Navigating the Complex Landscape of Cybersecurity and Insurance: Are Federal Backstops the Solution?

Navigating the Complex Landscape of Cybersecurity and Insurance: Are Federal Backstops the Solution?

The Growing Need for Federal Cybersecurity Insurance Mechanisms

Two U.S. agencies, the Federal Insurance Office (FIO) and the Cybersecurity and Infrastructure Security Agency (CISA), are exploring the potential need for a federal mechanism to address the growing cybersecurity threat to critical infrastructure. This move highlights the increasing complexity and interrelatedness of risks facing governments, businesses, and communities today. The Government Accountability Office (GAO) recently recommended that FIO and CISA take this action, acknowledging their efforts to understand the financial implications of growing cybersecurity risks but noting the absence of a federal insurance mechanism.

Insurance Image

Limitations of Current Insurance Models

The GAO report emphasizes that both cyber insurance and the Terrorism Risk Insurance Program (TRIP) are limited in their ability to cover catastrophic losses from systemic cyberattacks. While cyber insurance can offset costs from common risks like data breaches and ransomware, private insurers are increasingly limiting their exposure to systemic cyber events. Insurers are excluding coverage for losses from cyber warfare and infrastructure outages, and cyberattacks may not meet TRIP's criteria to be certified as terrorism.

Insurance Image

Comparing Cybersecurity Preparedness to Pre-9/11 Terrorism Coverage

The comparison of U.S. cybersecurity preparedness today to its readiness for terrorist acts prior to 9/11 is striking. Before 9/11, terrorism coverage was included in most commercial property policies. Afterward, insurers began excluding terrorist acts, leading to the establishment of the Terrorism Risk Insurance Act (TRIA), which created TRIP as a temporary system of shared public and private compensation for certain insured losses from a certified act of terrorism. The GAO's recommendation for a similar solution for cyber risk underscores the potential insufficiency of traditional risk-transfer products to address increasingly complex and costly threats.

Insurance Image

In conclusion, while many states are taking steps to anticipate and mitigate risks, much work remains to change behaviors, best practices, and public policies to reduce risks and improve the availability and affordability of coverage. Readers are advised to stay informed about the evolving landscape of cybersecurity and insurance, consider the potential benefits and limitations of federal backstops, and engage with industry experts to better understand their risk management strategies.