A Cyber COFR?

While Russia continues to wage war in Ukraine, sectors of U.S. critical infrastructure could increasingly become targets of Russian cyber aggression. As noted by John Dermody, former deputy legal advisor to the National Security Council, “Past incidents demonstrate that Russia, whether by itself or acting through proxies, may target the private sector to exert pressure in the middle of an international standoff.” This comes on the heels of a banner year for malicious cyber activity, with annual global damages measured in trillions of dollars. In particular, the most common attack vector was compromised credentials, a consequence of the increasing reliance on cloud computing and remote access. The adoption of cloud computing and remote work increased productivity, but it also introduced several vulnerabilities into an already risk-prone system. In an increasingly complex operating environment with advanced threats, critical infrastructure sectors could benefit from a regime that makes it possible to monetize cyber risks while also incentivizing the development of standards, cross-sector information sharing, and response capabilities to build resiliency.

Many offensive-minded threat actors and criminals utilize ransomware to disrupt operations for financial gain. They assess their targets through two lenses: (1) operational imperative—they look for institutions or organizations whose business models or services require that they remain operational, such as education, health care, utilities, transportation, or financial sectors; and (2) low resourcing—they try to identify targets with limited capability and capacity to defend against and respond to an attack. Beyond ransomware, cyber threat actors seek to exploit the uneven playing field that exists in cyberspace, so the challenge to policymakers and corporate boards of directors remains: How can they level the field and build their resiliency? Federal regulation is certainly an option, but the regulatory process is slow, and finding the right balance between prescriptive and effective performance-based regulation is challenging. Another option is to look for examples in other sectors of the economy that faced unique or novel threats and how the risks were mitigated.

Lessons from OPA-90

In March 1989, Exxon Valdez ran aground while transiting Prince William Sound, spilling roughly 11 million gallons of crude oil. In response to the severity of that disaster, and recognizing the frequency of spills, Congress quickly drafted the Oil Pollution Act of 1990 (OPA-90), and President Bush signed it into law. The law was transformational in how it monetized and transferred operational risk through legislation. Previously, insurance had been portrayed as a market alternative to regulation; in the case of OPA-90, however, legislation created a market for insurance, which then served in a sense as an alternative to regulation. OPA-90 unified disparate liability provisions from various existing laws and created a freestanding and comprehensive liability regime that identified the responsible party (RP) and held the RP accountable for three classes of costs: response and cleanup costs, damages to private property, and damages to public natural resources. This “polluter pays” regime was on display during the Deepwater Horizon response, where British Petroleum quickly accepted the designation as the RP and committed to pay for the cleanup and claims beyond the statutory limits of liability. In addition to requiring RPs to cover response costs, OPA-90’s natural resource damage provisions were an innovative and effective way to deter marine pollution and provide for the restoration of injured ecological resources.

The federal regulations developed under OPA-90 specified applicability, the requirements of a compliant certificate of financial responsibility (COFR), minimum coverage amounts, and enforcement procedures. The relatively strict financial requirements imposed on marine transporters helped ensure that polluters, rather than the public, paid if damage was caused. Oil pollution liability differs from other forms of liability in that the full cost burden falls on the RP regardless of whether the spill was the result of negligence, intentional activity, or an accident.

When OPA-90 became law, vocal corners of the oil industry widely criticized the liability regime. They warned that the law would threaten oil supplies to the United States. They feared the financial risk to shippers would scare away suppliers and fundamentally change the petroleum supply chain. They claimed this would drive up oil prices, hurting the American economy. Despite the hype, their fears did not come to fruition. The flow of imported oil was not reduced, though in the early years following OPA-90’s passage, several oil companies shifted their oil shipments from their own fleets to chartered vessels. Many also initially shied away from deliveries of crude and heavy fuels because they were difficult to clean in the event of a spill. OPA-90 was a catalyst that drove industry to develop and exercise more comprehensive in-house inspection regimes on their vessels, as well as improved engagement with and oversight of their chartered vessels. Though not solely attributable to the extensive liability provisions assigned to the RP within OPA-90, in the first 20 years after the law’s passage, oil spills from domestic tank barges plummeted by 99.6 percent. These results were even more impressive because they were achieved within the context of an expanding economy that featured increased offshore oil production and transportation in the United States. As noted in a 2010 hearing before the Senate Committee on Environment and Public Works, small and medium-sized companies transport a majority of petroleum through the United States. For them, COFRs and insurance are affordable because of mutual insurance and reinsurance. Individual owners’ claims are not secured by a single insurer but are spread across a collection of insurers. The key is identifying the right limit of liability that sufficiently covers most losses but does not place insurance out of reach.

Cyber Insurance?

