All posts by Tasha Williams

CISA releases long-awaited plan for national cyber resilience

The federal Cybersecurity and Infrastructure Security Agency (CISA) in September released its 2023-2025 Strategic Plan, a response to the increasing vulnerability of U.S. infrastructure to cyberattacks. 

Key Takeaways

  • The plan proposes a framework for defining and managing the federal government’s role in mitigating cyber threats to national security. 
  • CISA aims to foster a cross-agency and “whole-of-nation” approach to risk management and resilience.  
  • Implementation and outcomes can have implications for cyber insurance markets.
  • Two federal engagement requests have been issued to get feedback on creating a regulatory path forward.

Cyber resilience in the current digital ecosystem requires a new mindset.

CISA’s plan arrives in a rapidly transforming threat landscape in which the cybersecurity mindset is duly shifting from “Are we vulnerable to attack?” to “When a breach happens, how can we spot it, contain the damage, and recover as fast as possible?”  

Businesses across all sectors have seen a rise in the frequency of breaches. Hackers are using sophisticated tactics to expand the reach of ransomware to third or fourth parties, such as supply-chain partners. Estimates of organizations attacked in the last year range from 60 percent to as high as 86 percent, probably because dormant ransomware can remain undetected for a while and many organizations are hesitant to publicize or divulge incidents.

Organizations involved in critical infrastructure – such as the military, hospitals, financial institutions, and supply chain providers – can be enticing targets for bad actors. The 2021 Internet Crime Report from the FBI reveals at least one organization in 14 of 16 critical infrastructure sectors experienced a ransomware attack that year. Data indicates that cyberattacks against US ports and terminals are increasing.

In response to the rising threats, CISA Director Jen Easterly announced earlier this year, “We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim.”  

The “whole of nation” strategy – the agency’s first plan since its creation in 2018 – proposes a unity of effort framework, while drawing upon the CISA Strategic Intent from August 2019, to lay a foundation for the agency’s work ahead and incorporate four core goals:  

  • “Cyber defense against threats to National Critical Functions;  
  • Risk reduction and resilience; 
  • Operational collaboration using a “whole-of-nation” approach; and 
  • Agency unification.” 

Loss ratios for cyber insurance are down, but challenges are still mounting

Cost-effectiveness remains elusive, despite the growing demand for cyber risk coverage. Data from S&P Global indicates that after three years of steady climb, loss ratios decreased from 75% in 2020 to 65% in 2021. However, contributing factors continue to wreak havoc, including increased frequency and severity of cyber-attacks, rising associated breach costs and liabilities, and the lack of historical incident data necessary to assess and price risk. As liability coverage for critical infrastructure sectors poses further challenges to risk mitigation, some insurers opt out of providing coverage to these entities. 

To build a foundation for risk assessment, CISA aims to create a regulatory path for the data collection mandate of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The legislation prescribes reporting of major cybersecurity incidents (within 72 hours) and ransomware payments (within 24 hours of payment). However, not every organization in a critical sector will automatically be required to report, and a formal enforcement framework for those expected to comply appears to be as yet undefined.

CISA and FIO solicit feedback on forging a path towards national cyber resilience.

To foster collaboration between the government and private sectors while facilitating the implementation of CIRCIA, CISA recently issued a Request for Information. The list of reporting parameters up for public commentary includes how organizations may be defined as a “covered entity” (thus required to report incidents) and constraints and best practices around sharing of incident information.  

Another example of the cross-agency and “whole-of-nation” effort outlined in CISA’s plan can be seen in a request for comment recently issued by the Department of the Treasury’s Federal Insurance Office (FIO). This public engagement sprang from a June 2022 GAO report recommendation. The FIO is asking for feedback on “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.” The agency welcomes information on gaps in other federal cyber risk initiatives, such as the SEC’s proposed cyber incident reporting rules, the Terrorism Risk Insurance Program (TRIP), and CISA’s cyber incident reporting RFI.

Triple-I remains committed to advancing Cyber Awareness and supporting conversation about pertinent insurance trends and issues. For further reading, see our Issues Brief and stay tuned to our blog. 

Report: Traditional Reinsurance Capital Declining

By Max Dorfman, Research Writer, Triple-I

A recent AM Best report finds that traditional reinsurance capital will decrease by approximately $40 billion by the end of 2022, lowering the total to $435 billion. This 8.4 percent decline comes after substantial increases of 15.5 percent for 2019, 8.9 percent for 2020, and 10.7 percent in 2021. The figure incorporates the upturn of the underwriting market and the downturn of the capital and investment markets, with continued geopolitical unrest and the possible decline in global GDP also considered. 

“With interest rates on the rise and equity markets declining, we do anticipate a rather substantial mark-to-market loss in traditional reinsurance capital levels,” said Dan Hofmeister, Senior Financial Analyst at AM Best. Reinsurance capital, working in the opposite direction, has been boosted by underwriting results in spite of heightened catastrophe loss activity in the first half of the year, he said.

Additionally, the report includes a 10-year record of third-party reinsurance capital levels and a prediction that overall third-party capital will remain stable at approximately $95 billion for 2022 compared to $94 billion in 2021.

With traditional and third-party capital together, the report predicts a 6.7 percent decrease in reinsurance capital from both sources, which would constitute the first decline in a decade, as recorded by AM Best.

Florida is emblematic of these struggles

Declines in the U.S. equity market have created capital supply challenges for some insurance-linked securities funds. However, the AM Best report stated that the pullback of traditional reinsurance in catastrophe-exposed markets like Florida could create opportunities for Insurance-Linked Security (ILS) funds. The report states that ILS funds can take advantage of significant price increases and tighter terms and conditions, if traditional capacity is restricted.

Still, Florida continues to be a hotspot for property/casualty losses, with the Triple-I finding that the state’s insurance marketplace has been beset by severe levels of fraud and litigation, driving the crisis in the state’s homeowners insurance market. The analysis concluded that the annual cost of an average Florida homeowners insurance policy could increase to $4,231 in 2022.

Reinsurance capital then provides a significant proportion of these costs that are directed to attorney fees and adjusting firms. Additionally, fraud related to roof replacement claims and other construction-related matters continues to increase the reinsurance bill in Florida.

“Floridians pay the highest homeowners insurance premiums in the nation for reasons having little to do with their exposure to hurricanes,” said Sean Kevelighan, CEO of Triple-I.

With the threat of decreased capital for reinsurers and the markets in places like Florida experiencing turmoil, reinsurers are actively reviewing their strategy.