APCIA Comments On FIO's Potential Federal Insurance Response To Catastrophic Cyber Incidents

CHICAGO, Illinois, Dec. 15 (TNSgov) -- The American Property Casualty Insurance Association issued the following statement on Dec. 14, 2022, and letter:

The American Property Casualty Insurance Association (APCIA), The Council of Insurance Agents and Brokers (CIAB), CyberAcuView, and The Wholesale & Specialty Insurance Association (WSIA) submitted a joint letter to the Federal Insurance Office (FIO) in response to its request for comments on a "Potential Federal Insurance Response to Catastrophic Cyber Incidents" (RFC). The following statement may be attributed to Nat Wienecke, APCIA's senior vice president of federal government relations:

"APCIA shares FIO's objectives to examine catastrophic cyber risk for critical infrastructure, however, we strongly believe consideration of a federal insurance program may be premature. First, the cyber insurance marketplace should be studied to identify whether there are specific long-term gaps impacting sectors that the private insurance market may not currently address. This is important to avoid the possibility of unintended consequences with developing a federal program. We look forward to continued engagement with FIO as it studies the cyber insurance market."

The letter is attached.

The American Property Casualty Insurance Association (APCIA) is the primary national trade association for home, auto, and business insurers. APCIA promotes and protects the viability of private competition for the benefit of consumers and insurers, with a legacy dating back 150 years. APCIA members represent all sizes, structures, and regions--protecting families, communities, and businesses in the U.S. and across the globe.

* * *

December 14, 2022

To: Steven E. Seitz, Director, Federal Insurance Office, U.S. Department of the Treasury, 1500 Pennsylvania Avenue NW, Washington, DC 20220

Re: Potential Federal Insurance Response to Catastrophic Cyber Incidents

Director Seitz,

The American Property Casualty Insurance Association (APCIA), The Council of Insurance Agents and Brokers (CIAB), CyberAcuView, and The Wholesale & Specialty Insurance Association (WSIA) appreciate the opportunity to offer our respective members' input to the Federal Insurance Office (FIO) in response to its request for comments on a "Potential Federal Insurance Response to Catastrophic Cyber Incidents" (RFC)./1

The insurance industry, business community, and government have shared interests in encouraging stronger cybersecurity and preventing cyber-attacks and cybercrime. Many APCIA, CIAB, CyberAcuView and WSIA members provide or broker cyber insurance products to their customers through a dedicated or stand-alone policy or in some multi-risk policies where cyber is included. Our organizations represent the admitted and nonadmitted markets, both of which offer robust coverage. Cyber events can result in significant costs to an impacted business, and insurance offers an opportunity to transfer some of the risks and associated costs. Cyber insurance is also a beneficial tool in an organization's overall toolbox to help advance risk awareness and to encourage and enable the clients we service to adopt robust security measures, thereby supporting our nation's resiliency.

The cyber insurance market is relatively young and is constantly evolving. While demand for cyber coverage has led to the market's growth, the U.S. cyber insurance market as a percentage of the total property and casualty market is still quite small. In the U.S., property & casualty insurance premiums totaled approximately $800 billion, with cyber premiums accounting for just over $6.5 billion of these premiums in 2021.2

Cyber insurance policies have evolved from an indemnity product to a service and indemnity product. Today's cyber policies are dedicated to offering first- and third-party coverage for costs arising from defined unauthorized cyber events such as a distributed denial of services attack, destruction of data whether through malware or human error, system failures, cyber extortion threats, a breach of personal information or others. Increasingly cyber policies may include loss control and risk engineering benefits such as pre-breach planning; employee training and testing; vulnerability assessments and alerting; post-event forensics; and legal expertise.

Insurance Coverage Availability

Cyber insurance is generally composed of several separate insuring agreements and coverages for various cyber-related exposures ranging from data breach, computer attack, loss of income, cyber extortion events, etc. Each insuring agreement can have its own limit of insurance and deductible but is also typically subject to a policy aggregate limit of insurance. Cyber extortion, including all losses that stem from an extortion event, reimburses the ransom if paid, and, when permissible, is sometimes written up to the full aggregate limit. However, in some cases it is written at a lower limit than the other coverages based on the maturity of an applicant's cybersecurity and to control the insurer's exposure to loss. More recently, some carriers have excluded ransomware exposures or added other terms and limitations. The terms for coverage of any specific risks are largely dependent on the quality of a policyholder company's overall cyber hygiene. Coverage is excluded for uninsurable risks, namely infrastructure failure and war.

For war, denial of coverage will often include consideration of whether the cyber-attack can be attributed to a state, dependent, of course, on the wording of the exclusion. In terms of infrastructure failure, coverage would be denied if first-party losses including business interruption would be claimed by an insured as a result of a failure or outage of utility services, most commonly electricity or telecommunication providers.

