The US Treasury Department is seeking public comment on the need for and scope of a potential federal insurance response to catastrophic cyber incidents, similar to that introduced for terrorism insurance after the September 11, 2001 attacks.
In its request, the agency is soliciting public comment by November 14, 2022 on whether critical infrastructure risks resulting from catastrophic cyberattacks “justify a federal insurance response.” The request, released by the Federal Insurance Office (FIO) at the U.S. Treasury Department, follows a June 2022 report by the Government Accountability Office (GAO) that recommended that the FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) collectively assess the issue and secure public comment on cyber insurance and catastrophic cyber incidents.
The request noted the increasingly significant frequency and severity of cyberattacks on critical infrastructure, the impact of which “can spill over from the initial target to economically connected businesses – thereby magnifying the damage to the economy.” It also noted that the ability of the private cybersecurity market to absorb such losses – estimated at up to $1 trillion per event in the United States – is limited. See GAO report at 25.
The parallels to the terrorism insurance market are clear. In response to the September 11 attacks, many insurers began including explicit terrorism exclusions in their policies. The US government responded by introducing the Terrorism Risk Insurance Act (TRIA) to help stabilize the market. TRIA created the Terrorism Risk Insurance Program (TRIP) as a temporary means of splitting public and private compensation for certain insured losses from certified acts of terrorism. The Treasury manages the TRIP program, which is authorized through 2027 and capped at $100 billion per year in government support. TRIP has yet to be triggered.
The GAO report found that cyber insurers have limited their exposure to systemic cyber incidents in a variety of ways, including lowering policy limits, raising premium rates, excluding potential systemic events, and capping coverage for critical infrastructure. The report recommended considering a federal catastrophic cyber risk insurance solution and having the FIO and CISA seek public comment on it.
The request for comment
The request is seeking comments on “the risks of catastrophic cyber incidents to critical infrastructure, the potential quantification of such risks, the extent of existing private market insurance coverage for such risks, whether a federal insurance response is warranted, and the nature of such a response.” It acknowledges that most insurance regulation occurs at the state level, but cites several federal insurance programs, including TRIP, the National Flood Insurance Program and the Federal Crop Insurance Program, where residual markets have been created and commitments are in some cases spread across the industry. In addition, the request considers whether a federal response should be outside of, or interact with, TRIP or be part of TRIP.
The request highlights several topics for discussion, including:
- What is a “catastrophic” event?: What types of “catastrophic” cyber incidents might warrant a federal insurance response, and how should the FIO define “catastrophic”? FIO notes that “catastrophic” typically refers to the magnitude of the loss, its spread across multiple organizations, and the level of critical services affected.
- Measurement of financial and insured losses: What level of financial losses should be considered “catastrophic”?
- Cybersecurity measures: Which cybersecurity measures would most effectively reduce catastrophic cyber incidents?
- Current coverage: What insurance coverage is currently in place for catastrophic cyber incidents?
- Structure of the federal response: What structures should be considered by the FIO and CISA for a possible federal insurance response?
Comments are due by November 14, 2022. Insurers should closely monitor developments in this area and consider submitting comments as appropriate. Your Sidley team can help you with this.