Your neighborhood is dark, darker than you’ve ever seen it. Rising up and above the houses, we see the lights of nearby neighborhoods flicker eerily, like gas lamps of centuries past. Up and up we go, seeing neighborhood after neighborhood, city after city, flicker and fade like ghosts in the night.
Then everything goes black.
This vision of critical energy infrastructure crippled from a series of cyberattacks might read like a Hollywood screenplay, but it’s actually pulled from the Connecticut Insurance Law Journal. This scenario sets the stage for the article, “Uncle Sam RE: Improving Cyber Hygiene and Increasing Confidence in the Cyber Insurance Ecosystem via Government Backstopping,” written by Bryan Cunningham, executive director of UCI’s Cybersecurity Policy and Research Institute (CPRI), and Shauhin Talesh, a UCI law professor and director of UCI’s Law and Graduate Studies Program.
Their article, based on in-depth interviews across the cyber insurance ecosystem, offers detailed draft legislation that leverages the cyber insurance industry to incentivize companies to strengthen their cybersecurity while also providing financial backstopping to prevent the collapse of the cyber ecosystem in a future catastrophic attack.
“I wanted to make the article as accessible as possible to non-lawyers, so it starts with a screenplay-like hypothetical,” explains Cunningham. “This paper is targeted at members of Congress, their legislative staff, journalists and just ordinary people, so I didn’t want it to be full of jargon and legalese.” Yet, as outlined in the article’s “Appendix B: Could It Happen?” he stresses that the hypothetical scenario is plausible.
“The paper is essentially making the case that we could have an event — and maybe Vladimir Putin is creating this right now — that so stresses the global capital for cyber insurance payouts that it breaks the system,” he says. “Before COVID-19, I don’t think most insurance companies thought there could be an event — or combination of events — that could cost trillions of dollars. Since then, and since some of the big cyberattacks like NotPetya [blamed on Russia in 2017], there is talk in the industry that maybe there could be such an event.”
Talk in the Cyber Insurance Industry
Another article by Cunningham and Talesh, appearing in the Utah Law Review, provides the empirical foundation for their legislative proposal provisions. That work, “The Technologization of Insurance: An Empirical Analysis of Big Data and Artificial Intelligence’s Impact on Cybersecurity and Privacy,” outlines in detail the state of the cyber industry based on interviews with more than 60 people across the cyber ecosystem, ranging from cyber insurance brokers, risk managers and underwriters to cyber insurance startups, cybersecurity lawyers, data brokers and forensics experts. Cunningham and Talesh, supported by UCI law students, also analyzed a database of insurance claims information and numerous cybersecurity policies to identify how technology influences the delivery of insurance.
“The [Technologization of Insurance] paper is mostly saying here’s what we learned from all of our interviews and all of our research and here is what hasn’t worked,” says Cunningham. “Then the [Uncle Sam] paper looks at how we can make [the ecosystem] work and presents an actual proposal to help improve cybersecurity and financially backstop the cyber insurance industry.” The latter paper offers a set of interconnected recommendations for public-private measures to support and stabilize the cyber insurance ecosystem while improving “cyber hygiene” — defined by the U.S. Government Accountability Office as “a set of practices for managing the most common and pervasive cybersecurity risks.”
Talesh, one of the leading insurance scholars in the country conducting empirical research on how insurance-as-regulation works in action, believes this research can impact not only our understanding of cyber insurance, but also the private role of insurers as regulators more broadly.
“Policymakers and, to some extent, the legal academy often discuss how private actors such as insurance companies play a critical role as regulators in society, arguing they are better situated and have better tools to regulate organizational behavior,” says Talesh. “However, our granular examination of the cybersecurity field suggests that such interventions are often ineffective and largely symbolic. This kind of rich qualitative research shines a light on where insurers fall short. Moreover, we offer a pathway for how both insurers and the government can improve cyber hygiene in society.”
The Catastrophic Cybersecurity Resilience Act
Cunningham and Talesh package their recommendations in draft legislation titled the Catastrophic Cybersecurity Resilience Act (CCRA). Under the proposed CCRA, any insurer who joins a new federal insurance backstopping program would have to:
- mandate that all purchasers of their cyber products maintain a baseline level of cyber hygiene;
- require those they insure to report cyber incidents to the government — under appropriate legal protections — in a timely manner;
- abide by newly created public “certifications of attribution” for cyberattacks; and
- agree to rarely (and only under narrow, specified conditions) enforce war exclusions in cyberattack insurance coverage decisions or litigation.
While these requirements would not be mandated directly to all companies, insurers meeting these requirements would have access to government funding above a certain amount of loss should a catastrophic event occur. “So, in return for getting access to this potential funding pool that might save your company down the road,” explains Cunningham, “the CCRA requires insurance companies to do and incentivize certain things to help make all of us more cyber secure.”
What is appealing about this approach is that it’s not a government mandate. “It’s the government telling your insurance company, ‘if you want this big benefit, you have to demand these cybersecurity measures,’ but the company could always say no [and] just take the risk of going bankrupt in the event of a true cyber catastrophe,” says Cunningham. Furthermore, he adds that any compliance monitoring would come from the private sector, not “Big Brother in Washington,” and could also be incentivized. “Very few people want the government monitoring everything they’re doing,” he says, “but you could theoretically have some tech companies willing to offer very low rates to clients who allow the company to monitor their compliance with CCRA.”
This work stems from a generous $1.4 million gift from the Herman P. & Sophia Taubman Foundation, given to CPRI in 2019 in support of securing the Internet of Everything (IoE). Cunningham’s goal was to apply an ecosystem of interrelated concepts focused on the technical aspects of security (led by Computer Science Professor Ian Harris), the policy perspective (led by Computer Science Professor Scott Jordan) and the legal and regulatory components (led by Cunningham and Talesh).
Cunningham’s collaboration with Talesh not only pushed forward one of CPRI’s central missions — enabling crossdisciplinary research and publications — but also resulted in exploring the emerging role of insurance companies as de facto cyber regulators, and the next steps are outlined in the paper proposing the CCRA. “We hope that one of the beneficial aspects of the Uncle Sam RE paper is that very rarely do you see academics actually write a piece of legislation, in a form that a Senator Feinstein or Representative Katie Porter could literally walk into the Senate or House and drop it as a bill for legislative debate,” says Cunningham. “That’s a huge advantage because writing legislation like this —especially the first draft — is complicated and requires a lot of expertise.”
This is where Cunningham’s background as a former White House lawyer and adviser comes into play. He served six years in the Clinton administration as a senior CIA officer and federal prosecutor and, as deputy legal adviser to the White House National Security Council for Condoleezza Rice, he drafted significant portions of the Homeland Security Act and related legislation and helped shepherd them through Congress. His familiarity with the process was critical in creating the proposed CCRA.
“It’s not in any way, shape or form perfect, but it’s a way to start the conversation,” he says, adding that, COVID-willing, he hopes to continue the conversation with an in-person conference at UCI in the fall. “We would set it up like a mock session of Congress, so we’d lead a legislative debate — or what they call a ‘markup,’ which is where you take a bill and you literally sit there and critique it.”
Of course, the ultimate goal would be for Congress to enact the legislation, encouraging companies to start shoring up U.S. cybersecurity before a truly catastrophic event. As Cunningham and Talesh point out in the article, “it seems likely we will face — sooner rather than later — a cyber reckoning (or a cyber ‘Pearl Harbor’ — pick your metaphor). More optimistically, by adequately preparing for that day, we can reduce the likelihood that it ever comes.”
— Shani Murray