Similarly, we are witnessing the elimination of "silent cyber" coverage within traditional insurance policies that do not expressly indicate whether coverage is provided for losses associated with a cyber hack. In addition to creating uncertainty for policyholders, these policies pose challenges for underwriters in conducting risk assessments without a clear understanding of whether and how much cyber risk a policy covers. Recent efforts on silent coverage, led by Lloyds, seek to establish new best practices for the cyber market whereby all policies either affirm or exclude cyber.

Federal Insurance Response

FIO has identified a significant number of instructive questions to assist in the analysis of a potential federal insurance program for catastrophic cyber events. However, we posit that the threshold question in the RFC, is question 6 - Is a federal insurance response for catastrophic cyber incidents warranted?

Historically, federal insurance responses have been constructed when there has been clear evidence of a market failure within a specific peril or line that led to deleterious impacts. This is not the scenario for the cyber insurance market. In fact, the most recent NAIC Cyber Insurance Report states that the current cyber insurance market is expected to double in size every three years.3 Additionally, reinsurance is readily available and new carriers continue to enter the market. Nevertheless, we are presented with a unique opportunity to proactively evaluate and discuss how the federal government could assist through public-private partnership, if eventually needed.

The cyber insurance market is nascent and needs more time to develop to ascertain whether a federal response is appropriate. We strongly believe before further consideration of the questions surrounding the details of a federal insurance program occurs, the cyber insurance marketplace should be studied to identify whether there are specific long-term gaps impacting certain sectors that the private insurance market may not currently address. As such we want to avoid the possibility of unintended consequences associated with developing a program in the absence of further maturity in what is a rapidly developing market.

A study on the potential impacts of protection gaps, and whether and to what extent gaps exist, will be helpful. For example, is there a lack of understanding about whether coverage is unavailable or if it is limited? Cyber warfare or infrastructure outages are mostly excluded from insurance coverage (as they are in other established coverage lines), and there are other situations in which coverage may be limited (additional examples are provided below).

There needs to be additional time to consider in what other context a federal program could complement the private market. In order to narrow the scope to achieve this, we suggest analyzing scenarios such as an attack on critical infrastructure, as part of the joint assessment by FIO and the Cybersecurity and Information Security Agency (CISA).4 Such a review of the industries necessary to ensure our country's security and safety would be beneficial to consider how the government and private industry can work together to continue to enhance cyber hygiene.

Additionally, the information to study protection gaps by its nature must go beyond the insurance industry and should also include information that CISA and other industry sectors can provide to inform what scenarios and events may be catastrophic.

FIO should also be mindful of where a potential solution will free up capital to support the private market but in other instances fill a protection gap where industry reluctance may be insurmountable. Examples include events where coverage is provided but more meaningful limits are lower - (i.e., widespread events caused by a massive cloud outage or mass malware event) or events that are excluded which prevent policyholders from obtaining coverage - (i.e., cyber war, infrastructure outage). A clear understanding of the objectives and all potential outcomes will better inform if a government response is warranted, and if so, what it should look like.

Once this threshold analysis is complete the structural questions can be considered. It may be that a public private partnership is not needed at all. There may be information gleaned from a study that exposes non-insurance solutions related to improving overall cyber hygiene that businesses may implement. For example, attribution as to the perpetrator of a cyber-attack is a significant area of concern because it creates uncertainty, which keeps capital on the sidelines. While we recognize attribution may have political implications, perhaps a form of catastrophic event categorization could be developed obviating the need for attribution to a nation-state, so long as an event meets criteria of a pre-defined catastrophic event. This could provide some clarity for the market regarding attribution while being mindful of the political complications of attribution for the federal government. This creates a meaningful public-private partnership opportunity that does not necessitate a federal insurance program.

The following comments offer responses to the identified categories of questions raised in the RFC, but please note we continue to urge continued study focused on question 6 of the RFC.

Nature of Event

Catastrophic events should focus on widespread cyber events with accumulation exposure, i.e., the potential for a cyber incident affecting a significant portion of insureds to have severe or ultimately

unmanageable effects on an entire cyber portfolio. It is difficult to come up with an exhaustive or definitive list of the types of cyber incidents that are likely to have a catastrophic effect, not least because there has been no large-scale catastrophic cyber event to date and because of the constantly evolving threat landscape. Other types of scenarios typically envisaged and specifically managed and modelled for by insurers are a cloud outage, or widespread IT virus - again, both with the potential for strategic/critical infrastructure failure cascade - and, to a lesser extent, large-scale data breach. Further potential scenarios often mentioned in the insurance industry in the context of systemic risk include large-scale cloud ransomware at a leading cloud service provider, severe vulnerability or zero-day exploits, software supply chain exploits, etc.

