Should the United States Be Worried about Cyber Insurance Coverage?

Published On: September 6, 2022

While the cyber insurance market has grown in recent years, it may not be entirely prepared for certain major attacks, a United States government spending watchdog said. The U.S. Government Accountability Office (GAO) has called for a federal insurance response to catastrophic cyber-attacks on critical infrastructure. The GAO stresses that a functioning insurance market is essential for businesses, consumers, and critical infrastructure operators. The GAO, responsible for auditing the trillions of dollars the U.S. government spends each year, cautions that private insurers and the U.S. government’s official terrorism risk insurance, the Terrorism Risk Insurance Program (TRIP), might not be able to cover the calamitous financial loss from rising cyber-attacks.

The spokesman for GAO said, “Cyberattacks may not meet the program’s criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified.”

Due to the vagaries involved in attribution and policy language, ransomware and insurance are uncertain issues. Ransomware, while mostly driven by cybercriminals, has cost victims millions of dollars, and most attacks are officially attributed by Western governments to the Russian, North Korean, and Chinese governments. According to Red Sky Alliance, some insurers have used these official attributions to avoid payouts to the victims of these cyber-crimes, arguing that those incidents can be construed in court as an act of war, which cyber policies do not cover.

Insurance policies cover acts of terrorism, but with clauses that limit coverage to acts of certified violence. With Russia’s ongoing invasion of Ukraine, the question of insurance is an even bigger concern for the United States government due to fears of attacks by Kremlin-backed hackers on U.S. organizations in response to U.S. sanctions on Russia and Russian business.

When the market for cyber insurance for enterprises potentially fails to support businesses, how should the U.S. and GAO respond? The GAO report summarized, “Any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants.”

According to the GAO, some insurance firms are “ring-fencing” their policies to protect themselves from incidents that cause systemic problems. For example, insurers do not cover attacks that technically fall into the category of warfare. The GAO says TRIP is the “government backstop for losses from terrorism.” While TRIP does offer some protection when combined with cyber insurance, “both are limited in their ability to cover potentially catastrophic losses from systemic cyberattacks.”

“Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware,” the GAO said. “However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program’s criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified.”

According to recommendations by the GAO, the Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity authority for federal agencies, should work with the Director of the Federal Insurance Office to “produce a joint assessment for Congress on the extent to which the risks to the nation’s critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response.”

Overall, all organizations must be prepared for any and all cyber-attacks, as insurance coverage may not cover any losses at all. According to this article from Reinsurance News, “As capacity tightens and cyber market pricing continues to harden, it is now becoming more acceptable for re/insurers to make base resilience requirements of insureds, such as by asking clients to secure better protection and boost their preparedness before insuring a risk.”

A comprehensive security posture helps to establish clarity on the base resilience for your cybersecurity program while informing priorities and level of investment to shore up areas of deficiency. If you would like to learn more about generating your own cybersecurity resilience baseline at a fraction of the effort and time, reach out to the team at TrustMAPP.
