stolen that includes:

  • Always locking your doors and removing your keys from the ignition;
  • Using visible or audible devices, like alarms and steering column brake locks;
  • Installing a vehicle immobilizer, like a kill switch or smart key; and
  • Investing in a tracking system.

Chubb Study Parses Insurance-Buying Behavior By Generation

Millennial and Generation Z consumers are more likely than Baby Boomers or Gen-Xers to seek insurance advice from an agent or broker, according to recent findings by Chubb.

The Chubb study explores attitudes about insurance-related matters across five generations of affluent and high net worth consumers in the U.S. and Canada. Its findings reveal differences in:

  • How each generation searches for and purchases insurance;
  • What they look for in an insurance carrier;
  • Their current coverages;
  • The kinds of media they trust most; and
  • How they currently engage with insurance agents.

Majorities of Gen Z and Millennial respondents (53 percent for both) appreciate having their agent or broker educate them on how insurance products and services can match their long-term goals, compared with about 40 percent each for Gen X and Baby Boomers. Unsurprisingly, the study also found that younger generations are more likely to use social media reviews when choosing an agent or broker to advise them. Most Gen Z (94 percent) and Millennial (89 percent) respondents said they rely on social media reviews, compared with 64 percent for Gen-Xers and 56 percent for Baby Boomers.

This quantitative study was being released in conjunction with additional research that agents and brokers can use to tailor their engagement with each of these generations to build greater trust, connection and credibility.

“It’s critical in today’s competitive business environment that we understand the dynamics of catering to different generations, with each evaluating and purchasing insurance very differently,” said Ana Robic, vice president, Chubb Group and Division President, Chubb North America Personal Risk Services. “We encourage our distribution partners to dive into what we’ve made available – and along with us – harness these insights to meet the unique risk management needs of our mutual clients across generations.” 

PFAS-Related Litigation May Signal an Emerging Liability for Insurers

Max Dorfman, Research Writer, Triple-I

Per- and Polyfluoroalkyl Substances (PFAS)—a varied group of human-made chemicals used in an array of consumer and industrial products—present a new potential liability for insurers, as U.S. regulatory activity continues to change, with lawsuit outcomes indicating this is an issue that will continue to develop.

PFAS, which have existed since the 1930s, are creating concern because of how ubiquitous they are, as well as their potential to harm people’s lives. They are used in everything from Teflon coatings to food packaging to firefighting foam, due to their capacity to resist oil and moisture. These qualities are also potentially damaging because they often stay in the human body, never entirely breaking down.

Though studies surrounding PFAS are not conclusive, they have been connected to cancer, pregnancy-induced hypertension, and thyroid disease. Their pervasiveness means everyone likely has some amount of PFAS in their blood stream. There is fear about their presence in water supplies, as well.

“PFAS are water soluble and dissolve readily in soil,” said Cindy Wilk, Global Environmental Liability Expert, Allianz Risk Consulting at AGCS. “An industrial accident or firefighting incident can result in their release into water sources, making local communities vulnerable, but PFAS can also migrate quickly through groundwater pathways to contaminate areas far from their original source.”

PFAS litigation continues to rise

PFAS litigation has seen tremendous growth over the past 20 years, beginning with a lawsuit filed against DuPont, the company that makes Teflon. DuPont was accused of contaminating water from a plant in West Virginia—resulting in a settlement to provide up to $235 million for medical monitoring of over 70,000 people. Several similar lawsuits have followed.

As of 2021, more than 5,000 PFAS-related complaints have been filed in 40 courts, with 193 defendants in 82 industries.

Additionally, in 2021, the PFAS Action Act passed the House and set the Environmental Protection Agency (EPA) on the recent course toward developing new PFAS standards. The act does not include a liability exception for water-wastewater utilities, despite the fact that these entities are not the source of PFAS, thus causing concern that they will be the target of civil litigation.

How can insurers respond?

Although the Insurance Services Office (ISO) has not produced a PFAS-specific exclusion for commercial liability policies, work is being done on a draft exclusion, which could be published in late 2022. With that process still underway, several PFAS-related exclusions are circulating, some as a modification to the Total Pollution Exclusion or by establishing a stand-alone PFAS exclusion. Still, insurers must be wary of the potential liabilities, as the Biden Administration’s regulatory focus on PFAS could lead to increased litigation.

Reinsurer Gen Re recommends that insurers:

  • Take inventory of previously underwritten risks;
  • Carefully consider new risks at submissions; and
  • Keep abreast of PFAS, both as to scientific developments and the litigation that it spawns.
