GAO: Potential Federal Cyber Insurance Program Should Avoid Moral Hazard

The Treasury Department’s Federal Insurance Office and the Cybersecurity and Infrastructure Security Agency should consider the danger of creating counterproductive incentives while examining the need for a federal cyber insurance program, according to the Government Accountability Office. 

“CISA and FIO should jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response,” the agency reported Tuesday.

The GAO report, which was initially forecast to be published over a year ago, studied whether Treasury’s Terrorism Risk Insurance Program should be expanded to cover the fallout from cybersecurity incidents. It stems from a remit in the National Defense Authorization Act to report on the state of the larger cyber insurance market, which has long been viewed as a non-regulatory way to drive improvements in organizations defenses.

GAO pointed to work it did creating a framework on how federal funds from the Troubled Asset Relief Program, or TARP, should be used to assist private sector entities, saying it could guide the design of a potential federal cyber insurance program.  

“The framework notes the need to define the problem, mitigate moral hazard (that the existence of a federal backstop could result in entities taking greater risks), and protect taxpayer interests,” GAO wrote in the report published Tuesday. “Consistent with these elements, any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants.”

The role of private cyber insurers has been on a roller coaster of U.S. policy considerations, with the war in Ukraine providing the most recent bit of whiplash for the industry and those thinking of taking out a policy.  

“Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware,” GAO wrote. “However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages.” 

The report reiterated the limitations of Treasury’s TRIP, which Congress established after the attacks of September 11th to help the private sector cover up to $100 billion in losses for qualifying events. 

“TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements,” GAO wrote. “However, cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified.”

GAO said Treasury and CISA are both in a position to assess the merits of a federal insurance program dedicated to covering catastrophic cyber incidents which—after the infamous “SolarWinds” event—policymakers are more keenly aware can have cascading impacts across critical infrastructure. 

FIO and CISA have “both have taken steps to understand the financial implications of growing cybersecurity risks. However, they have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response,” GAO said, suggesting they jointly submit a report to Congress on the question.