A Government Accountability Office report on the Treasury Department’s role in shaping the market for cybersecurity insurance is expected next spring.
The Government Accountability Office expressed support for the Treasury Department expanding the amount of information it collects from insurance providers regarding cybersecurity claims under a program that allows the government to assist with payouts to policyholders in the case of a catastrophic event.
Treasury’s Federal Insurance Office on Friday issued a Federal Register notice seeking comment on new cybersecurity worksheets participants must submit under the Terrorism Risk Insurance Program. TRIP was created under statute to help insurance companies remain viable after the attacks of 9/11 when it was difficult to find companies willing to bear the risk of such losses going forward.
“As GAO has reported before, obtaining complete information about cyber insurance and losses has been a persistent problem in overseeing the Terrorism Risk Insurance Program (TRIP),” John Pendleton, director of financial markets and community investment for GAO told Nextgov. “Gathering additional data about coverages and losses—including to ransomware—would help assess the adequacy of TRIP so this effort is a step in the right direction.”
Cybersecurity insurance has long been seen as a non-regulatory, market-based way to improve the defenses of private sector entities. But it has also been controversial amid ambiguous policy definitions, and a lack of data to inform sound pricing schemes. The rise of ransomware brought more attention to the industry as some policy makers expressed concern payouts from insurance companies were providing an unhelpful incentive to malicious actors. But as perpetrators asked for higher and higher ransoms, the insurance industry also seemed to welcome the government’s involvement toward producing better actuarial models.
“Without comprehensive, high-quality data on cyber losses, it can be difficult to estimate potential losses from cyberattacks and price policies accordingly,” reads the report GAO released in May under the National Defense Authorization Act of 2021. “Some industry participants said federal and state governments and industry could collaborate to collect and share incident data to assess risk and develop cyber insurance products.”
In that report, GAO teased coming work specifically around TRIP.
“Our broader review of TRIP is ongoing and we anticipate completing our report in the spring of 2022,” Pendleton said.
Treasury is navigating a narrow course between trying to work with insurers to gather data on ransomware payments and warning insurance companies and other financial third parties that they run the risk of violating sanctions by making such payments—due to the probability of attacks being sponsored by adversarial regimes like North Korea and Iran.
”The cyber insurance market continues to grow and evolve, and cyber-related losses (particularly with regard to ransomware) have increased significantly over the past few years,” reads Treasury’s request for comment. “In view of recent market developments and the important role of cyber insurance in the Program, Treasury would like to obtain more detailed information relating to the availability and affordability of such coverage in the market.”
Treasury noted that states, which are responsible for regulating the insurance industry, will also separately seek comment on the proposal through the National Association of Insurance Commissioners.
Comments to Treasury are due within 60 days of the notice being published.
And one cyber insurance company—Resilience, which was among those present at a White House event this summer with representatives from industries the administration considers crucial to advancing cybersecurity—is already weighing in.
“This proposal could enable both insurers, as well as the federal government, to obtain a better understanding of insurance coverage for cyber threats, across businesses of all sizes,” Amy Chang, head of risk and response at Resilience, told Nextgov. “To the extent that aggregated data and trends become public, it would provide the insurance market with useful context on cyber insurance solutions and claims data. Ultimately, insurers can use this data to better respond to the continuous evolution of those threats and provide more refined and protective solutions to American businesses."