The U.S. Treasury Department is seeking public comment on the need and scope for a potential federal insurance response to catastrophic cyber incidents, akin to the one put in place for terrorism insurance after the attacks of September 11, 2001.
In its request for comment, the agency is seeking public input until November 14, 2022 on whether risks to critical infrastructure stemming from catastrophic cyberattacks “warrant a federal insurance response.” The request, published by the Federal Insurance Office (FIO) in the U.S. Department of Treasury, stems from a June 2022 Government Accountability Office (GAO) report which recommended that the FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) jointly assess the issue and secure public comments related to cyber insurance and catastrophic cyber incidents.
The request noted the increasingly significant frequency and severity of cyberattacks on critical infrastructure, the effects of which “can spill over from the initial target to economically linked firms – thereby magnifying the damage to the economy.” It also observed that the ability of the private cybersecurity market to absorb such losses – estimated at up to $1 trillion per event for the United States – is limited. See GAO report at 25.
The parallels to the terrorism insurance market are clear. In response to the attacks of 9/11, many insurers began to include express terrorism exclusions in their policies. The U.S. government responded by establishing the Terrorism Risk Insurance Act (TRIA) to help stabilize the market. TRIA created the Terrorism Risk Insurance Program (TRIP) as a temporary means to share public and private compensation for certain insured losses from certified acts of terrorism. Treasury administers the TRIP program, which is authorized through 2027 and has a cap on government assistance of $100 billion per year. TRIP has yet to be triggered.
The GAO report noted that cyber insurers have limited their exposures to systemic cyber incidents in several ways, including by lowering policy limits, creating higher premium rates, excluding potential systemic events, and limiting coverage for critical infrastructure. The report recommended that a federal insurance solution be considered for catastrophic cyber risks and that the FIO and CISA solicit public comment thereon.
The Request for Comment
The request is seeking comments on “the risks of catastrophic cyber incidents to critical infrastructure, the potential quantification of such risks, the extent of existing private market insurance protection for such risks, whether a federal insurance response is warranted, and how such a federal insurance response, if warranted, should be structured.” It acknowledges that most regulation of insurance occurs at the state level, but cites several federal insurance programs, including TRIP, the National Flood Insurance Program, and the Federal Crop Insurance Program, in which residual markets are created and obligations spread across the industry in some fashion. Additionally, the request contemplates whether a federal response should be outside of TRIP, or should interact with or be part of TRIP.
The request highlights several topics for discussion, including:
- What is a “Catastrophic” Event: What types of “catastrophic” cyber incidents could justify a federal insurance response, and how should FIO define “catastrophic”? FIO notes that “catastrophic” typically relates to the magnitude of the loss, its dispersion among multiple entities, and the degree of critical services affected.
- Measuring Financial and Insured Losses: What amount of financial losses should be deemed “catastrophic”?
- Cybersecurity measures: What cybersecurity measures would most effectively reduce catastrophic cyber incidents?
- Current coverage: What insurance coverage is currently available for catastrophic cyber incidents?
- Structure of federal response: What structures should be considered by FIO and CISA for a potential federal insurance response?
Comments are due November 14, 2022. Insurers should closely monitor developments in the area and consider submitting comments if warranted. Your Sidley team can help in this regard.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.