As cyberattacks pose an increasing threat to the real estate industry and the U.S. economy, the government is seeking input from policyholders, critical infrastructure owners, and operators on a potential federal response for catastrophic cyber incidents, including whether a national cyber reinsurance program is warranted. (Treasury Department Notice, Sept. 29 and NextGov, Sept. 28)
Response to Catastrophic Cyber Attacks
- The Treasury Department’s Federal Insurance Office (FIO) and the Cybersecurity and Infrastructure Security Agency (CISA) are seeking comments by Nov. 14 on the structure and scope of a federal response. (FIO request for comments and Inside Cybersecurity, Sept. 12)
- The FIO-CISA request for comments follows a June Government Accountability Office (GAO) recommendation that the federal government assess the need for a potential insurance backstop for cyberattacks. (GAO, Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks, June 21)
- Cyber insurance is a growing market, with approximately $4 billion in direct premiums written in 2020. (FIO’s Effectiveness of the Terrorism Risk Insurance Program, June 2022)
- Lloyd’s of London announced in August that it is set to introduce cyber insurance exclusions for coverage on “catastrophic” state-backed attacks from 2023. (Lloyd’s Market Bulletin, Aug. 16 and Industrial Cyber, Aug. 18)
Terrorism & Cybersecurity
- The Roundtable and its partners in the Coalition to Insure Against Terrorism (CIAT) have raised concerns about the need for effective insurance products to help manage the risks of catastrophic cyberattacks. (CIAT comment letter on the 2022 Report on the Effectiveness of the Terrorism Risk Insurance, May 16)
- Insurers and the federal government’s Terrorism Risk Insurance Program (TRIP) may not cover the expanding range of such losses. For example, TRIP may only cover cyberattacks if they can be considered “terrorism” under its defined program criteria. (Roundtable Weekly, June 24)
- Separately, CISA is requesting input on the implementation of cyber incident reporting requirements (due Nov. 14). CISA is also hosting a series of public listening sessions in cities throughout the nation as an additional means of gathering stakeholder responses on definitions for the proposed rules, the form and content of reports, enforcement procedures, and information protection policies. (Federal Register and Notice of Public Listening Sessions, Sept. 12)
Cybersecurity has long been a focus of The Roundtable’s Homeland Security Task Force (HSTF) and the Real Estate Information Sharing and Analysis Center. Cybersecurity issues and CRE will be discussed during the next HSTF meeting on Jan. 25, 2023—held in conjunction with The Roundtable’s State of the Industry meeting. (Roundtable Meeting Calendar)
# # #