The Government Accountability Office (GAO) says the Department of Homeland Security (DHS) and the Department of the Treasury should assess whether a federal response is needed to address insurance against cyber attacks.
Critical infrastructure has become more vulnerable to cyber attacks for reasons that include the growing use of interconnected electronic systems. At the same time, threat actors including nation states, criminal groups, and terrorists have stepped up their capabilities to carry out cyber attacks on critical infrastructure. Attacks of this kind are increasing both in frequency and in cost.
According to the U.S. Intelligence Community's 2022 Annual Threat Assessment, China, Russia, Iran, and North Korea pose the greatest cyber attack threats to U.S. critical infrastructure. For example, CISA has warned that Russia's invasion of Ukraine could affect organizations both within and beyond the region, including the United States, and that every organization must be prepared to respond to disruptive cyber activity.
Additionally, in 2022, the Federal Bureau of Investigation observed that several ransomware groups had developed code designed to halt critical infrastructure or industrial processes. The threat is constantly evolving, and criminal groups are becoming still more capable, particularly as they adopt advances in artificial intelligence.
Cyber insurance can help offset the costs of some common cyber risks, such as data breaches or ransomware. But cyber risks are growing, and cyber attacks targeting critical infrastructure, such as utilities or financial services, could affect entire systems and result in catastrophic financial loss. GAO is concerned that neither private insurers nor the government's terrorism risk insurance may be able to cover such losses. For example, the government's Terrorism Risk Insurance Program (TRIP) may cover a cyber attack only if the attack is certified as "terrorism" under the program's criteria, which require, among other things, that an attack be violent or coercive in nature.
GAO's performance audit, conducted between March 2020 and June 2022, found that both TRIP and private cyber insurance are limited in their ability to cover potentially catastrophic losses from systemic cyber attacks. The watchdog found that private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. Many insurers have also increased premium rates in response to rising losses: the Council of Insurance Agents & Brokers reported a more than 34 percent increase in cyber premium rates from the third to the fourth quarter of 2021. One insurer told GAO that it opted not to insure the energy sector because energy operations can be attacked in multiple ways, and because it is concerned that energy operators do not follow robust cybersecurity protocols.
It is therefore conceivable that a cyber attack could cause substantial losses while meeting neither TRIP's certification criteria nor private insurers' terms of coverage.
Treasury's Federal Insurance Office (FIO) and the Cybersecurity and Infrastructure Security Agency (CISA) within DHS have both taken steps to understand the financial implications of growing cybersecurity risks, GAO said. In 2018, CISA issued a report assessing the cyber insurance market, which identified the core challenges constraining that market, including a lack of data, methodological limitations, and a lack of information sharing. In 2020, the agency reported on the costs and losses arising from cyber incidents. That report analyzed three sets of cyber incident studies, which estimated per-incident, nationally aggregated, or scenario-based costs and losses. The estimated impact of the scenarios ranged from $2.8 billion to $1 trillion per event for the United States.
However, the watchdog found that CISA and FIO have not assessed the extent to which the risks to critical infrastructure from catastrophic cyber incidents, and the potential financial exposures they create, warrant a federal insurance response. CISA is the primary federal risk advisor on critical infrastructure and FIO is the federal monitor of the insurance sector, so the two are well positioned to perform such an assessment jointly, which could inform deliberations on whether a federal insurance response is warranted.
CISA and FIO officials said one reason they have not yet assessed the need for a federal response to systemic cyber events is that they lack the data to do so. Nevertheless, they agreed that such an assessment is needed. DHS stated that it will review the aggregate data generated by incident disclosures under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 once that data is available, and will work with Treasury in the interim to determine what other data is needed. Treasury confirmed that it has begun collaborating on this effort.
If a federal response were deemed necessary, GAO suggests that its framework for providing federal assistance to private market participants (GAO-10-719) could help inform its design. The framework notes the need to define the problem, to mitigate moral hazard (the risk that the existence of a federal backstop leads entities to take on greater risk), and to protect taxpayer interests. Consistent with these elements, GAO recommends that any federal insurance response include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants.