Treasury Seeks Comment on How to Structure a Cyber Insurance Program


The Department’s Federal Insurance Office—together with the Cybersecurity and Infrastructure Security Agency—is soliciting feedback in preparation for a report to Congress.

The Treasury Department’s Federal Insurance Office wants to know whether a national cyber insurance program should require policyholders to implement basic cybersecurity measures in order to avoid creating a moral hazard.

“Should cybersecurity and/or cyber hygiene measures be required of policyholders under the structure?” Steven Seitz, director of Treasury’s Federal Insurance Office, asked in a request for comment set to publish in the Federal Register Thursday. “If so, which measures should be required?”

Comments are due within 45 days of the notice being published. Those interested in weighing in on the issue can also participate in a meeting of Treasury’s Federal Advisory Committee on Insurance Thursday afternoon.   

The question on effective cybersecurity measures is one of several that FIO and the Cybersecurity and Infrastructure Security Agency are asking to help craft a report to Congress on the merits of establishing a federal cyber insurance program. Their effort stems from a recommendation of the Government Accountability Office, which Congress instructed to examine the role of the federal government in cyber insurance under the National Defense Authorization Act of 2021.

GAO highlighted the possibility that a federal insurance program could create warped incentives in the industry, especially in the wake of ransomware attacks across the country, but the agency passed the baton to FIO and CISA to make the ultimate recommendation to Congress on the issue.  

The notice from Treasury and CISA describes moral hazard as “the possibility that either insurers or policyholders might take undue risks in reliance upon a federal insurance response or fail to implement cybersecurity controls.”

Insurance is typically regulated at the state level, but there are a couple of examples of federal programs, including the Terrorism Risk Insurance Program that Treasury oversees and the National Flood Insurance Program, which the Federal Emergency Management Agency administers.

NFIP mandates coverage for certain properties and is funded by the premiums, but the program is perennially in debt due to huge sums paid out after catastrophic hurricanes. As experts warn of a hurricane of historic proportions hitting the state of Florida, the NFIP is set to expire unless Congress reauthorizes it by the end of the week.

The TRIP model—established after the terrorist attacks of Sep. 11—essentially insures the insurers, helping them to cover policyholders in the event of qualifying incidents. But there’s a $100 billion cap on the amount the government can pay out, and the notice cites a study CISA published in 2020 which estimated potential losses from a single cyber incident could range from $2.8 billion to $1 trillion.

“Should an existing federal insurance program (e.g., NFIP or TRIP) or other U.S. or international public-private insurance mechanisms serve as a model for, or be modified to address, catastrophic cyber incidents?” the notice asks. 

According to the notice, “FIO intends to assess potential federal insurance responses that are outside of TRIP, but will also consider how potential responses could interact with, or be part of, TRIP.” That would spur questions about whether certain cyber incidents should count as terrorist attacks. 

The agencies also want answers to a host of other questions, such as whether insurers would be less likely to cover events that resulted in physical impacts and what amount of financial losses should be considered “catastrophic.” 

“What cybersecurity measures would most effectively reduce the likelihood or magnitude of catastrophic cyber incidents?” the notice also asks. “What steps could the federal government take to potentially incentivize or require policyholders to adopt these measures?”