Cyber Insurers Limit Financial Exposure While Risk Grows
Worries about the cyber insurance industry limiting coverage has the federal government asking whether it should provide a backstop or other mechanism for ensuring that catastrophic events don’t go uninsured.
The Department of Treasury and the Cybersecurity and Infrastructure Agency are soliciting comments through mid-November on whether the potential for ruinous financial exposure by insurers in the event of a catastrophic cyber attack on critical infrastructure should lead to a new federal approach.
The two agencies say they’re not committed to any particular method, and a change to the market such as federal willingness to shoulder the losses felt by insurers in the wake of an extremely large event would require legislation.
The request for comments comes weeks after a congressional study sounded alarms over cyber insurers limiting their financial exposure. The Government Accountability Office found that insurers have introduced new exclusions while lowering policy limits and charging higher premiums.
Those restrictions come even as the pace of cyber incidents is mounting, as is the perceived risk of digital attacks on critical infrastructure, whether because of the Russian invasion of Ukraine or a rise in internet-connected operational technology systems (see: Public Water Systems at Cybersecurity Risk, Lawmakers Hear).
As cyber risks grow, so have concerns that potential costs stemming from a catastrophic event mean insurance companies can’t adequately underwrite risk, said Anthony Dagostino, chief executive of cyber insurance and risk management provider Converge, in an email to Information Security Media Group. “A backstop could be helpful,” he said, adding that one shouldn’t stop companies from investing into cybersecurity or insurers from incentivizing better security.
A backstop of sorts exists for the cyber insurance market in the form of Terrorism Risk Insurance Program, but it hasn’t had a calming effect on the market.
The federal government has “sort of signaled, well, we think, you know, some of the existing backstops around terrorism risk or other things might apply in the event of a sufficiently serious cyberattack,” said Josephine Wolff, an associate professor of cybersecurity policy at Tuffts University in a podcast interview earlier this month.
The Terrorism Risk Insurance Program was never intended for cyber insurance, instead becoming law in the wake of the terrorist attacks of Sept. 11, 2001 to ensure the continuance of commercial property and casualty insurance coverage. Before any insurer could invoke federal help to pay insurees, Treasury must certify that the causing event was a terrorist attack and that resulting insurance losses add up to at least $5 million. To date, the program has yet to be triggered.
With reporting by ISMG’s Michael Novinson.