Agencies Push Deadline to Comment on Would-Be Federal Cyber Insurance Program

The Treasury Department and the Cybersecurity and Infrastructure Security Agency extended their original deadline—Monday—to Dec. 14 for receiving public comment on whether federal funds should be used to help insure the provision of critical infrastructure against losses from cyberattacks, and if so, how a federal insurance program might be designed.

The agencies announced the extension in a Nov. 9 notice published in the Federal Register .

Pursuant to a recommendation from the Government Accountability Office, under direction from Congress to investigate the question, the agencies are seeking answers on “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response,” according to the notice.

Going back to the Obama administration, cyber insurance has been seen by policymakers across the political spectrum as a non-regulatory way to incentivize appropriate cybersecurity practices by private-sector entities. The agencies’ request for comment comes as a series of developments over recent years—including decisions in key court cases—coincide with insurance companies calling for a federal cyber insurance program.  

In December 2019, Congress passed an appropriations bill instructing GAO to report on the availability of cyber insurance for critical infrastructure providers. In May, 2021, GAO reported on challenges facing the industry—which the watchdog said could be addressed. And in June, GAO tagged Treasury and CISA to further investigate the need for a federal program akin to the National Flood Insurance Program run by the Federal Emergency Management Agency or the Federal Crop Insurance Program at the Department of Agriculture.  

In their initial Sept. 29 request for comment, Treasury and CISA said they would also consider how the Terrorism Risk Insurance Program, or TRIP, might be adapted to cover cybersecurity incidents, but that their focus would be primarily on non-TRIP approaches at home or abroad. 

The TRIP model—established after the terrorist attacks of Sept. 11—essentially insures the insurers, helping them to cover policyholders in the event of qualifying incidents. But there’s a $100 billion cap on the amount the government can pay out, and the agencies’ notice cites a study CISA published in 2020, which estimated potential losses from a single cyber incident could range from $2.8 billion to $1 trillion. And meeting the criteria for a terrorist attack might prove challenging for those seeking coverage after a cybersecurity incident.

Federal insurance programs are typically established to ensure policy holders are covered for damages during unforeseeable natural disasters—so-called “acts of god”—that result in a slew of claims at once, totally exceeding insurers’ ability to meet their obligations.

The potential for cyberattacks to cause cascading impacts and rack up insurance claims from policyholders was on full display during the 2017 NotPetya attack, which started in Ukraine, but had huge spillover effects on U.S. companies.   

In two major cases, insurance companies refused to cover claims by invoking “act of war” exclusions, due to the involvement of a nation-state actor. U.S. officials have attributed the NotPetya attack to Russia, but in a January 13 decision, a New Jersey court ruled that Insurance firm Ace did not provide enough notice about how the exclusion would be applied in shipping company Merck’s $1.7 billion property insurance policy. 

The Merck case is reportedly under appeal from Ace, which the court said should pay Merck’s claim of $1.4 billion in computer damages. More recently, The Record reported that insurance company Zurich is settling a $100 million lawsuit with snack food giant Mondelez after initially refusing to pay the latter’s NotPetya-related claim, given an act of war exclusion. 

Citing conversations with staff from the National Association of Insurance Commissioners, the May 2021 GAO report noted a lack of uniformity in the way the industry defined key policy terms, including an “act of war.” This ambiguity can result in misunderstandings and litigation between insurers and policyholders,” the GAO wrote, referring to lawsuits prompted by the NotPetya attack. 

Act of war exemptions were advocated by the reinsurance firm Lloyds of London in November of 2021. Reinsurance firms insure their insurance-industry clients’ ability to pay claims. Seeking to limit their exposure, insurance companies, following suit, continued to use the exclusion as an epidemic of ransomware plagued critical infrastructure providers. 

The industry also came under fire from some observers for reportedly encouraging policyholders to pay out ransom demands. And the Treasury department warned insurance companies could be in violation of U.S. sanctions by engaging with banned regimes like North Korea and Iran by proxy when they make such payments.

Insurance industry representatives say they’ve exercised greater scrutiny during their underwriting procedures in response to the rise in ransomware, and observers like Moody’s—the credit rating firm—reported that the war in Ukraine, along with ransomware, led to narrower coverage and higher premiums from the industry. Insurance representatives also note revisions Lloyds made to its bulletin in August advising the use of clearer “act of war” language in policies.

“We recognize that many managing agents in the market are already including clauses in their policies specifically tailored to exclude cyber-attack exposure arising both from war and non-war, state backed cyber-attacks,” the reinsurer wrote. “We wish to ensure, however, that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings … the complexities that can arise from cyber-attack exposures in the context of war or non-war, state backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust.”  

As the January court decision, the recent settlement agreement and supply-chain attacks like the SolarWinds hack spotlight the industry’s performance managing cybersecurity risks, insurance firms are promoting a federal response to supplement their coverage in the event of a catastrophic incident. 

“The insurance industry has come a long way in its understanding of cyber terrorism, [Hostile Cyber Activity] and cyber war, and assessing how to insure such risks,” reads a report the Geneva Association, an insurance-industry think tank published in January. “To expand the limits of insurability, insurers need to be proactive in assessing feasible options for sharing cyber risks, including with governments via [public-private partnerships]. Such collaborative efforts between insurers and governments will enable cyber protection gaps to be narrowed and ensure the full societal benefits of cyberspace can be realized.”

Referencing the notice from Treasury and CISA, global insurance firm Swiss Re expressed its support for a federal insurance program in a Nov. 8 report.

“Acts of cyber warfare, the disruption of a cloud provider of critical software or the deployment of malware through commonly-used software are examples of scenarios that could generate catastrophic losses,” the report reads, noting a “potential solution to help close the protection gap is to design a type of public private partnership (PPP) insurance scheme, where the coverage of systemic risks is split between insurers and a government(s)-backed fund.” 

Treasury and CISA are paying attention to the industry’s appeals. Their Sept.29 request for comment referenced the Geneva Association report, which suggested that a successful federal cyber insurance program must encourage entities to purchase cyber insurance. 

“​​To incentivize good cybersecurity, as much risk as possible should remain with firms and individuals and be underwritten by private insurers on commercial terms, with public-sector involvement limited to extreme loss outcomes,” the group said in its report. “Any government-backed solutions should not simply be a fiscal solution but also seek, with insurers, to promote adoption of cybersecurity best practices—including taking out appropriate insurance—in order to reduce the vulnerability of society to such risks.”

Treasury and CISA’s request for comment also asks how a federal insurance program can avoid creating a moral hazard, which they describe as “the possibility that either insurers or policyholders might take undue risks in reliance upon a federal insurance response or fail to implement cybersecurity controls.” 

In recommending the agencies report to Congress on the merits of a federal insurance program, the GAO advised caution regarding the moral hazard issue.