Insight by Summit 7 Systems

Cyber insurance is no longer the answer; look to NIST 800-171 and CMMC 2.0 to mitigate cyber risk

As the cyber threat to both the public and private sectors continues to grow, many contractors in the Defense Industrial Base have looked to cyber insurance as the easiest path to mitigating that risk. This has become increasingly difficult as both the threat and the nature of cyber insurance itself continue to evolve. This leaves contractors with what seems like a choice: Either focus on what feels like a distinct set of cyber regulations and...

READ MORE

As the cyber threat to both the public and private sectors continues to grow, many contractors in the Defense Industrial Base have looked to cyber insurance as the easiest path to mitigating that risk. This has become increasingly difficult as both the threat and the nature of cyber insurance itself continue to evolve. This leaves contractors with what seems like a choice: Either focus on what feels like a distinct set of cyber regulations and requirements, or expand their aperture to think about mitigating risk. However, the reality is that these two choices may have more overlap than most people realize.

“Intuitively, on the surface, cyber insurance feels like a much smarter way. The problem is, that security doesn’t really work the way that traditional risk works,” said Jacob Horne, chief cybersecurity evangelist at Summit 7, following a recent webinar with other industry thought leaders. “The way insurance policies were being written, an of aggregated risk in the ecosystem, ad the types of coverages that were being granted, led to a situation where there was a lotnd when something like ransomware outbreaks or other large incidents occur, the insurance coverage has started to kind of ‘break down,’ if you will.”

For example, Horne said, attribution plays a large part in the cyber insurance process. But when nation-state actors get involved, attribution becomes a much trickier business with geopolitical, diplomatic and even legal implications. Not only are federal agencies more hesitant to point the finger definitively at near-peer adversaries, but there are also a number of legal questions around what constitutes an act of war in the cyber domain, because insurance companies don’t cover acts of war. Until Congress or the courts set some boundaries or legal precedent, the issue will remain murky.

Another issue is that many companies do not get enough insurance coverage. Most companies do not advertise the details of their cyber breaches or recovery process for obvious reasons. But Horne said studies have shown that the average cost of recovery for a ransomware breach is roughly in the low millions; most contractors only have coverage for around $500 thousand to $1 million. And coverage amounts are actually getting smaller as the requirements for insurance simultaneously become more onerous. This makes it extremely tough when the majority of companies, for example in the Defense Industrial Base are small businesses without the resources or the expertise to implement stringent cyber standards in-house.

And that, of course, assumes there are standards at all.

“As of right now, there really is no standard that the insurance companies use to evaluate companies for coverage,” Horne said. “There is a landscape of different frameworks — compliance frameworks, control frameworks — out there. The Defense Department is leading the way for companies that are downstream in the federal government; the National Institute of Standards and Technology Special Publication 800-171 is the standard the DoD is requiring companies to implement.”

DoD’s Cybersecurity Maturity Model Certification requires contractors who want to work with the DoD to implement the standards set out in NIST 800-171. It’s important to make the distinction that CMMC 2.0 is not a different framework. It is simply a requirement for contractors to adopt the framework, and a third-party assessment process to verify that adoption.

But NIST 800-171 was never intended to be a tutorial of how to establish a security program. Herein lies the problem.

“As we [Summit 7] have found out over the last several years, most of the companies in the DIB, and most of the companies downstream from the federal government, are small businesses that do not have information security programs. So they are being required to implement something that assumes you had a program. It is almost like starting on third base in baseball terms,” Horne said.

NIST 800-171 does map very heavily with other cybersecurity frameworks, many of which are based on the NIST technical controls. The 800-171 framework was designed as a starting point, and is certainly not a waste of time for contractors to implement. For small companies that are most likely already outsourcing their managed IT services, it is probably a good idea for them to outsource security as well to get a leg up on these efforts by implementing the standards already in place.

The key, Horne said, is to ask a service provider about NIST 800-171A. This is a separate document, essentially a checklist for assessment day. A security provider should be able to  map their solution functionality to NIST 800-171A in a shared responsibility matrix, explicitly showing which controls their services satisfy. This level of granularity can help organizations ensure that they are meeting the requirements for NIST 800-171, CMMC 2.0 and cyber insurance all at once, while drastically improving their security posture.

“The general trend for cyber insurance is that it is becoming less and less of the easy button that IT people have thought it to be,” Horne said. “Now that that alternative is eroding in its effectiveness, contractors have to go back to implementation management with NIST 800-171. Under the hood, it’s all very similar. New and old frameworks and requirements — they are all pretty universal.”