The prospect of a federal insurance program or backstop for catastrophic cyber events is gaining momentum as the U.S. Treasury Department said in November it would initiate further studies in response to growing awareness of cyber terrorist threats to national security and the economy.
The notion of a federal program to address the cyber-threat issue is already simmering in a host of other federal agencies. In June, the Government Accountability Office published a report that concluded action was needed to assess the potential federal response to catastrophic cyberattacks and recommended the Treasury’s Federal Insurance Office (FIO) and the Cybersecurity and Infrastructure Security Agency (CISA) produce a joint assessment for Congress on the potential risks and possible need for federal insurance for catastrophic cyberattacks, much like the government’s Terrorism Risk Insurance program that is administered by the FIO.
In July 2023, the Biden Administration published a National Cybersecurity Strategy Implementation Plan that includes as a strategic objective the exploration of a “federal cyber insurance backstop” and identified the FIO as the responsible agency for assessing the need for and possible structures of a federal insurance response to catastrophic cyberattacks.
Last month, the FIO and the Volatility and Risk Institute at New York University’s Stern School of Business hosted a conference on Catastrophic Cyber Risk and a Potential Federal Insurance Response. A briefing paper on the conference prepared by the law firm of Eversheds Sutherland said the Treasury’s assistant secretary for financial institutions, Graham Steele, answered the question of whether there is a need for a federal insurance response to catastrophic cyber incidents with, “the final answer looks less like a straightforward ‘yes’ or ‘no’ than a more nuanced ‘it depends’” and indicated further exploration of the proper federal insurance response should be undertaken.
Cyber insurance market growing
So far, the briefing reported, Treasury has found the private market for insurance against cyber risk from losses other than those related to major catastrophes is dynamic and growing and, as a result, its assessment of a potential federal response will be focused on catastrophic risk options for a public-private collaboration or other federal response that “cabins” catastrophic risk along with the commercial market.
The Cybersecurity Insurance Data Analysis Working Group, established in 2014 by the FIO and Homeland Security, will reconstitute and establish a cyber repository where relevant federal agencies would be permitted to provide participating insurers with certain anonymized and/or aggregated information regarding cyber threats in order to more accurately price policies and to assist insureds with risk mitigation, according to FIO Director Steven Seitz.
The insurance industry is generally supportive of the repository, according to the legal briefing, but there are concerns about how to keep data anonymous and secure.
Steele said that the FIO will take a leadership role in the International Forum of Terrorism Risk (Re)Insurance Pools (IFTRIP), an umbrella organization for more than 15 international terrorism risk insurance pools and mechanisms that engage in the insurance or reinsurance of terrorism risk, and will host the 2024 IFTRIP Annual Conference in Washington, DC. Treasury also will host a conference in April to explore in more detail some specific ideas about the form of a federal response and may organize one or more informal groups of subject matter experts and key stakeholders on specific topics.
Left unanswered was what constitutes a catastrophic cyberattack, but it was largely assumed it would involve a massive, computerized attack on major institutions, such as banks or the stock market, as well as utilities or the nation’s power grids.
Doug Bailey is a journalist and freelance writer who lives outside of Boston.