Skip to content

On-Demand Webinar:
The Impacts of Cyber Insurance on The DIB

Discussion of cyber insurance and the very real threats that contractors are facing as it relates to security standards such as NIST 800-171 and CMMC 2.0.



Recorded On:
Wednesday, May 4, 2022
11:00 AM CDT

With international cybersecurity crime at an all-time-high, the DoD supply chain, or the Defense Industrial Base (DIB) is a major target for cyber warfare because of organizations' possession of sensitive data such as Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), Controlled Defense Information (CDI), International Traffic in Arms Regulation (ITAR) data, and more; the lack thereof meeting current cybersecurity mandates such as NIST 800-171 and the upcoming CMMC 2.0 could potentially set the stage for the increase in an international threat landscape.

In this webinar, Robert Metzger (Renowned attorney and industry thought-leader), Jacob Horne, and Scott Edwards discuss the very real threats that contractors are facing as it relates to security standards such as NIST 800-171 and CMMC 2.0 and how organizations should be focusing on strong cybersecurity postures in order to secure or maintain existing cyber insurance policies. The lack of insurance coverage in the event of cyberattacks such as ransomware and other major cyber threats is an issue that organizations that are failing to address federal cyber mandates could be facing sooner rather than later.

Presenters talk through how technical standards such as NIST 800-171 and those within CMMC 2.0 could set organizations up for success when considering insurance policies to protect their businesses in the Defense Industrial Base.

Watch On Demand

The Impacts of Cyber Insurance on The DIB Q&A

Speakers are not offering legal advice through these answers. Anyone who seeks legal advice should consult their own lawyer. Anyone who needs details as to cyber coverage should consult with their insurance broker.


  1. Is there an insurance requirement in CMMC 2. If there was would this force companies compliance and put verification of compliance of CMMC on insurance companies reducing workload on government?


Bob: There is no insurance requirement in CMMC 2.0. As things stand, insurance companies cannot consider a CMMC assessment as demonstration or proof of adequate security – since the CMMC regulations are not final and CMMC C3PAO assessments have not started. It would be ill-advised, IMO, to force DIB suppliers to have insurance because many companies could not get it and therefore would be excluded from the DIB.


  1. Under CMMC 2.0. Is there any requirement for cyber insurance? I noted at the last Town Hall with the AB that Matt. T. mentioned the requirement for C3PAOs and RPOs to have at least $1 mil in cyber liability insurance.


Bob: There is no requirement in CMMC 2.0. However, as a matter of business prudent liability insurance should be obtained by companies who provide cyber services or counseling, such as RPOs, or who are C3POs. I believe that such insurance would be for claims regarding the adequacy of their professional services, rather than to pay for cyber breach costs of their clients. The agreements between such service providers and their clients should include provisions to limit the liability of the service provider.


  1. It appears that the insurance companies are raising the bar so high that it is going to price most MSPs out of the market. an analogy like with CMMC, if the DoD raise the bar so high that most small shops drop out, then there will be so few companies in the DIB to service the DoD


Bob: I don’t have knowledge of the availability of cyber insurance to MSPs. However, I can see that insurers would be wary of a MSP seeks coverage against the “third party loss” of the MSP’s client. That is why MSPs and other service providers should use contractual terms to exclude and/or limit their liability to such claims.


  1. What do you consider the most compelling reason for cyber insurance? Pay a ransom? Legal support? Forensic support? Negotiations? All of the above? Seems execs get too near-sighted on payment of a ransom; but the other benefits seem to outweigh the payment.


Bob: The most compelling reason is to have a source of funds to pay for the many types of costs that result when a breach or ransomware attack occurs. These include both first party and third party costs. First party costs, otherwise incurred by the insured, include forensics, legal and supporting costs to deal with a ransomware attacker, payment of an amount demanded by the attacker (if allowed under applicable laws and permitted by the policy), system restoration, and business interruption costs. Third party claims include those which may be made by persons or companies whose data is compromised and can include claims arising from privacy obligations under state laws, GDPR claims, potentially, regulatory claims and penalties, and other forms of liability as may be claimed by third parties who assert injury. What is actually payable depends on the specifics of the insurance policy, and there will be withholds or retentions that the insured must pay itself before the coverage kicks in. Yes, costs in addition to the ransomware extortion payment can greatly exceed the amount of the ransomware itself.


  1. How would you choose a more secure MSP to work with?


MSP Alliance Cyber Verify certification seems to be the only industry audit methodology


  1. How does increasing 3rd party liability (tort) affect cyber insurance coverage?


Bob: That depends upon the terms or nature of the 3d party liability (tort) coverage. Some such policies may exclude losses due to cyber events. I would not assume that cyber events are covered under such a policy unless this is evident from close reading of the policy. My sense is that the present practice is that cyber policies are written separately from general liability or other enterprise insurance.


  1. Is there any DOD specific ransom data? As an industry, I have not seen data specific to this category.


Bob: I am not aware of any. It is a good question. However, as a general proposition, the “quality” of data on ransomware attacks is uncertain. Many companies decide not to report ransomware to anyone if there is no legal or contractual reason to do so.