Though many insurers offer cyber policies and riders, few cybersecurity policies provide policyholders with coverage for the physical impacts of a cyber incident, nor do they provide insurance to protect the public from the effects of a cyber disruption. Just as a ship spilling oil has public consequences, so too does the loss of a utility or critical infrastructure. Since 2012, the Cybersecurity and Infrastructure Security Agency (CISA) has engaged critical infrastructure owners and operators, the insurance industry, chief information security officers, risk managers, and academia to analyze the insurance market’s potential for encouraging businesses to improve their cybersecurity in exchange for lower premiums. Despite over three decades of data and experience, insurers and reinsurers maintain some concerns about capacity within the insurance market for comprehensive cyber coverage. Should the trendline of cybercrime and attacks continue to climb, the likely result would be an increase in the demand for coverage, which could exhaust available capacity. Increased demand, coupled with increased potential payouts, could drive up the cost of insurance. The higher costs could disadvantage smaller operators.

Despite those concerns, Vishaal Hariprasad, the CEO of cyber insurance company Resilience, has been bullish about the role the insurance market should play in building improved cyber defense and operational resiliency. In a White House discussion on ransomware, Hariprasad said, “The insurance industry is uniquely positioned to have a mutual stake in the fight against ransomware. We want our companies to be stronger, more cyber resilient, when partnered with us. If our clients get hit, the insurance pays that loss. Our client’s cyber risk is our cyber risk.”

To manage that risk, the insurance industry has several tools at its disposal. As the marine insurance industry did with tank ships and barges after OPA-90, the insurance industry can put financial incentives in place to change operators’ behavior toward prevention, preparedness, and resilience. Specifically, insurers can establish and regularly update security standards for their policyholders to follow, and they can do this at a much more rapid pace than government rulemaking. Insurers can take steps to curb and disincentivize ransomware targeting their policyholders. Targets are often chosen not for who they are, but for what cyber vulnerabilities they possess and their need to continue to operate. Victims with good cyber insurance may pay less in ransom because the insurers provide technical and legal experts to help identify the best method of recovery through forensic services, incident response, legal expertise, repairs, and recovery. A hardening and maturing cyber insurance market will steadily raise the bar for cybersecurity across all industries. Responsible cyber insurance can both insure and secure, by transferring and mitigating risk through incentives that keep insured operators up to date with an ever-changing threat landscape. Further, cyber insurers can help organizations identify external risks. According to Annie McIntyre of the energy services company EverLine, cyber insurers are looking increasingly at third-party vendors and supply chain connection points for vulnerabilities. They are identifying cyber vulnerabilities not only within the insured company, but also within the vendors who support and equip the critical infrastructure systems.

According to Tim Finan, senior cyber broker at Willis Towers Watson, insurers are mandating that their insureds have multiple cyber controls in place, and they are requiring the insured to develop and exercise comprehensive response plans, business continuity plans, and network segmentation before agreeing to cover ransomware. Individual insurers are taking these preventative steps both to help protect their policyholders and to buy down risk. With adequate market incentives, these measures could be spread across a much larger insurance pool and adopted by many more insurers, at scale.

A Mandate?

OPA-90 was transformational in how it monetized and transferred risk through a unified liability regime because it mandated that companies moving petroleum products across U.S. waters maintain adequate insurance. This leveled the playing field across shipping companies and created a viable market base for insurers. The same concept could be applied to cyber insurance. Congress could pass legislation requiring critical infrastructure organizations to carry appropriate cyber insurance policies. CISA should oversee compliance with this requirement by validating each company’s cyber COFR, much as the Coast Guard, through the National Pollution Funds Center, validates commercial shipping COFRs.

OPA-90 created a market opportunity for the private sector to develop and employ extensive oil spill response capabilities. Oil spill response organizations (OSROs) entered the market and provided services that enabled industry responses to spills. Should Congress require critical infrastructure companies to carry cyber insurance, a similar market would develop for private sector cyber response organizations (CyROs) to provide comprehensive cyber incident response services. Much as the Coast Guard certifies OSROs, CISA should be designated the certification authority for CyROs.

Despite the best layered defenses, cyber incidents will happen. However, lessons from how the U.S. public and private sectors responded to the Exxon Valdez can help chart a path forward to build resilience in the sectors of the economy most at risk from cyber incidents because of their need to maintain operations. In March, President Biden signed the Strengthening American Cybersecurity Act of 2022, which placed new requirements on reporting cyber incidents. This law is a key step toward enhanced information sharing to bolster cyber defenses. However, it is not a panacea. To complement CISA’s authorities, mandatory cyber insurance for critical infrastructure organizations can provide a private sector, market-driven incentive for the full gamut of cyber preparedness—not just reporting, but also prevention, response, and continuity of operations.

Brian McSorley is a military fellow in the International Security Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2022 by the Center for Strategic and International Studies. All rights reserved.