
CISA relaunches working group on cyber insurance, ransomware

Following a hiatus, the Cybersecurity Insurance and Data Analysis Working Group will relaunch in December to determine which security measures are most effective to reduce risk.

CISA announced that it's relaunching the Cybersecurity Insurance and Data Analysis Working Group amid surging cyber insurance premiums and an increasingly dangerous threat landscape.

In a blog post Monday, CISA Deputy Director Nitin Natarajan revealed that the agency reestablished the Cybersecurity Insurance and Data Analysis Working Group (CIDAWG) initiative last week during a conference on Catastrophic Cyber Risk and a Potential Federal Insurance Response. Originally created in 2014, CIDAWG comprised cybersecurity professionals who worked in a variety of critical infrastructure sectors as well as insurance companies and other private sector organizations. One goal of the initiative was to aggregate cybersecurity incident data that could be analyzed and shared among enterprises to reduce risks.

While data analysis will continue to be a main component, Natarajan said CIDAWG "will look very different" upon its relaunch in December. He said the working group will aid in determining the most effective security tools to defend against increasingly sophisticated attacks and help improve enterprises' security postures.

"The working group was re-established to create a venue for collaboration and forward progress with industry on topics where we have shared interests -- specifically, understanding what security controls are working most effectively to defend against cyber incidents," Natarajan said in the blog post.

Cyber insurance remains an area of contention because premiums have surged while coverage has been cut back. Infosec experts agree that the cyber-risk assessments required to obtain a policy have improved enterprises' security postures, but many companies lack the resources to meet every insurer demand.

In addition, a lack of sufficient data makes it difficult to quantify cyber-risk in a rapidly evolving threat landscape where attacks have become increasingly disruptive and costly.

"Our nation's critical infrastructure faces serious cyber risks, often accompanied by significant financial losses in the wake of a cyber incident," Natarajan wrote in the blog post. "The digital revolution has brought much good -- connecting humans around the globe in ways we never could before -- however, each new digital tool and platform represents another potential point of failure in an ever-expanding attack surface."

CIDAWG takes on ransomware

One of the most prominent threats Natarajan highlighted was ransomware. According to the FBI's "2022 Internet Crime Report," ransomware attacks increased 60% from 2018 to 2022, and the threat has continued to worsen since.

While ransomware activity dipped in 2022, it came roaring back this year with cybersecurity companies such as NCC Group reporting historic highs in monthly attacks. Not only did activity increase this year, but the threat also evolved. More and more ransomware groups resorted to extortion-only methods to pressure victims into paying the ransom. The extortion reached new levels with ransomware operators directly threatening friends, family members and customers of victim organizations. This also affected cyber insurers, which were forced to adapt to the shift.

Many high-profile cases this year, such as the attacks on MOVEit Transfer customers, involved no ransomware deployment at all; the attackers relied on data theft and extortion alone. More recently, CISA warned about a new dual ransomware attack trend in which victim organizations are hit by two strains, either simultaneously or in close succession.

Cyber insurance plays a vital role in ransomware defense and recovery, but most importantly, in ransom payments. Natarajan warned that ransom demands are increasing, with some exceeding $1 million. Policies will often cover or reimburse enterprises for paying a ransom. That is also controversial because many infosec experts argue that paying ransoms leads to more attacks. However, many businesses can't afford the downtime ransomware can inflict.

On the other hand, insurers will typically negotiate for lower payments, which appears to be increasingly effective. Researchers combing sites on the dark web have observed ransomware operators expressing their frustrations over successful negotiations.

Over the past few years, CISA has dedicated initiatives to fighting ransomware. For example, the StopRansomware.gov website, launched in 2021, and the Joint Ransomware Task Force were created to provide more services, guidance and tools. Those initiatives also aimed to promote more transparency, as underreporting of attacks has been an ongoing problem. Natarajan urged entities to report any cyber attack, including ransomware, to the FBI or CISA "as quickly as possible."

However, Monday's announcement shows that the threat now requires an additional government approach.

"At its core, CIDAWG will be a key part of a larger effort by CISA and federal agency partners to combat ransomware," the blog post said.

Can CIDAWG reduce risk?

Natarajan explained that when the relaunch goes live, CIDAWG will work with Stanford University's Empirical Security Research Group to measure which cybersecurity controls are the most effective. The data analysis is intended to be used by insurers to quantify cyber-risk. CISA will use the information to determine the effectiveness of current efforts, such as the Secure by Design initiative.

While its ability to reduce risk remains to be seen, Sezaneh Seymour, vice president and head of regulatory risk and policy at cyber insurer Coalition, said an important first step for CIDAWG will be defining the value it can add to the industry. Its role as a voluntary central data repository is one potential contribution, she added.

One problem area CIDAWG might address is the lack of historical data available for cyber insurance, which is an issue that's less prevalent for other insurance markets.

"That lack of historical data has led to pricing volatility. Reciprocal, anonymized data sharing under CIDAWG could help strengthen insights for both insurers and the federal government by augmenting the data accessible today and by acting as a repository for longitudinal data," Seymour said in a statement to TechTarget Editorial.

Dara Gibson, cyber insurability services leader at Optiv, also emphasized the role CIDAWG will have in data analytics and identifying methods and services to lower risk. She believes that the results of the collaborative study will provide businesses with effective methods that can be incorporated into risk management programs.

Gibson described cyber insurance as the "financial tool set to offset the cost of a cyber attack." It sets the stage for control mandates because required proactive cybersecurity measures can help mitigate financial fallout.

"Catastrophic cyber events will drain financial and cyber resources, so the results of the CIDAWG working group will provide the nation with resources and concepts that businesses can invest in to be prepared for larger cyber events," Gibson said in a statement to TechTarget Editorial.

In addition to data collection, CIDAWG can potentially help reduce risk by getting enterprises on the same page when it comes to using effective security controls. Dan Palardy, lead actuary at Cowbell Cyber, said the relaunch of CIDAWG confirms what the various cyber insurance players have concluded based on the current landscape.

"Meaningful discussion regarding the trade of cyber insurance risk requires a more coordinated approach to cybersecurity standards of practice," Palardy said in an email to TechTarget Editorial. "Awareness, education and standardization of cybersecurity hygiene are still lacking, most often in the small business segment, and particularly in the uninsured market."

Securing small businesses is important, he said, because "their cybersecurity is vital to the economy." Palardy added that good cyber-hygiene knowledge needs to be extended to more entities to reduce the overall risk.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