  1. Are there any known cases of breaches on insurance companies where a hacker gets policy amounts for clients and then target those clients for their published insured amounts?


Bob: I am not aware of any. But a sophisticated hacker, which performs reconnaissance on the target before the attack, definitely could know which business relationships (customers) are most important to the company it attacks. I have heard of instances where a customer is informed that their data has been hacked, increasing pressure on the attacked company to pay. What a hacker learns in an attack on one company certainly could inform its decisions about other companies to attack and what to demand.


  1. Does / would cyber insurance cover both an incident (say stolen data) AND a GDPR suit? Or would that be two different insurance plans.


That depends on the terms of the policy. A policy can include both. If a US company has no EU information or business, its policy might exclude GDPR liability but include US privacy obligations such as notification of breach and identity protection.


  1. Are you seeing any companies getting in trouble for not checking the denied parties/entity list when paying a ransom?


This is a different domain – but, yes, companies do face exposure, to the FinCEN and OFAC units of the Department of the Treasury, and possibly to the Department of Justice, if they pay or facilitate payment to an entity on the denied parties list. Companies are strongly advised to use available forensics and data intelligence services to avoid any payments to any entity on such list, and to report as required under the applicable regulations.


  1. I'm seeing "insurance as a service" discussed recently - is this the future?


Bob: I’m not aware of this. For cyber insurance to be available, a carrier or underwriter must decide to extend coverage, under what terms, and enter into a contract of insurance with the particular enterprise to be covered.


  1. Is there a repository of diligence questions used by carriers?


Bob: I am not aware of such a repository. What I’ve seen indicates considerable variety among questions and approach to cyber diligence.



  1. Are you seeing any insurance discounts for any frameworks/certifications?


Bob: I am not aware of any. However, I would think that frameworks and certifications would make it more likely that a company could get insurance and should affect the premiums paid.


  1. Any concern of brokers being impersonated to gather data? Since so much of the data is sensitive, should we be performing supplier risk assessments or is it enough to do standard diligence and just contact the provider directly to see if they are authorized.


Bob: it makes sense to do diligence on the broker and to carefully manage system access, and what information about networks and systems, is provided to a broker. They should be asked to demonstrate bone fides.


  1. I have a client who says he is receiving more and more audit requests from clients, but many of the audits come directly from the auditor, not the client, so they are suspicious of the source. Any suggestions for handling auditors?


Bob: I don’t have knowledge of these circumstances. However, it is possible that client auditors will ask their audit clients questions about the cyber or supply chain security of key supply chain participants of the client.


  1. Do we 'assume' that insurance companies are hiring certified auditors or how else would we (DiB) trust an insurance monitoring?


Bob: right now, there is no reason to “assume” that any cyber review by an insurance company is “qualified.” However, I have seen instances where the entity doing the cyber review is identified and where their credentials can be viewed.

Relevant Videos & Blogs


Bob Metzger


Bob is a Shareholder, Attorney, and head of the DC Office for Rogers Joseph O'Donnel aka RJO where he leads a team of more than 8 attorneys. He is most notably a coauthor of the MITRE "Deliver Uncompromised" Report. Bob is recognized for subject area leadership in cyber, supply chain and related security matters. Chambers USA 2020 ranked Bob top amongst his peers – Nationwide and said that he is “routinely called upon by clients in cybersecurity matters, assisting clients with high-stakes contract procurements, litigation and compliance issues.” He is a graduate of Georgetown University Law Center and was a Research Fellow at Harvard University's Center for Science & International Affairs (now "Belfer Center") at the Kennedy School of Government.

Jacob Horne


Jacob Horne is Managing Partner at DefCERT where he specializes in DFARS and CMMC compliance for companies in the DIB. As a former NSA intelligence analyst and U.S. Navy cryptologic technician, Jacob has over 14 years of experience in offensive and defensive cybersecurity operations. As a civilian he has led Governance, Risk, and Compliance teams at AT&T, Northrop Grumman, and the NIST Manufacturing Extension Partnership. He has developed and taught numerous cybersecurity training programs for organizations including the NSA National Crypotologic School, UCLA, and UC Irvine. Jacob has a master’s degree in cybersecurity risk and strategy from the NYU School of Law and is an MBA candidate at the UC Irvine Paul Merage School of Business. Jacob is a CMMC Provisional Instructor Candidate, CISSP and CDPSE.

Scott Edwards


Scott Edwards is CEO of Summit 7 Systems and brings 20+ years of experience providing thought leadership around Security and Compliance and Cloud Services as a national speaker. This though leadership has resulted in him being invited to participate in CMMC working groups and speak at other conferences throughout the DoD community. Before S7, Scott spent 6+ years working as a Senior Computer Engineer and NASA Datacenter Chief Engineer. Scott is a graduate of the US Military Academy, West Point and obtained a Master of Science in Computer Science from James Madison University.