Cybersecurity Insurance and Data Analysis Working Group Re-Envisioned to Help Drive Down Cyber Risk


By Nitin Natarajan, Deputy Director, Cybersecurity and Infrastructure Security Agency

Last Friday, I had the pleasure of joining the Treasury Federal Insurance Office and the New York University Stern School of Business’ Volatility and Risk Institute at their conference on Catastrophic Cyber Risk and a Potential Federal Insurance Response, where I announced that CISA will relaunch the Cybersecurity Insurance and Data Analysis Working Group (CIDAWG).

For those familiar with the original CIDAWG created in 2014, this new iteration will look very different. The working group was re-established to create a venue for collaboration and forward progress with industry on topics where we have shared interests, specifically, understanding which security controls are working most effectively to defend against cyber incidents. This will help organizations better understand where to invest resources and will allow the government to ensure our future investments are making the greatest impact. To put it simply, we want to understand what “good” looks like.

Our nation’s critical infrastructure faces serious cyber risks, often accompanied by significant financial losses in the wake of a cyber incident. The digital revolution has brought much good, connecting humans around the globe in ways we never could before; however, each new digital tool and platform represents another potential point of failure in an ever-expanding attack surface.

Take ransomware as an example. Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. The monetary value of ransom demands has increased, with some demands exceeding $1 million. Additionally, according to the FBI’s 2022 Internet Crime Report, ransomware complaints rose about 60% between 2018 and 2022 (from 1,493 to 2,385), with reported ransomware losses in 2022 exceeding $34.3 million. That figure is a lower bound: it does not include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services. With respect to cyber incidents broadly, the same report showed a 49% increase in reported losses from 2021 to 2022, from $6.9 billion to $10.3 billion.

To address this crisis, we need to understand how to effectively combat the threat. That’s where the CIDAWG comes in. When we re-launch the CIDAWG in December, the working group will partner with Stanford’s Empirical Security Research Group, a research lab in Stanford’s Computer Science Department, with the intent of correlating incident and loss data with the cybersecurity controls organizations had in place, in order to understand which controls are effective. CISA will ask working group members to collaborate with Stanford to improve analysis of the aggregated, anonymized loss data and link it with controls effectiveness. This analysis will be a resource both for insurers to inform their risk analysis and for CISA to better understand whether efforts like the Cybersecurity Performance Goals (CPGs) and the Secure by Design initiative are translating to reduced cyber risk exposure for organizations that adopt them.

At its core, CIDAWG will be a key part of a larger effort by CISA and federal agency partners to combat ransomware. CISA has many tools to support this effort, including the Joint Ransomware Task Force, the Ransomware Vulnerability Warning Pilot, and the Pre-Ransomware Notification Initiative. The Pre-Ransomware Notification Initiative receives tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about early-stage ransomware activity, allowing CISA to notify the targeted organization in time to head off the attack.

In addition, CISA continues to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which directs CISA to issue regulations requiring covered entities to report to CISA covered cyber incidents within 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred and report ransom payments within 24 hours after the payment has been made. It’s critically important that entities report cyber intrusions, including ransomware incidents, to CISA or the FBI as quickly as possible. Reporting incidents allows CISA to quickly share information that can protect other organizations, limiting the ability of malicious actors to use the same techniques to execute multiple intrusions.

In short, achieving the goal of driving down cyber risk, as stated in the National Cybersecurity Strategy, requires coordinated action across the United States Government, the private sector, and American society. Everybody has a role to play in cybersecurity, and we need everybody to play their role. I look forward to relaunching CIDAWG and working with our partners in the coming months to help collectively drive down cyber risk, improve the threat landscape, and prevent future cyberattacks.