From Ransomware to Nation-State Attacks: Insights on Cyber Insurance with Matt McCabe

Jul 17, 2024 | 21 min | Season 1, Ep. 28

Episode description

In this episode of Cyber Focus, Frank Cilluffo explores the evolving landscape of cyber insurance with Matt McCabe. McCabe shares the history, current state, and future challenges of cyber insurance, emphasizing its critical role in national resilience against cyber threats. The discussion covers the fundamental coverage aspects of cyber insurance, the impact of ransomware, and the need for a federal backstop for catastrophic cyber incidents. McCabe also touches on the importance of collaboration between industry and government to enhance national cyber resilience.

Main Topics:

  • Evolution of Cyber Insurance
  • Impact of Ransomware and Coverage Aspects
  • Market Growth and Nation-State Attacks
  • Challenges, Solutions, and Federal Backstop Framework
  • Future of Cyber Insurance and National Security

Key Quotes:

"Ransomware democratized cyber risk and cyber threats because the reality is everyone has got a bullseye on their target to one extent or another." - Frank Cilluffo

"Cyber insurance routinely covers acts by nation-states, but the magnitude of losses is sometimes too great for the industry to absorb." - Matt McCabe

"This is not an insurance industry issue. This is a national economic security issue." - Matt McCabe

"There's no building... resilience after the fact. The time to do it is now. Ultimately, if we were to have the incident, the government would be involved... But if you're doing it after the fact, it's a hurried response. It tends to increase the risk of waste, fraud and abuse." - Matt McCabe

Relevant Links:

https://www.guycarp.com/
https://www.cisa.gov/
https://home.treasury.gov/policy-issues/financial-markets-financial-institutions-and-fiscal-service/federal-insurance-office/terrorism-risk-insurance-program

Matt McCabe is the Managing Director at Guy Carpenter, specializing in cyber risk and insurance. With extensive experience in the industry, McCabe has served in various roles, including on Capitol Hill for the House Homeland Security Committee and in the Bush White House. His expertise lies in bridging the gap between cyber risk and insurance, contributing significantly to national discussions on cyber resilience.

Transcript

Frank Cilluffo

Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and today I have the privilege to sit down with a longtime friend and colleague, Matt McCabe. Matt is a managing director at Guy Carpenter, and we're going to have a conversation around cyber and insurance. And prior to Guy Carpenter, Matt served in various roles in the industry. And prior to all his industry roles, he served on Capitol Hill, where he was one of the staff leads for Peter King and the House Homeland Security Committee. He served in the Bush White House. And also, I just learned today, the Southern District of New York. So stay tuned. Looking forward to our conversation today. Matt, thank you for joining us today.

Matt McCabe

It's a pleasure to be here.

Frank Cilluffo

No, we literally just came straight off a congressional hearing around cyber and insurance, and loved what you had to say. So really excited to be able to dig a little deeper. Still feeling the tingles of an oversight hearing. Exactly, exactly. So I thought it might be helpful, just because some of our viewers and listeners may not have a sense of what the cyber insurance market looks like, what it is, to sort of just give us a little bit of a level setting on where we are today.

Matt McCabe

Sure. So cyber insurance as a product is about 25 years old. It was a product that evolved with, of course, the Internet and technical risks. And, you know, I think in the very, very early days, it was more about the stability of websites and how they were carrying out, more or less an errors and omissions policy. With the aggregation of data, data privacy really became an issue and cyber insurance started to take off as retailers and financial institutions became collectors of data who had to protect it and would face liability if there was unauthorized access to it. And then came the dawn of ransomware that made the value of cyber insurance relevant to a whole bunch... Exactly. Straight through the roof. Relevant to a whole bunch more sectors who weren't data aggregators, but realized that they now have a very real cyber risk that they had to defend against.

Frank Cilluffo

You know, I often say ransomware democratized cyber risk and cyber threats, because the reality is everyone's got a bull's eye on their target to one extent or another. So how would the insurance sector help all boats rise? What can you do to help, A, your clients and, B, even though it's not your role to help the country, I think in the grand scheme it can.

