Risk management and insurer groups urge US cyber backstop

A potential federal backstop for commercial cyber insurance markets in the wake of a catastrophic cyber event has drawn support from risk management and insurance industry organisations during recent weeks.

The terrorism backstop formed after the 11 September 2001 terrorist attacks could serve as a basic model for a cyber backstop, but factors such as funding and the structure of coverage need to be addressed, proponents say.

Last month, Rims sent a comment letter to the US Treasury Department’s Federal Insurance Office (FIO), saying its members “overwhelmingly supported” the creation of a federal cyber insurance backstop.

The letter was in response to a 29 September notice from the US Treasury, seeking comments “on questions related to cyber insurance and catastrophic cyber incidents”. The initial deadline to submit comments was 14 November but was extended to 15 December.

“Cyber insurance is a significant risk transfer mechanism, and the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency,” the Treasury notice said.

The notice followed a June report from the Government Accountability Office recommending that the FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency conduct a joint assessment to determine “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response”.

Bryan Cunningham, executive director of the Cybersecurity Policy & Research Institute at the University of California, said he supports some role for the federal government in the management of catastrophic cyber exposures. “I think we have to have that,” he said. Details of the thresholds, funding and other considerations are “yet to be determined, but it should be there”, he argued.

Cunningham previously served as deputy national security adviser in the George W Bush administration under Condoleezza Rice, and was involved in drafting the Homeland Security Act after 9/11.

He suggested that the Terrorism Risk Insurance Act (TRIA) of 2002, which provided federal reinsurance coverage for property insurers, could serve as a reference point because it has survived five reauthorisations and the programme was successful in achieving its goal of stabilising insurance markets after the attacks. The trigger for TRIA coverage began at $50bn but rose to $200bn at its most recent reauthorisation in 2019.

Lynn Haley Pilarski, chair of Rims’ external affairs committee and senior risk manager at General Motors, said TRIA fulfilled its mandate of stabilising commercial property insurance markets in the wake of the 9/11 devastation and that “risk managers are always looking for ways to improve coverage terms, increase capacity and stabilise insurance markets”.

Both Cunningham and Pilarski said attention should be paid to the definition of war in any backstop, especially as it pertains to coverage language and exclusions. The definition should not be so broad as to allow overly broad or restrictive exclusionary coverage language, they said.

Dale Porfilio, chief insurance officer for the Insurance Information Institute in New York, said the organisation “considers cyber to be one of the most significant risks facing society and the insurance industry, and is concerned about a catastrophic cyber event on the scale of natural catastrophes like hurricanes and earthquakes”.

He said events like the Colonial Pipeline shutdown in 2021, in which an energy provider was hit by a ransomware attack, showed the potential risk for bad actors or nation states to attack major infrastructure like the US power grid.

A significant attack on infrastructure “could far exceed current private market cyber coverage”, Porfilio said. “We believe the federal government should invest in cyber risk mitigation of national and community infrastructure, as well as preventing cyberattacks by nation states and terrorist groups,” he added.

Porfilio said “the potential benefit of a federal cyber insurance programme like TRIA depends greatly on how it is structured and funded”.

“We would not want it to replace or inhibit growth of the private cyber insurance and reinsurance market,” he added.

A programme like the TRIA could be beneficial if it provided cyber “umbrella coverage above the private market without adding undue cost or administrative burdens for policyholders and insurance carriers”, Porfilio said.

The American Property Casualty Insurance Association (APCIA) is in the process of formulating its complete response to the FIO request for comment on a cyber backstop, but expressed initial support for the process.

“This is an important issue and top of mind for insurers. We will provide formal comments and welcome an ongoing dialogue with the administration,” said Nat Wienecke, senior vice-president of federal government relations for the APCIA.

This article first appeared on our sister website Business Insurance.