Insurance companies and the federal government’s terrorism risk insurance may not be able to cover cyber-attacks targeting critical infrastructure, and cyber-insurance companies are taking steps to limit their losses in such cases, the U.S. Government Accountability Office said in a report issued Tuesday that calls for an assessment of whether a federal response is needed.
U.S. critical infrastructure, including tools, financial services and pipelines, faces increasing cybersecurity risks, and the effects of such incidents can spread from the initial attack to economically interconnected companies, compounding the economic damage, the report warns, pointing to the May 2021 Colonial Pipeline Co. attack.
Cyber insurance and the federal government’s backstop, the Terrorism Risk Insurance Program, are both limited in their ability to cover such losses, the report said.
Cyber insurance can offset the costs of common cyber risks such as hacking and ransomware, but private insurance companies “have taken steps to combat their potential losses from systemic cyber incidents”, for example by excluding coverage for cyber warfare and infrastructure disruption, the report says, while the federal program covers cyberattacks only if they are considered terrorism.
The report recommends that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Department of Finance’s Federal Insurance Office work together to produce a joint assessment for Congress on the extent to which a federal insurance response is warranted.