Measuring Financial and Insured Losses

Within the insurance industry - both carriers and third-party vendors - spend a great deal of time and resources modeling and trying to understand such incidents. But there is still a lot of inherent uncertainty due to a lack of large historic events and lack of structured data. In the absence of actual catastrophic cyber events, predicting the impact of such incidents can only be done by modeling potential catastrophic events based on expert knowledge and judgment. Therefore, it is important to have a sound understanding about realistic scenarios, their likelihood, ability to spread, as well as impacts to the business and financials of the affected companies. Joint work and research by the government and insurers, with insurers developing their own cyber models with vendors on likely scenarios and underlying potential events would significantly enhance the understanding and modeling of catastrophic cyber incidents.

Cybersecurity Measures

Implementing minimum cybersecurity controls is the most effective way to reduce the likelihood or magnitude of catastrophic cyber incidents. Examples of the primary areas of focus for underwriters, include:

* Access control (deployment of multi-factor authentication (MFA), privileged access management, remote access such as RDP and VPN).

* Incident response readiness (deployment of endpoint protection and response tools, documented breach response and ransomware playbooks, tabletop exercises, and employee training).

* Business resiliency and redundancy (supply chain risk management, network segmentation, operational technology (OT) management, data backup strategy).

The development of cyber resilience, back-up and recovery, and incident response strategies would all reduce the magnitude of cyber incidents. The federal government could continue to promote and encourage best practices for cyber hygiene, as well as recommendations for recovery and response, in the interest of building a more sustainable cyber insurance market.

Data and Research

Existing data only applies to known threat vectors and not future threat vectors. Because society continues to evolve the way technology is used, new threat vectors will continue to emerge and new ways of avoiding, mitigating, or minimizing future threat vectors will evolve as well.

In order to understand the extent of the risk and potential for a catastrophic event, government data on the overarching threat environment (especially nation state) and tensions should be shared with the industry/private sector. Also, many uncertainties remain regarding the prediction of the potential financial impact of a widespread cloud outage. Therefore, data regarding the use of the various cloud providers in different sectors, size of clients and the business dependency on cloud services are necessary for modeling this systemic risk with confidence.

Data held by vendors of antivirus, antimalware, Endpoint Detection and Response (EDR) solutions, as well as from managed service providers and cyber incident response firms may present a broader picture of incidents.

Potential Structures for Federal Insurance Response

We believe it is premature to explore the details of a federal insurance response without conducting a thorough study of the threshold questions raised above to determine where, if at all, such a response is needed. Nevertheless, experience with the Terrorism Risk Insurance Program (TRIP) suggests that if a federal insurance program for catastrophic cyber risks was warranted, we would have concerns with a TRIP-like structure. For example, "mandatory make available" may not work, because it is hard to know what types of perils that may be under consideration for such a structure that insurers would be willing to cover in whole, in part, or at all. Additionally, a TRIA-like certification requirement may not be workable. In sum, should such a system be contemplated, a TRIA-type approach may not be the right solution even if federal involvement is appropriate.

Effects on Cyber Insurance Market

The cyber insurance market is relatively young and evolving. As previously noted, the current market is expected to double in size every three years. Reinsurance is available and new carriers are entering the market. Establishing a federal program would need to identify specific long-term gaps that the private sector cannot address. If the program truly addresses gaps not provided in the private market, then the impacts to the market may be positive. There also may be no change to the availability of cyber insurance as the gaps that would be identified are not currently priced by insurers.

Conclusion

The undersigned organizations appreciate the opportunity to provide comments to the FIO on this important analysis of the cyber insurance market. The study should also evaluate any potential impacts to the cyber insurance markets, positive or negative, in order to ensure no harm is done to any stakeholders. A thoughtful, deliberative approach to the study will help to prevent unintended consequences.

The insurance industry shares FIO's objectives and looks forward to continued engagement with FIO as it studies the cyber insurance market. Thank you for your consideration of our comments.

Respectfully submitted,

American Property Casualty Insurance Association

The Council of Insurance Agents and Brokers

CyberAcuView

The Wholesale & Specialty Insurance Association

1/ https://www.federalregister.gov/documents/2022/09/29/2022-21133/potential-federal-insurance-response-to-catastrophic-cyber-incidents

2/ NAIC Report on the Cyber Insurance Market, October 18, 2022

3/ Ibid

4/ GAO Report "Cyber Insurance Action Needed to Assess Potential Federal Response to Catastrophic Attacks", June 2022

* * *

Original text here: https://www.apci.org/media/news-releases/release/73981/