Critical infrastructure in the United States is still vulnerable to cyber attacks with limited insurance coverage available, said a government report released last week, but experts differ on how to address the problem.
Some say that the insurance industry should do a better job of addressing the threat of systemic risks to critical infrastructure, but others say a government backstop is needed.
A report issued last week by the US Government Accountability Office said there is limited capacity to cover potentially catastrophic losses from systemic cyberattacks against targets such as tools, financial services and pipelines.
Cybercrime insurance companies have taken steps to limit their losses from such attacks, and the Federal Terrorism Risk Insurance Program only covers cyberattack losses if they are considered terrorism, among other claims, the report said.
GAO called for an assessment of whether a federal insurance response is justified.
It is difficult to insure against risks that have a low probability of occurring but that have “massive consequences” if they do occur, says Stephen Lilley, a partner with Mayer Brown LLP in Washington.
Insurance companies have backed down from the exposures, says Stuart Panensky, a partner with FisherBroyles LLP in Princeton, New Jersey.
“There are a few insurers that continue to insure in the higher risk industries, subject to very strict issuance guidelines,” but, as the study points out, many insurance companies “will not touch it,” he said.
Insurance companies “strive to grow the market and promote what cyber insurance companies can do for policyholders. At the same time, they want to limit coverage, increase deductibles and retentions and lower limits,” says Peter Halprin, partner with Pasich LLP in New York.
Insurance companies “need to be clear in which direction they want to take this,” he said.
Private insurance companies should offer more stable coverage that protects organizations involved in critical infrastructure projects, and by extension everyone else who needs it, says Joshua Gold, a shareholder in Anderson Kill PC in New York.
“We need to address systemic risks, and until we do, we have an inherent problem out there,” said Nick Economidis, vice president of risk underwriting for Crum & Forster, a unit at Fairfax Financial Holdings Ltd., in Houston.
The industry should develop a long-term solution rather than “kick the can on the road,” he said.
The government should also play a role, according to some experts.
“There should be a state insurance program that protects against the kind of things that are uninsured in the private market,” just as the Federal Emergency Management Agency protects against major disasters, says Aaron Aanenson, Austin, Texas-based senior director and cyber insurance thought leader at cybersecurity rating firm BitSight.
Bridget Quinn Choi, New York-based head of incident response strategy at Booz Allen Hamilton Inc., said a backstop like the Federal Terrorism Insurance Program should be created.
The solution should define what constitutes cyberterrorism or cyber warfare and what rises to the level to trigger coverage, she said.
“This report is a step in the right direction,” said Quinn Choi.