The US Government Accountability Office (GAO) recommended in a June 21 report that the federal government should assess the need for a potential insurance backstop for cyberattacks on critical infrastructure. (GAO summary “Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks”) Growing Cyber Threats

• With the growing proliferation of cyberattacks, the challenge of mitigating and managing this expanding risk poses an increasing challenge to the U.S. economy and real estate.
• Insurers and the government's terrorism risk insurance program originally established under the Terrorism Risk Insurance Act (TRIA) may not be able to cover the expanding range of such losses. For example, TRIA may only cover cyberattacks if they can be considered "terrorism" under its defined program criteria.
• TRIA was reauthorized in 2019 and extended for seven years through 2027. The legislation included a request for a study on evolving cyber terrorism risks. (Coalition to Insure Against Terrorism)
• The Roundtable has raised concerns about the need for policyholders to have access to effective insurance products to help manage the risks of catastrophic cyberattacks—particularly in the context of TRIA-backed coverage for cyber terrorism attacks. (See May 16, 2022 joint comment letter on “2022 Report on the Effectiveness of the Terrorism Risk Insurance Program”)
• This month’s GAO report acknowledges that although some cyber incident costs are covered in part by the private cyber insurance market, growing cyber threats have created uncertainty in this evolving market.
• The report also notes that cyber incidents can spill over from the initial target to economically linked firms, thereby magnifying damage and threats to the overall economy. “Cyber insurance and the Terrorism Risk Insurance Program (TRIP)—the government backstop for losses from terrorism—are both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks,” the report adds. (See report summary)

Federal Insurance Backstop

• Federal agencies “have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response,” the report states.
• GAO states a government study that addresses a federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants.
• The report concludes that the Department of the Treasury’s Federal Insurance Office (FIO) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) should jointly assess the cyberattack risks that warrant a federal insurance response, and inform Congress of the results of their assessment.

The Roundtable’s Homeland Security Task Force discussed the issue of cybersecurity and a potential federal backstop during its June 17 meeting, held in conjunction with The Roundtable’s 2022 Annual Meeting. (Roundtable Weekly, June 17) #  #  #