The potential creation of a federal backstop for commercial cyber insurance markets in the wake of a catastrophic cyber event has received support from risk management and insurance industry organizations.
The terrorism backstop formed after the Sept. 11, 2001, terrorist attacks can serve as a basic model for a cyber backstop, but factors such as funding and coverage structure must be addressed, advocates say.
Last month, the Risk & Insurance Management Society Inc. sent a comment letter to the U.S. Treasury Department’s Federal Insurance Office, saying its members “overwhelmingly supported” the creation of a federal cyber insurance backstop.
The letter was in response to a Sept. 29 Treasury Department notice seeking comments “on issues related to cyber insurance and catastrophic cyber incidents.” The first deadline for comments was 14 November, which was extended to 15 December.
“Cyber insurance is a significant risk transfer mechanism, and the insurance industry has an important role to play in strengthening cyber hygiene and building resilience,” the Treasury statement said.
The announcement followed a June report by the Government Accountability Office recommending that the FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency conduct a joint assessment to determine “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.”
Bryan Cunningham, executive director of the Cybersecurity Policy & Research Institute at the University of California, Irvine, said he supports some role for the federal government in dealing with catastrophic cyber exposures. “I think we have to have it,” he said. Details of the thresholds, funding and other considerations are “not yet determined, but it should be there,” he said.
Mr. Cunningham previously served as Deputy National Security Advisor in the George W. Bush administration under Condoleezza Rice and was involved in the drafting of the Homeland Security Act after 9/11.
He suggested that the Terrorism Risk Insurance Act of 2002, which provided federal reinsurance coverage for insurers providing property/casualty coverage, could serve as a reference point because the language of the act has survived five reauthorizations and the program was successful in achieving its goal of stabilizing real estate markets after the attacks. The trigger for TRIA coverage started at $50 billion but rose to $200 billion in its most recent reauthorization, in 2019.
Lynn Haley Pilarski, RIMS external committee chair and senior risk manager at General Motors Co., said TRIA fulfilled its mandate to stabilize commercial property insurance markets in the wake of the 9/11 devastation and that “risk managers are always looking for ways to improve coverage conditions, increase capacity and stabilize insurance markets.”
Both Mr. Cunningham and Mrs. Pilarski said that attention should be paid to the definition of war in any backstop, particularly regarding coverage language and exclusions. The definition should not be so broad as to allow overly broad or restrictive language for exclusionary coverage, they said.
Dale Porfilio, chief insurance officer for the Insurance Information Institute in New York, said the organization “views cyber as one of the most significant risks facing society and the insurance industry, and is concerned about a catastrophic cyber event on the scale of natural disasters like hurricanes and earthquakes.” He said events like the 2021 Colonial Pipeline shutdown, where an energy supplier was hit by a ransomware attack, showed the potential risk of “bad actors or nation-states attacking major infrastructure like the U.S. power grid.”
A significant attack on infrastructure “could far exceed current cyber coverage in the private market,” Mr. Porfilio said. “We believe the federal government should invest in cyber risk mitigation of national and community infrastructure as well as preventing cyber attacks by nation states and terrorist groups.”
Mr. Porfilio said “the potential benefit of a federal cyber insurance program like TRIA depends a lot on how it’s structured and funded. We wouldn’t want it to displace or inhibit the growth of the private cyber insurance and reinsurance market.”
A program like TRIA can be beneficial if it provides “umbrella coverage across the private market without adding unnecessary costs or administrative burdens to policyholders and insurers,” Mr. Porfilio said.
The American Property Casualty Insurance Association is formulating its full response to the FIO’s request for comment but expressed initial support for the process.
“This is an important issue and an important issue for insurers. We will be submitting formal comments and welcome an ongoing dialogue with the administration,” said Nat Wienecke, senior vice president of federal government relations for APCIA.