CISA, FIO must assess potential federal insurance response to cyber attacks, financial exposures

A report by the U.S. Government Accountability Office (GAO) said that the Department of the Treasury’s Federal Insurance Office (FIO) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) should jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment. Both agencies have agreed with the recommendations.

Furthermore, the two agencies have taken steps to understand the financial implications of growing cybersecurity risks. “However, they have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response,” according to the GAO report. 

The GAO report made two recommendations, one each to CISA and FIO. Specifically, the CISA director should work with the FIO director to produce a joint assessment for Congress on the extent to which the risks to the nation’s critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response. 

The second recommendation is that the FIO director must work with the CISA director to produce a joint assessment for Congress on the extent to which the risks to the nation’s critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response.  

The GAO report said that both CISA and FIO have taken some steps to assess the financial implications of catastrophic cyberattacks, but they have not fully assessed the extent to which the risks to the nation’s critical infrastructure from catastrophic cyber incidents, and the potential financial exposures from these risks, warrant a federal insurance response. 

“An assessment that joins CISA’s analysis of the cyber risks facing critical infrastructure with FIO’s insight and data on the private insurance market could inform Congress in its future deliberations,” GAO said. “In the event that Congress later decided to create or expand a federal mechanism to help cover such losses, applying our framework for providing federal assistance would help ensure that any response balanced and appropriately safeguarded public and private interests,” the report added.

While CISA is the primary risk advisor on critical infrastructure, FIO is the federal monitor of the insurance sector. Both agencies are therefore well positioned to jointly perform such an assessment. Doing so and reporting the results to Congress can inform deliberations on whether a federal insurance response is warranted.

“If such a response were deemed necessary, GAO’s framework for providing federal assistance to private market participants could help inform its design. The framework notes the need to define the problem, mitigate moral hazard (that the existence of a federal backstop could result in entities taking greater risks), and protect taxpayer interests,” the GAO report said. 

The GAO carried out the study because evolving cyber threats to critical infrastructure represent a significant economic challenge. Although cyber incident costs are paid in part by the private cyber insurance market, growing cyber threats have created uncertainty in this evolving market. Consistent with the elements of its framework, any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants, according to the report.

The congressional watchdog said in its report that some private insurance companies offer businesses and other entities cyber insurance to protect against losses stemming from cyberattacks. However, growing cyber risks have created uncertainty in the evolving cyber insurance market. Last May, the agency reported that the limited availability of historical loss and cyber event data, lack of common definitions in policy language, and potential for cyber incidents to incur aggregated losses continue to challenge the cyber insurance industry. 

Additionally, the agency and others have raised questions about the extent to which the Terrorism Risk Insurance Act of 2002 (TRIA) might help address cyber losses. “For example, we previously reported that some industry participants were unsure about the likelihood of the Department of the Treasury certifying cyberattacks as acts of terrorism. This was because the department has never certified any event under TRIA and cyberattack characteristics may not readily meet the act’s certification requirements,” the report added.

The Further Consolidated Appropriations Act, 2020, includes a provision for GAO to study cyber risks to U.S. critical infrastructure and the insurance available for these risks. The report examines the extent to which cyber risks for critical infrastructure exist, private insurance covers catastrophic cyber losses, the Terrorism Risk Insurance Program (TRIP) provides a backstop for such losses, and cognizant federal agencies have assessed a potential federal response to cyberattacks. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements.

The agency also reviewed cyber insurance coverage literature and reports on cyber risk and the insurance market. GAO interviewed CISA and FIO officials and industry stakeholders, including critical infrastructure owners, insurers, and brokers, that were selected based on factors such as expertise and market share.

“As of May 2022, legislation had not been introduced in Congress to create a federal insurance response to help address systemic or catastrophic cyber events,” the GAO report said. “However, if Congress were to consider such legislation in the future, our previously developed framework for providing federal assistance to private market participants could help inform its design,” it concluded. 
