Silent Cyber: Managing Risk When You Don’t Know the Risk

 by Brian McCarthy

Silent Cyber Isn’t New (Cybersecurity Risk Assessment)

No, Silent Cyber isn’t new at all, but we will be hearing a lot more about it moving into the near future. Right now, as this blog is written, insurance companies are trying to figure out how to compartmentalize the financial risk of cybersecurity risk, and as such, the payouts and premiums (Silent Cyber) as it relates to risk exposure. This is without a doubt a daunting task as cybersecurity takes on a whole-of-business approach as exposures are continually shown with our near-daily hacking stories. Moreover, we are far beyond securing email accounts. Cybersecurity is systemic throughout an organization’s total performance and represents the balance sheet at the end of the day. So, what is Silent Cyber? Let’s explore.

A Hypothetical (Silent Cyber Risk Assessment)

Let’s talk about a hydroelectric dam that provides electricity to 35,000 customers in the valley. The dam was built in the 1950s. Based on annual inspections, the Army Corps of Engineers and local government regulators and inspectors are deemed safe-to-operate and regular oversight. This dam is so well built and trouble-free that nobody would have thought of it to be a cybersecurity risk until today. As we add more PLCs and SCADA system controls to dams across the country, we also add additional attack surfaces that haven’t been part of the risk profile until recently. However, if a reservoir leveling gate was opened through a simple SCADA hack, what’s the downstream impact to those 35,000 customers in the valley? Industrial Controls remain largely insecure when looking at best practices, especially when society relies on such infrastructure to conduct daily life. I mean, remember when Iran hacked that little dam in New York in 2016? Don’t worry, I didn’t either.

Silent Cyber is The Elephant (Silent Cyber Insurance)

So, if you happen to be ABC Insurance Company, which was happy to write a general liability insurance policy on that hypothetical dam a few decades ago, and have enjoyed those renewals, has your policy kept up with the automation and digital controls inherent to today’s operations (Silent Cyber Insurance)? Does ABC Insurance even understand the risk of ensuring a dam with a cybersecurity policy, which is likely necessary to continue operations? After all, is ABC Insurance responsible for the dam or the entire valley if a USB stick compromised that dam (Cybersecurity Risk Assessment)? However, there is no time like the present.

7 Insurers form Company to Coordinate for Cybersecurity

Aren’t we in luck? Finally, seven prominent insurers see the risk, and the absolute wall of insolvency, and of course, the rewarding opportunity to make sense of all of this. AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual, and Travelers have formed a company to pool their data, and it’s refreshing to see some action. The new organization is called CyberAcuView, whose mission is as follows:

https://cyberacuview.com/about-us/

Someone pinch me, as we see a direct correlation in the interest of information sharing and standards for insurance organizations that we are currently seeing at the Department of Defense (DoD), the Defense Industrial Base (DIB), amongst other entities. To best identify risk, we must share information in a fast, if not live, environment. After the May 2021 Government Accountability Office (GOA) report on the cyber insurance market, it’s clear that the risk wasn’t properly presented as policies went out the door.

Insurers realize they aren’t capitalized for a massive cyber event and seek to manage risk, cash flow, and reserves. Banks realize that cybersecurity is a rating or measure to consider when providing funding to a business. Cyber practices matter to the banking balance sheet, which is representative of a pure ledger of risk. The government and financial markets see the challenge. Cybersecurity is taking the stage, along with the Securities and Exchange Commission (SEC) and their newest push for Environmental, Social, and Governance (ESG), (yes, cybersecurity will be governance in ESG). The supply chain sees that cybersecurity matters to business continuity, the balance sheet, and ultimately, to their customer base. The DoD sees that the supply chain is under tremendous pressure from hackers and nation-states without our best interests in mind. The DoD sees how National Security could be compromised by the smallest of chips, software, devices, IoT communications, 5G, and other new and fast-moving technologies, making procurement front and center in importance. The challenge we face here is large, complex, and daunting, but a challenge is an opportunity!

Lets Get to Work

Yes, we have a lot to do as people, employees, businesses, governments, and citizens of the United States to improve our cybersecurity risk profile. We also need to identify and measure cybersecurity risk in our businesses and our balance sheets, along with the newly activated Environmental, Social, and Governance (ESG) standards that are ever-changing but powerful. The regulations are coming; some are here now, but many forthcoming, where ignorance will no longer create bliss. Organizations need to adopt a cybersecurity framework, implement the right controls, tools, and competencies within the business, and identify and control risk in this quickly changing world of risk/reward balancing.

#ESG #SCRM #SilentCyber #RiskManagement #CyberAwareness