Matt McCabe

Yeah. There's no doubt that cyber insurance provides tools and incentives that help companies prepare cyber resiliency and to navigate through cyber incidents. I think first, maybe just touching base on what cyber insurance covers. And I would split that into three different buckets. The first one is you've had a cyber incident and you've got out-of-pocket costs. That means hiring the experts for a forensic investigation, hiring legal services. If you have a data breach, the privacy services that you have to give to your customers that you've collected data on, and that can be credit monitoring, that can be fraud protection. If you've had a ransomware incident, that can be the cost of the extortion. It's everything that happens in the aftermath of that cyber incident that you have to pay for. The second bucket would be you've had that cyber incident and now your business is disrupted. It can be the income that you've lost and any extra expenses to keep your business going. So if you've had to bring on extra services to run your business manually, whatever that cost might be, it's a very broad term, but whatever the extra expense to continue your business, that can be covered by cyber insurance. And then the third bucket would be litigation. If you're sued because of that, and this is of course very common with data privacy, if you're sued because of the cyber incident, then the policy will cover those costs as well.

Frank Cilluffo

So it covers a whole bunch of different areas. And the reality is, how is it different from a kinetic or a physical one when you think about cyber?

Matt McCabe

Yeah. Typically there are exclusions in a cyber insurance policy that deal with property damage or bodily injury, because those already exist in other policies. So if you have a property policy and there's a cyber incident that leads to something like a fire or an explosion, the damage from that or the bodily injury from that should already be covered underneath that policy. This is really your digital risk that we're talking about. And the two come together.

Frank Cilluffo

They should, right? Yeah, yeah, yeah. And how big is the market right now?

Matt McCabe

So the estimate on global written premium for cyber insurance is about $15 billion. That doesn't make it one of the largest lines of insurance, but it is one of the fastest growing lines of insurance.

Frank Cilluffo

And when both of us brought this up in different ways in the hearing today, there are going to be exclusions with bad actors. So no business went into business thinking they had to defend themselves against foreign militaries, foreign intelligence services. But that is in part the reality today. How would you envision? Do we need something along the lines of the Terrorism Risk Insurance Act, TRIA, or a backstop of some sort for the federal government to step in if and when, and only if and when, a catastrophic incident occurs? What are your thoughts on that?

Matt McCabe

So we'd love to address that. But first, I'm going to be a bit of a myth killer. It is not the case that cyber insurance will not cover acts by nation states. As a matter of fact, cyber insurance routinely covers acts by nation states. There's just some acts where the magnitude of the losses is so great that the insurance industry simply is not in a position to absorb that. And one of those is the war exclusion. That if there is some type of armed conflict that cyber insurance is associated with, the expectation is that cyber insurance... you could picture the very origin of war exclusions was about the magnitude of losses, and they exist on property policies and marine policies. And that's true for cyber insurance policies as well.

And that really brings us to the proposal for a federal framework about, if there is a cyber insurance loss, an incident with a magnitude so great that it would be beyond the insurance industry's ability to cover, how are we going to respond to that as a nation? And I would say that it takes two different paths. One is that companies tend to be underinsured because of the size that the market still is. So there was some testimony at the hearing today that most companies are underinsured.

If you look at what their high-end event could be from a cyber insurance event, it's not perhaps ascertainable for them for one reason or another to get enough insurance to cover that limit. It might be that, sure, the insurance is out there, but at some point you reach limits to such a height that it just becomes financially unreasonable to make that economic risk transfer. The second part of that, though, is the uninsured loss. And that's when we start talking about the war exclusion.

And the second exclusion that's relevant to this is attacks against critical infrastructure. So you could see if there were telecommunications providers that were brought down and therefore there's no Internet access throughout the country. Or you could see if there are power utilities that are brought down. Everybody relies on power. There's a whole bunch of these single points of failure that will often be collected within a critical infrastructure exclusion simply because the magnitude of that loss is just too great.

Frank Cilluffo

And all of our infrastructures, the interdependency is a bit of a challenge as well. Do we have the actuarials to even ask the smart... Do we know enough to ask the smart questions at this point?

Matt McCabe

You know, the insurance industry sure tries. I mean, there's constant tracking of aggregation of limits being put out because it's their economic livelihood. So there's examination for single points of failure. There's constant critique of, if there was a systemic event that impacted multiple insureds in one fell swoop, what would be the bottom line? And there's, of course, the industry I work in, the reinsurance market, that is supposed to help insurance companies manage their own risk exposure by further distributing that risk. But there's also just the recognition, that works through exclusions, that there are some risks that cannot be matured.

Frank Cilluffo

Which in a kinetic environment exists too. Yes, doesn't it? Yeah, I mean...

