While the cyber insurance market has grown in recent years, it may not be prepared for certain major attacks, a United States government spending watchdog said. The U.S. Government Accountability Office (GAO) has called for an assessment of whether a federal insurance response is needed for catastrophic cyber-attacks on critical infrastructure. The GAO stresses that a functioning insurance market is essential for businesses, consumers, and critical infrastructure operators. The GAO, responsible for auditing the trillions of dollars the U.S. government spends each year, cautions that neither private insurers nor the U.S. government's terrorism risk backstop, the Terrorism Risk Insurance Program (TRIP), may be able to cover the catastrophic financial losses that systemic cyber-attacks could cause.
The spokesman for GAO said, “Cyberattacks may not meet the program’s criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified.”
Because attribution is uncertain and policy language varies, the interaction between ransomware and insurance is unsettled. Ransomware, while mostly driven by cybercriminals, has cost victims millions of dollars, and Western governments have officially attributed a number of high-profile attacks to the Russian, North Korean, and Chinese governments. According to Red Sky Alliance, some insurers have used these official attributions to avoid payouts to the victims of these crimes, arguing that such incidents can be construed in court as acts of war, which cyber policies do not cover.
Insurance policies cover acts of terrorism, but with clauses that limit coverage to acts certified as terrorism, which must be violent or coercive in nature. With Russia's ongoing invasion of Ukraine, the question of insurance is an even bigger concern for the United States government because of fears that Kremlin-backed hackers will target U.S. organizations in response to U.S. sanctions on Russia and Russian businesses.
If the enterprise cyber insurance market fails to support businesses, how should the U.S. government respond? The GAO report summarized, “Any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants.”
According to the GAO, some insurance firms are “ring-fencing” their policies to protect themselves from incidents that cause systemic problems. For example, insurers exclude attacks that fall into the category of warfare. The GAO describes TRIP as the “government backstop for losses from terrorism.” While TRIP and cyber insurance together offer some protection, “both are limited in their ability to cover potentially catastrophic losses from systemic cyberattacks.”
“Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware,” the GAO said. “However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program’s criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified.”
The GAO recommends that the Cybersecurity and Infrastructure Security Agency (CISA), the operational cybersecurity lead for federal civilian agencies, work with the Director of the Federal Insurance Office to “produce a joint assessment for Congress on the extent to which the risks to the nation’s critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response.”
Overall, organizations must be prepared for cyber-attacks on the assumption that insurance may not cover their losses. According to Reinsurance News, “As capacity tightens and cyber market pricing continues to harden, it is now becoming more acceptable for re/insurers to make base resilience requirements of insureds, such as by asking clients to secure better protection and boost their preparedness before insuring a risk.”
A comprehensive security posture helps to establish clarity on the base resilience for your cybersecurity program while informing priorities and level of investment to shore up areas of deficiency. If you would like to learn more about generating your own cybersecurity resilience baseline at a fraction of the effort and time, reach out to the team at TrustMAPP.