Two US authorities have agreed to examine the potential need for a federal mechanism – analogous to the one introduced for terrorism insurance after the 9/11 attacks – to address the growing cyber security threat to critical infrastructure. The perceived need to do so speaks to the growing complexity and interconnectedness of this and other risks that governments, companies and societies face today.
The Government Accountability Office (GAO) recommended in a recently published report that the Treasury’s Federal Insurance Office (FIO) and Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) take this action. The report acknowledges that the FIO and CISA have “taken steps to understand the economic consequences of growing cybersecurity risks” – but these measures have not included assessing the possible need for a federal insurance mechanism.
“Cyber insurance and the Terrorism Risk Insurance Program (TRIP) – the government’s backstop for terrorism losses – are both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks,” the GAO report said. “Cyber insurance can offset the costs of some of the most common cyber risks, such as hacking and ransomware. But private insurance companies have taken steps to limit their potential losses from systemic cyber incidents.”
Insurance companies exclude coverage for losses from cyber warfare and infrastructure disruptions, the report notes, and cyber attacks may not meet TRIP’s criteria for being certified as terrorism.
As we have previously reported, some in the national security world have compared US cyber security preparedness today with its preparedness for terrorist attacks before 9/11. Prior to September 11, 2001, terrorism coverage was included in most commercial real estate policies as a “silent” risk – not specifically excluded and therefore covered. Afterwards, insurance companies began to exclude terrorist acts from their policies, and the US government established the Terrorism Risk Insurance Act (TRIA) to stabilize the market. TRIA created TRIP as a temporary system for shared public and private compensation for certain insured losses resulting from a certified terrorist act.
Treasury administers the program, which must be reauthorized periodically. TRIP has been renewed four times – 2005, 2007, 2015 and 2019 – and the backstop has never been triggered.
GAO’s recommendation that a similar solution be considered for cyber risk highlights the potential inadequacy of traditional risk transfer products to deal with increasingly complex and costly threats. In addition to terrorism and cyber, we have experienced – and continue to experience – the myriad dangers of the pandemic, with its various effects on the global supply chain, driving behavior, business interruptions and teleworking, as well as the economy. Even if these challenges are mitigated, we will continue to face what are perhaps the most complex risks on the planet: those associated with climate and extreme weather.
One only needs to look as far as Florida, where the insurance market is on the verge of failure as writers of homeowners’ coverage begin to go bankrupt and global reinsurers reassess their appetite to provide capacity in the hurricane-prone, fraud- and litigation-plagued state. Or you can follow the wildfires of recent years; or trends in flood losses, which are increasingly creating problems inland, where the purchase prices for flood insurance tend to be lower than in coastal areas; or insured losses due to severe convective storms, which have increased in parallel with hurricane losses.
Fortunately, many states are taking action – often with partners, including the insurance industry – to anticipate and mitigate such risks. Much is being done, but much work remains to be done to change behaviors, best practices and public guidelines in a way that reduces risks and improves accessibility and affordability of coverage.