Agencies Push Deadline to Comment on Would-Be Federal Cyber Insurance Program


Insurance companies are pushing for taxpayer assistance to provide coverage in the event of catastrophic incidents.

The Treasury Department and the Cybersecurity and Infrastructure Security Agency extended their original deadline—Monday—to Dec. 14 for receiving public comment on whether federal funds should be used to help insure the provision of critical infrastructure against losses from cyberattacks, and if so, how a federal insurance program might be designed.

The agencies announced the extension in a Nov. 9 notice published in the Federal Register.

Pursuant to a recommendation from the Government Accountability Office, under direction from Congress to investigate the question, the agencies are seeking answers on “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response,” according to the notice.

Going back to the Obama administration, cyber insurance has been seen by policymakers across the political spectrum as a non-regulatory way to incentivize appropriate cybersecurity practices by private-sector entities. The agencies’ request for comment comes as a series of developments over recent years—including decisions in key court cases—coincides with insurance companies calling for a federal cyber insurance program.

In December 2019, Congress passed an appropriations bill instructing GAO to report on the availability of cyber insurance for critical infrastructure providers. In May 2021, GAO reported on challenges facing the industry—which the watchdog said could be addressed. And in June, GAO tagged Treasury and CISA to further investigate the need for a federal program akin to the National Flood Insurance Program run by the Federal Emergency Management Agency or the Federal Crop Insurance Program at the Department of Agriculture.

In their initial Sept. 29 request for comment, Treasury and CISA said they would also consider how the Terrorism Risk Insurance Program, or TRIP, might be adapted to cover cybersecurity incidents, but that their focus would be primarily on non-TRIP approaches at home or abroad.

The TRIP model—established after the terrorist attacks of Sept. 11—essentially insures the insurers, helping them to cover policyholders in the event of qualifying incidents. But there’s a $100 billion cap on the amount the government can pay out, and the agencies’ notice cites a study CISA published in 2020, which estimated potential losses from a single cyber incident could range from $2.8 billion to $1 trillion. And meeting the criteria for a terrorist attack might prove challenging for those seeking coverage after a cybersecurity incident.

Federal insurance programs are typically established to ensure policyholders are covered for damages during unforeseeable natural disasters—so-called “acts of God”—that result in a slew of claims at once, far exceeding insurers’ ability to meet their obligations.

The potential for cyberattacks to cause cascading impacts and rack up insurance claims from policyholders was on full display during the 2017 NotPetya attack, which started in Ukraine but had huge spillover effects on U.S. companies.

In two major cases, insurance companies refused to cover claims by invoking “act of war” exclusions, due to the involvement of a nation-state actor. U.S. officials have attributed the NotPetya attack to Russia, but in a January 13 decision, a New Jersey court ruled that insurance firm Ace did not provide enough notice about how the exclusion would be applied in shipping company Merck’s $1.7 billion property insurance policy.

The Merck case is reportedly under appeal from Ace, which the court said should pay Merck’s claim of $1.4 billion in computer damages. More recently, The Record reported that insurance company Zurich is settling a $100 million lawsuit with snack food giant Mondelez after initially refusing to pay the latter’s NotPetya-related claim, given an act of war exclusion.

Citing conversations with staff from the National Association of Insurance Commissioners, the May 2021 GAO report noted a lack of uniformity in the way the industry defined key policy terms, including an “act of war.” “This ambiguity can result in misunderstandings and litigation between insurers and policyholders,” the GAO wrote, referring to lawsuits prompted by the NotPetya attack.

Act of war exclusions were advocated by the reinsurance firm Lloyds of London in November of 2021. Reinsurance firms insure their insurance-industry clients’ ability to pay claims. Seeking to limit their exposure, insurance companies followed suit and continued to use the exclusion as an epidemic of ransomware plagued critical infrastructure providers.

The industry also came under fire from some observers for reportedly encouraging policyholders to pay out ransom demands. And the Treasury Department warned that insurance companies could be in violation of U.S. sanctions by engaging by proxy with banned regimes like North Korea and Iran when they make such payments.

Insurance industry representatives say they’ve exercised greater scrutiny during their underwriting procedures in response to the rise in ransomware, and observers like Moody’s—the credit rating firm—reported that the war in Ukraine, along with ransomware, led to narrower coverage and higher premiums from the industry. Insurance representatives also note revisions Lloyds made to its bulletin in August advising the use of clearer “act of war” language in policies.

“We recognize that many managing agents in the market are already including clauses in their policies specifically tailored to exclude cyber-attack exposure arising both from war and non-war, state backed cyber-attacks,” the reinsurer wrote. “We wish to ensure, however, that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings … the complexities that can arise from cyber-attack exposures in the context of war or non-war, state backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust.”

As the January court decision, the recent settlement agreement and supply-chain attacks like the SolarWinds hack spotlight the industry’s performance managing cybersecurity risks, insurance firms are promoting a federal response to supplement their coverage in the event of a catastrophic incident.

“The insurance industry has come a long way in its understanding of cyber terrorism, [Hostile Cyber Activity] and cyber war, and assessing how to insure such risks,” reads a report the Geneva Association, an insurance-industry think tank, published in January. “To expand the limits of insurability, insurers need to be proactive in assessing feasible options for sharing cyber risks, including with governments via [public-private partnerships]. Such collaborative efforts between insurers and governments will enable cyber protection gaps to be narrowed and ensure the full societal benefits of cyberspace can be realized.”

Referencing the notice from Treasury and CISA, global insurance firm Swiss Re expressed its support for a federal insurance program in a Nov. 8 report.

“Acts of cyber warfare, the disruption of a cloud provider of critical software or the deployment of malware through commonly-used software are examples of scenarios that could generate catastrophic losses,” the report reads, noting a “potential solution to help close the protection gap is to design a type of public private partnership (PPP) insurance scheme, where the coverage of systemic risks is split between insurers and a government(s)-backed fund.”

Treasury and CISA are paying attention to the industry’s appeals. Their Sept. 29 request for comment referenced the Geneva Association report, which suggested that a successful federal cyber insurance program must encourage entities to purchase cyber insurance.

“To incentivize good cybersecurity, as much risk as possible should remain with firms and individuals and be underwritten by private insurers on commercial terms, with public-sector involvement limited to extreme loss outcomes,” the group said in its report. “Any government-backed solutions should not simply be a fiscal solution but also seek, with insurers, to promote adoption of cybersecurity best practices—including taking out appropriate insurance—in order to reduce the vulnerability of society to such risks.”

Treasury and CISA’s request for comment also asks how a federal insurance program can avoid creating a moral hazard, which they describe as “the possibility that either insurers or policyholders might take undue risks in reliance upon a federal insurance response or fail to implement cybersecurity controls.”

In recommending the agencies report to Congress on the merits of a federal insurance program, the GAO advised caution regarding the moral hazard issue.