Matt McCabe

But I think it goes... It certainly exists in the kinetic environment, but it's the realization, and you know, from the Tallinn Manual, that cyber operations can reach a point where the impact is as great as kinetic warfare. And therefore the concept of cyber warfare is born.

Frank Cilluffo

So, like, take Volt Typhoon, something that's on the top of a lot of people's minds right now. How would we, how should we think about that from an insurance perspective? Because those were critical infrastructures that could be stymied in the event of a national crisis or emergency or something popping in Taiwan.

Matt McCabe

Yeah. So like every claim in the insurance industry, it depends on what happens and how it happens. For the scenario that you're putting forth, let's say that there is a conflict in Southeast Asia and critical infrastructure in the United States is targeted to impede our military response to project power, deploy forces, whatever it may be. I think for the most part, the insurance industry would consider that a cyber operation as part of war and would tend to exclude that. I don't want to say that that's universal throughout the insurance industry, but that would be the majority opinion.

Frank Cilluffo

It's the real world we live in today. And this is sort of... and please dispel any myths I put here, but in the grand scheme of things, you would love to see where government can bring to the fight what it does best. And that's largely intelligence, and that's largely going to be on the response side and what have you. And then what industry can do best. And if you look at previous models, whether it's anti-piracy or even security, the insurance sector played a big role in raising all boats, and then anything above and beyond that, that's the area where perhaps it's beyond any company's wherewithal to address. Does that sort of make sense here?

Matt McCabe

Yeah. This is a good time to bring out the story of Benjamin Franklin's insurance company that he associated with fire risk in Philadelphia, and how they required certain standards for building.

Frank Cilluffo

Just building codes. Yeah, we're in firefighting mode. We're not doing fire prevention enough in my eyes. Maybe that's changing thanks to some of the work you guys are proposing.

Matt McCabe

You know, the fire prevention for the cybersecurity story is really about what companies do every day. And a lot of that does get built into the insurance underwriting of saying, what are you doing? How are you protecting yourselves? And as there was discussion at the hearing, there comes a point, for example, when ransomware was peaking in 2019, that potentially companies would be deemed uninsurable if they weren't fulfilling some security standards. And some of those big ones you can picture were multi-factor authentication or EDR. Some of these just basic essentials, that you're not going to be able to get a policy because we consider you too high of a risk. Do you deny policies? I'm a broker, so I don't deny. You don't. But industry companies take a pass. Absolutely. It's... There's not a price for everything.

Frank Cilluffo

But we are getting to the point that we have enough to paint a picture of what we know and don't know. Is that fair? Because, I mean, when you look at... it's been a tough year from a supply chain... a tough decade from a supply chain perspective in a post-Covid environment. And then you had literally the proliferation, and I do think it's had epidemic proportions, of ransomware. But I think it started... it's pretty much leveling out right now.

Matt McCabe

Yes. No, I think that the insurance industry is doing a great job appreciating the threat. They've learned a lot of lessons over the last decade and they're writing to it maturely. But to get a little Rumsfeldian to you, there's the unknown, unknown...

Frank Cilluffo

Known unknowns. And then there's the unknown unknowns. And we get into the catastrophic talk.

Matt McCabe

We have to think about what are the unknown unknowns, how large of a catastrophic incident could we have? And that's kind of a concept of our actuarial imagination at this point. We have to draw up those scenarios, just like we did in the early days of Homeland Security, of what are the catastrophic scenarios that could happen next to the country and how do we prepare for that?

Frank Cilluffo

You raise a great point. And some shared scar tissue we have going back many years. But what would this framework, backstop, whatever terminology we want to use... What would it look like and what would it take for it to succeed?

Matt McCabe

Yeah, the devil is in the details and there's not cohesion in the market about what those details should be. It's not like we have a piece of legislation that you're responding to. But I do think that there are some key components that most in the industry would agree to. One would be that attribution really shouldn't be part of it, because it's always going to be argued and it's relatively irrelevant. Right? If we've had a cyber incident of such a great magnitude, the impact is there. At the end of the day, who cares if we can link it back to a nation state or not? We still have the problem that we have to deal with. You know, a lot of comparisons go between TRIA and the framework that is currently being discussed for proposal. You know, TRIA responded to a very specific set of circumstances following 9/11, where it needed to happen in order to get building in urban areas back on track. Whereas here we're kind of going through a planning exercise. Right? Eisenhower said that plans are useless, but planning...

