One way the Pentagon could improve the cybersecurity of its supply chain would be through standardized insurance policies that cover cyberattacks, according to a new report to be released today from the Foundation for the Defense of Democracies.
The report, titled “The Time for Cyber Insurance: Coverage Improves Supply Chain Resiliency,” stems from a tabletop exercise the think tank and the brokerage firm Lockton Companies held with former government officials and private sector leaders, using real-world cyber incidents as scenarios.
“The most important finding from the exercise was that ubiquitous application of cyber business interruption (cyber BI) coverage across the Department of Defense’s (DoD’s) supply chain would materially improve supply chain resiliency and reduce unwanted supply chain behaviors throughout the DIB,” the report states.
For a contractor in the defense industrial base (DIB), a cyber disruption can mean a freeze in operations, a failure to perform under contract, or the need to find replacement parts because a supplier has been knocked offline. However, “due to a lack of Defense Federal Acquisition Regulation Supplement requirements, many critical DIB businesses still lack this important coverage,” the report states.
What’s more, traditional cyber insurance models are priced on factors, such as exposure of personally identifiable information or health information, that don’t always apply to defense companies.
Thus, getting insurers, defense companies and the DoD itself on a level playing field is of the utmost importance, Trevor Logan, one of the report’s authors, told C4ISRNET.
He said a contractor may spend a lot of money on a cyber insurance policy only to later discover a breach wasn’t covered in the policy.
“That’s pretty scary stuff,” he said. “There’s not a standardization behind how this process is laid out, but it is ultimately what is going to get us better cybersecurity at the company level, which is better for all of us.”
The report recommends DoD study how cyber insurance across the industrial base improves the security and resiliency of the supply chain.
Logan said potential disruptions can hurt small and medium-sized businesses the most, because those companies may have to cease manufacturing while they notify the insurance broker of the cyber incident. This puts companies in a rough place, jeopardizing their ability to fulfill contract requirements and undermining the reliability DoD needs to get equipment, parts and systems to the operators who need them.
Logan also noted that there needs to be greater clarity about how cyber insurance policies relate to the forthcoming Cybersecurity Maturity Model Certification (CMMC), a tiered cybersecurity framework that certifies contractors at a level determined by the sensitivity of the information they handle and the security practices required for the work they’re performing.
“There are unclear and sometimes conflicting standards and models for cybersecurity, leaving companies – especially the small and medium-sized enterprises critical to the DIB – confused and uncertain,” one of the report’s key findings states. “Some insurance companies are seeking to underwrite to Cybersecurity Maturity Model Certification (CMMC) guidelines. DoD could advocate for this approach (or others) to be included in cyber insurance underwriting and could help socialize these guidelines to the broader DIB.”
He said it would be helpful to clarify how CMMC compliance factors into underwriters’ assessments when they price cyber insurance.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.