The department is in a bit of an awkward position, tasked with supporting the industry while cautioning against ransomware payouts.
The Treasury Department is asking what the federal government might do to boost the insurance industry for cyber terrorism in an effort to assess the effectiveness of a national reinsurance program established in the wake of the 9/11 attacks.
A notice set to publish in the Federal Register Wednesday seeks comment within 45 days on “any potential changes to the [Terrorism Risk Insurance Act] or [Terrorism Risk Insurance Program] that would encourage the take up of insurance for cyber-related losses arising from acts of terrorism as defined under TRIA, including but not limited to the modification of the lines of insurance covered by TRIP and revisions to the current sharing mechanisms for cyber-related losses.”
The program was established to provide a backstop for insurers who were reluctant to risk selling coverage after the terrorist attacks of 2001. The law established a fund for the government to step in to help cover a qualified incident if damages exceed a specified amount.
Government watchdogs say they welcome Treasury’s collection of information on insurance for terrorism-related cyberattacks.
A comprehensive review of the Treasury program is expected this spring, a Government Accountability Office official told Nextgov. “Obtaining complete information about cyber insurance and losses has been a persistent problem in overseeing TRIP. Gathering additional data about coverages and losses—including to ransomware—would help assess the adequacy of TRIP so this effort is a step in the right direction.”
Treasury is navigating a narrow course between trying to work with insurers to gather data on ransomware payments and warning insurance companies and other financial third parties that they run the risk of violating sanctions by making such payments—due to the probability of attacks being sponsored by adversarial regimes, such as Russia.
Testifying before the House Judiciary Committee Tuesday, Bryan Vorndran, assistant director of the FBI’s cyber division, fielded questions about how paying ransoms—particularly through the use of cyber insurance—impacts cybersecurity on the whole.
Vorndran reiterated the FBI’s position against banning ransom payments and said the danger of sanctions violations amid Russia’s invasion of Ukraine is another reason targeted entities should reach out to the bureau.
“When you look at [the Office of Foreign Assets Control]'s guidance, it specifically says one of the most important mitigation criteria is whether the victim company has engaged federal law enforcement prior to paying the ransom,” he said. “The reason for that is that we can very much help that entity who's having a bad day understand who they're paying, and whether that is a sanctioned entity.”