Frank Cilluffo

Planning is indispensable. Yeah.

Matt McCabe

So I would say, certainly for myself, and I think that's reflected within industry, this would really be a voluntary program, that we're not forcing insurers into it. Insurers who don't want to be a part of it shouldn't have to be a part of it. It shouldn't be a hard-handed government effort. But I think what we are looking at is the government has a role, and it has a role in several different types of risks. Terrorism is one, floods another, nuclear is another, where it becomes the reinsurer of last resort, that there are some problems so big only the government can handle it. And what we have the imagination to say now is cyber is going to be one of those issues, or at least it could be one of those issues. So let's plan what that looks like. And part of that planning is going to be, is industry going to have a share of that risk? Is it going to still remain on our books, or are the covered companies going to be sharing in that risk? And there's setting the ceiling of, okay, you're going to have to pay losses up to such an amount, but beyond that, what we would call the loss ratio percentage, that's where the federal framework would kick in. That would be the backstop support, and the government would have to absorb costs.

And the benefit ultimately would be, as I see it, this is not an insurance industry issue, this is a national economic security issue, that if you don't have some mechanism for risk sharing, ultimately this risk, this potential impact, lands on the companies, lands on the private sector, lands on US businesses. So let's start that planning now, so they're not facing a catastrophic loss if we have this event.

Frank Cilluffo

And they are on the front lines. They never signed up to be on the front lines. And you know, you brought up President Eisenhower. I'll bring in President Kennedy. His statement was, the time to fix your roof is when it's sunny, not when it's raining. And the reality is we need to have these conversations. We shouldn't be having the conversations after potentially something catastrophic occurs. Right.

Matt McCabe

Yeah. There's no building resistance after the fact, or building resilience after the fact. The time to do it is now. And ultimately, if we were to have the incident, the government would be involved. And we saw that with the pandemic, that there was a response. But if you're doing it after the fact, it's a hurried response. It tends to increase the risk of waste, fraud and abuse. So what's... And missteps. Yeah. And actually not solving the right problem at the time. Yep, yep. Whereas if we can leverage the mechanisms in the insurance industry about claims handling, about how you assess exposure, about where loss ratios should be, we have the opportunity to preplan, and we have...

Frank Cilluffo

The potential to have a really rich picture to see where things are and aren't being addressed. You know, you're a good policy guy at heart. I know now you're an executive, but the truth is, you've been a public servant for a good chunk of your life, and a darn good one. So do you think that this actually could also be not only good for business, but good for our policy and our national security?

Matt McCabe

Yeah, certainly CISA has had some interest in this concept and discussed, great, how can we work with you so that we can include information sharing and what you're observing, and how we can build that into the national resilience? I mean, the entire concept of this is to build national resilience. It's not a gift for any industry. It's just the government saying that there is going to be a guarantee if this incident happens. And based on that, go ahead and set your risk management strategy, which leads to stability. Right.

Frank Cilluffo

That's what people are looking for. Because often you look at a crisis, the fear is sometimes even worse than the crisis itself. Yeah. And to the market. And can have a run on the market. Right. Yeah. It's bringing certainty to times of uncertainty. Matt, what questions didn't I ask that I should have asked?

Matt McCabe

Well, first of all, I do want to say thank you for your comments on being a good public servant, because as you know, once you wear the federal stripes, you never lose them in your heart. So I think a good question is, why is this attention being drawn to cyber insurance? It's very rare that you see federal policymakers summon other lines of insurance up and wonder how can D&O solve boardroom problems, or how can directors and... a mission. Right. So, I mean, I think that the crucial aspect of this is that cyber insurance is really dealing with an emerging risk and a constantly changing risk. The threat vector's always changing. We've got to pivot, we've got lessons learned. And overall, I think that it's a great thing that cyber insurance is being brought into this conversation, because it's a discussion between industry and government. And the insurance industry realizes as much as anybody else that it's going to be a partnership that's actually going to be able to mitigate the risk. And no one can go it alone in this one.

Frank Cilluffo

Matt, thank you for your time today. I know it's been a busy day. We just testified. Thank you for your service over the years, and I really appreciate it. So thank you. It's always a pleasure. It's good to see you. Thanks.

Transcript source: provided by the creator in the RSS feed.