After SolarWinds, Companies Turn to Insurers, Not Feds, for Protection

The United States' cybersecurity infrastructure is still reeling from one of the worst digital intrusions in the nation's history uncovered late last year. But as a new administration scrambles to shore up its digital defense, industry leaders are turning to private insurers, not the federal government, for protection.

Like an uninsured driver, companies lacking adequate safeguards have become too great a risk. Meanwhile, hacking hazards have continued to grow more sophisticated over the years, with even more moving parts than the average vehicle. Most companies and consumers alike aren't even aware of the countless ways in which they may be targeted, much less how to protect themselves.

"My theory is there are only two kinds of corporations: those that have been breached, and those that will be breached," Mario Vitale, CEO of insurance firm Resilience Cyber Insurance Solutions, told Newsweek.

Vitale described hacking as "an emerging peril" akin to more familiar risks covered by insurance policies, such as fire, flood and earthquake. And while a cyber event is no "Act of God," it can be equally unpredictable, even for experts.

"What I've noticed is different about this peril is that the security protections that you need to build it, virus protections, but also tools and techniques and codes and firewalls, backing up data, all that needs to be refreshed almost annually," Vitale said.

The definition of an industry standard in this case, he said, is ever-changing and updating. And while the idea of cyber insurance companies dates back about a decade, he explained, the concept is only now beginning to pick up, and "it's going very rapidly."

But the threat it seeks to counter is moving even quicker, outpacing public awareness. As such, the chances grow more likely of another serious incident that could affect an entire supply chain, and a nation.

"Everyone is linked today, and so you're only as good as your weakest link," Raj Shah, chairman of cybersecurity insurance firm Resilience, told Newsweek.

Shah described "a strong movement" of companies, especially large ones, that are now requiring that their suppliers meet minimum levels of cyber insurance for both security and financial reasons. Despite the enormity of the risk involved, it's an area where there are few government mandates, which has compelled the private sector to take action.

"In the absence of the government solving the problem or having regulatory change," he said, "private companies are taking that into their own hands."

In this photo illustration a young man types on an illuminated computer keyboard typically favored by computer coders on January 25 in Berlin, Germany. 2020 saw a sharp rise in global cybercrime that was in part driven by the jump in online retailing that ensued during national lockdowns as governments sought to rein in the coronavirus pandemic. Sean Gallup/Getty Images

The mass digitization of data is not a new phenomenon, and neither are efforts to steal or manipulate it. Individuals and entities, private and state-sponsored, have for decades played cat-and-mouse games over online information, from personal passwords to nuclear centrifuges.

But never has it been so dangerous to run a seemingly innocuous operation that could endanger not only one's own company but a vast network of equally unsuspecting victims.

It's been about a year since products of leading software company SolarWinds are believed to have first been infiltrated with Trojan malware. The discovery of the breach months later triggered a crisis that affected various agencies of the U.S. government and scores of Fortune 500 companies, among other institutions.

The U.S. has blamed Russia for that incident, a charge vehemently denied by Moscow.

A range of U.S. federal agencies stepped in upon the suspicion of a foreign government sneaking into some of the country's most prominent agencies and firms. In reality, it's getting easier for even less-equipped enemy actors to stage attacks of unprecedented magnitude.

"You need a solution that can move as fast as the bad guys, and so this is why I think at least in the near-term, the solution is going to come from the private sector in the form of this new type of insurance," Shah said. "Hopefully, over time, the government will be able to provide more assistance, provide more intelligence. There's a lot of reform and change that needs to happen, both legislatively and technically, for that to become reality."

But Washington has yet to catch up, despite areas of potential private-public sector cooperation.

"There are real, meaningful, impactful ways the government can start to harness this problem, and the government is 10 years behind the times," Shawn Henry, president and chief security officer of cybersecurity company CrowdStrike, told Newsweek.

Henry, a former FBI executive assistant director, has spent the better part of his career sounding the alarm on cyber threats and their capacity to disrupt the livelihood of countries, companies and citizens. He said it's "maddening" to be reciting some of the same concerns after not only 10 years, but 20.

It's a threat that's intangible for most people, he acknowledges, but it has the capacity to ruin careers and lives all the same.

"The average American isn't going to take this seriously, until they can't charge their iPhone for three or four days," Henry said. "Then they're going to take it seriously because it's personally impacting them. But it's so hard to quantify for the average person, I don't think they see it or understand it. It's impacting the economy. It's impacting the government's ability to do its job in other areas, it's impacting national security."

Holes in cybersecurity even extend to critical infrastructure. Authorities are investigating an incident just last month in which an unidentified hacker electronically manipulated the water treatment system of the city of Oldsmar, Florida, increasing the level of sodium hydroxide, or lye, by a factor of 100. The act of sabotage was thwarted by a worker who caught the change.

Henry hopes the White House will take measures to educate on the importance of good cybersecurity practices.

"I think that there's a lot that the executive branch can do to help people get their arms around it and to help develop a culture of security and getting people to understand the risk that they face," Henry said, "to get people to understand the national security implications of these types of attacks. We haven't done enough as a country, to frame that, and to execute upon it, and I think that we absolutely, positively need to do it."

Others, even within the insurance business, saw a need for more executive or legislative action to promote better cyber awareness in tandem with the surge in popularity of their industry.

"While I do believe that the cyber insurance market has a positive effect on buyers, I don't believe that the insurance industry can be the sole mechanism for improving cybersecurity standards," David Wasson, Cyber Practice Leader at Hays Companies, told Newsweek. "I do think there are some ways that they can complement or supplement each other for the overall good though."

And there are signs Washington has begun to heed the call.

FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft President Brad Smith testify during a Senate Intelligence Committee hearing on Capitol Hill on February 23, in Washington, D.C. The hearing focused on the 2020 cyberattack that resulted in a series of data breaches within several agencies and departments in the U.S. federal government. Drew Angerer/Getty Images

One way in which the government has taken the initiative is with the establishment in 2018 of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. CISA was among the first agencies to respond to the SolarWinds attack, and it has since sought a more proactive role.

"Cybersecurity is a shared responsibility for which both the public and private sectors have a role to play," a CISA spokesperson told Newsweek. "CISA provides voluntary programs and services across government and critical infrastructure based on a comprehensive understanding of the evolving risk environment to help organizations manage risk and protect their networks."

This blend of public and private participation is envisioned to act as a multi-tiered shield against cyber attacks.

"We encourage organizations to implement a layered defense, utilizing resources from the federal government, commercial vendors, or their own capabilities," the CISA spokesperson said. "While organizations outside of the federal government work with CISA on a voluntary basis, many in the public and private sectors choose to do so because they find value in the exchange of information and support and services we provide."

Companies are becoming increasingly cognizant of the impalpable yet consequential threats they face from potential cyber attacks. They are seeking security, a service the government alone cannot provide.

"There is certainly a growing realization that you have to have good security around data, or many companies do run the risk of being financially liable," Cyber Threat Alliance President and CEO Michael Daniel told Newsweek.

He laid out what he called a "triangle" of cyber defense factors: privacy, security and safety, the things "people care about."

Without the proper investment of attention and resources, all three are at risk, and he hoped cyber insurance could be part of the solution.

"Certainly there's the promise of insurance helping to drive better adoption of cybersecurity practices," Daniel said. "And I certainly think that needs to be a part of any effort to raise the level of cybersecurity across our digital ecosystem."