CISA, Treasury Department seek public comment on potential federal insurance response to catastrophic cyber incidents

The Federal Insurance Office (FIO) within the U.S. Department of the Treasury, together with the Cybersecurity and Infrastructure Security Agency (CISA), has requested public comment on whether a federal insurance response to catastrophic cyber incidents may be warranted. The agencies also seek input on how such an insurance response should be structured and on other related issues.

FIO has also increased its data collection concerning the Terrorism Risk Insurance Program (TRIP) and supported the development of the Treasury’s counter-ransomware strategy. The agency intends to assess potential federal insurance responses outside of TRIP but will also consider how potential responses could interact with or be part of TRIP. 

State and federal governments have responded in various ways to situations in which the private market cannot provide sufficient or affordable insurance, and FIO seeks input on a wide range of options and potential response structures, according to a notice published in the Federal Register on Thursday. 

Among other things, FIO is seeking comment on issues concerning the risks of catastrophic cyber incidents to critical infrastructure, the potential quantification of such risks, the extent of existing private market insurance protection for such risks, whether a federal insurance response is warranted, and how such a federal insurance response, if warranted, should be structured.

The FIO has sought public comment on catastrophic cyber incidents and the potential federal insurance response to them. The agency is looking for feedback on what types of cyber incidents could have a catastrophic effect on U.S. critical infrastructure and how likely such incidents are. It also seeks to ascertain whether any sectors of U.S. critical infrastructure are more susceptible to such incidents, and how the federal government and/or the insurance industry should address the potential for cascading, cross-sector impacts from a cyber incident. Finally, it asks what type of potential catastrophic cyber incident could justify creating a federal insurance response.

The notice also addresses the measurement of financial and insured losses. It seeks responses on what data and methodologies the federal government and/or the insurance industry could use to predict, measure, and assess the financial impact of catastrophic cyber incidents. It also asks what amount of financial loss should be deemed catastrophic for the purposes of any potential federal insurance response, and how the FIO should measure and assess potential insured losses from catastrophic cyber incidents.

The FIO also intends to gather information on which cybersecurity measures would most effectively reduce the likelihood or magnitude of catastrophic cyber incidents. Additionally, it will look into measures the federal government could adopt to incentivize or require policyholders to implement those cybersecurity measures.

The FIO notice also asks what insurance coverage is currently available for catastrophic cyber incidents, what the current limitations on such coverage are, and which rationales have been (or likely would be) used to deny coverage for such incidents. It also seeks an assessment of whether the private market currently makes insurance for catastrophic cyber incidents available in the form policyholders want, in terms of the limits, the scope of coverage, and the type and size of businesses seeking coverage.

The Federal Register notice also seeks feedback on what data the public would be willing to share with FIO and/or CISA for use in their assessment of catastrophic cyber incidents and cyber insurance. It also asks what other information regarding such cyber incidents and cyber insurance FIO and CISA should consider, and what kinds of data FIO and/or CISA should consider collecting to inform this assessment and their ongoing work. Additionally, the notice seeks comment on whether a federal insurance response to catastrophic cyber incidents is warranted, along with its merits and drawbacks.

The FIO notice asks what potential structures FIO and CISA should consider for a federal insurance response to catastrophic cyber incidents. It calls on the public to address potential models, participation, the scope of coverage, and the cybersecurity and/or cyber hygiene measures that would be required of policyholders under such a structure. It also draws attention to moral hazard risks, risk sharing, reinsurance and capital markets, funding issues, evaluation, and potential limitations, including risks that insurers might remain unwilling to insure even if a federal response supporting such coverage were adopted.

The FIO notice also seeks public comment on the effects on the cyber insurance market. In particular, it asks how a federal insurance response might affect the availability and affordability of cyber insurance across the entire insurance market, and whether there would be an effect on any part of the cyber insurance market that would remain outside the scope of a federal insurance response.

In June, the U.S. Government Accountability Office (GAO) released a report recommending that the FIO and CISA jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment. Both agencies agreed with the recommendation.

The GAO noted that the agencies have taken steps to understand the financial implications of growing cybersecurity risks, but have not yet assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response. FIO is also coordinating with the White House Office of the National Cyber Director on these issues.

Last month, Lloyd’s of London said that it is set to introduce exclusions from cyber insurance coverage for ‘catastrophic’ state-backed attacks from 2023, as cyber-attack risks involving state actors have additional features that require consideration. While the insurer stated that it ‘remains strongly supportive of the writing of cyberattack cover,’ it recognizes that ‘cyber-related business continues to be an evolving risk.’

The London-based firm pointed to ‘the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.’

Moreover, with rising ransomware attacks and the payouts that follow them, insurers are forced to find ways to limit their risk or go out of business. The move to limit systemic risk in the insurance market has prompted warnings that it will lead to legal disputes over whether specific attacks had state support, while further restricting cover that is vital to businesses.
