Businesses risk ‘catastrophic financial loss’ from cyberattacks, US watchdog warns

A government watchdog has warned that private insurance companies are increasingly backing out of covering damages from major cyberattacks — leaving American businesses facing “catastrophic financial loss” unless another insurance model can be found.

The growing challenge of covering cyber risk is outlined in a new report from the Government Accountability Office (GAO), which calls for a government assessment of whether a federal cyber insurance option is needed.

The report draws on threat assessments from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Justice to quantify the risk of cyberattacks on critical infrastructure, identifying vulnerable technologies that might be attacked and a range of threat actors capable of exploiting them.

Citing an annual threat assessment released by the ODNI, the report finds that hacking groups linked to Russia, China, Iran, and North Korea pose the greatest threat to US infrastructure — along with certain non-state actors like organized cybercriminal gangs.

Given the wide and increasingly skilled range of actors willing to target US entities, the number of cyber incidents is rising at an alarming rate.

“Although federal agencies do not have a comprehensive inventory of cybersecurity incidents,” the report reads, “several key federal and industry sources show (1) an increase in most types of cyberattacks across the United States — including those affecting critical infrastructure, and (2) significant and increasing costs for cyberattacks.”

In 2016, US businesses and public bodies were hit with a total of 19,060 incidents in the four major categories — ransomware, data breaches, business email compromise, and denial of service attacks — with a total cost of $470 million, per a GAO analysis of FBI reports. In 2021, there were 26,074 incidents, and the total cost was close to $2.6 billion.

The report also cites specific incidents that have had a spillover effect on the wider economy, notably the ransomware attack on Colonial Pipeline that took a 5,500-mile fuel pipeline offline. In that attack, the pipeline operator paid the attackers a ransom of $4.4 million, despite law enforcement guidance that ransom demands should not be paid.

Spooked by the possibility of having to cover such large losses, private insurers are backing out of the market by writing the most severe cyberattacks out of their policies. While data breaches and ransomware attacks are generally still covered, the report finds that “private insurers have been taking steps to limit their potential losses from systemic cyber events,” declining to cover losses caused by acts of cyber warfare or deliberate attacks on critical infrastructure.

According to the US Department of the Treasury, some insurers have also been mitigating their exposure by lowering the maximum amount a policy will pay out after a cyberattack and/or raising premiums to protect themselves from losses. The GAO also found evidence that some insurers are pulling out of coverage for critical infrastructure sectors entirely, judging the risk of attack too high.

Overall, the GAO report recommends that CISA and the Federal Insurance Office jointly assess whether these factors warrant a federal insurance response, along the lines of FDIC insurance for bank deposits or the National Flood Insurance Program.

Repost: Original Source and Author Link


Ban facial recognition in Europe, says EU privacy watchdog


(Reuters) — Facial recognition should be banned in Europe because of its “deep and non-democratic intrusion” into people’s private lives, EU privacy watchdog the European Data Protection Supervisor (EDPS) said on Friday.

The comments come two days after the European Commission proposed draft rules that would allow facial recognition to be used to search for missing children or criminals and in cases of terrorist attacks.

The draft rules, which need to be thrashed out with EU countries and the European Parliament, are an attempt by the Commission to set global rules for artificial intelligence, a technology dominated by China and the United States.

The privacy watchdog said it regretted that the Commission had not heeded its earlier call to ban facial recognition in public spaces.

“A stricter approach is necessary given that remote biometric identification, where AI may contribute to unprecedented developments, presents extremely high risks of deep and non-democratic intrusion into individuals’ private lives,” it said in a statement.

“The EDPS will focus in particular on setting precise boundaries for those tools and systems which may present risks for the fundamental rights to data protection and privacy.”

The Commission’s proposals have drawn criticism from civil rights groups, concerned about loopholes that may allow authoritarian governments to abuse AI to clamp down on people’s rights.

