With cyber attacks, the cybersecurity executive order, and Senate confirmations dominating the news, a crucial development has flown under the radar: the National Institute of Standards and Technology’s (NIST’s) preliminary draft NISTIR 8374 offering guidelines to help organizations manage ransomware risk.
This draft framework is extremely important, as ransomware attacks have increased in frequency and intensity over the past few years. To put it in perspective, the global cost of ransomware attacks is expected to exceed $256B within the next 10 years, and the U.S. Department of Justice has recently decided to treat ransomware like terrorism.
Ransomware’s Effect on Cyber Insurance
Right now, it’s nearly impossible for companies to obtain meaningful cyber insurance, which was traditionally used as a risk management tool for low frequency, high impact events. Today’s high frequency, high impact ransomware attacks are crippling the insurance industry. As a result, cyber insurance has shown itself an unsustainable business, with many insurance companies either increasing carve outs and exclusions or eliminating coverage entirely.
As a risk management tool, cyber insurance is becoming less accessible. Without insurance as a safety net, organizations that lack minimum cybersecurity standards (e.g. multifactor authentication [MFA], data backup and restore procedures, and incident response processes) are left completely exposed. To that point, Security Boulevard reported that MFA would have prevented the recent Colonial Pipeline breach.
Standardizing the Insurance Industry
This new NIST standard could make a big difference, by:
- Helping companies prepare for ransomware attacks, and
- Giving insurance carriers the evidence needed to provide coverage.
Using the NIST standard as a baseline, insurance companies could adopt a consistent framework that defines what is required for organizations to qualify for, and maintain, cyber insurance coverage.
With a framework in place, we could use the associated set of standards to measure how effective our cybersecurity practices are, and make universal adjustments to improve cyber readiness across the board. Over time, measuring against consistent standards will allow the insurance industry to establish a set of much-needed actuarial data, similar to what exists for other forms of insurance.
Telos to Support NIST’s Preliminary Draft NISTIR 8374
Thank you, NIST, for being proactive and offering expert guidelines that can, at the very least, help organizations take the necessary steps to protect themselves against the crippling effects of ransomware. At Telos, we are committed to supporting the development and evolution of this new standard, and are currently taking steps to operationalize this standard via our Xacta® platform.