US mulls national cyber backstop for cat risks

The US government is seeking feedback on creating a national cyber insurance program to cover catastrophic cyber attacks, in order to fill a gap left by the private cyber insurance market.

The Treasury Department said Thursday that it is looking for public comments on cyber security issues concerning cross-sector cyber attacks and whether currently available cyber insurance is affordable for businesses. Feedback can be submitted until Nov. 14.

The Treasury’s Federal Insurance Office is doing the research in light of a Government Accountability Office report published in June, which asked the departments of the Treasury and Homeland Security to address catastrophic cyber risks. 

Currently, there are several programs in which the US government, either at the state or the federal levels, provides or mandates insurance coverage. This includes the National Flood Insurance Program, the Federal Crop Insurance Program, and the Terrorism Risk Insurance Program.

“Cyber insurance is an increasingly significant risk-transfer mechanism, and the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency,” said Steven Seitz, the director of the Federal Insurance Office, adding: “Through underwriting and pricing, insurers can encourage or even require policyholders to implement strong cybersecurity standards and controls.”

According to a 2020 study by the Department of Homeland Security, the US could suffer between $2.8bn and $1trn in losses from one severe cyber-attack. The data was provided by Lloyd’s of London. 

Insurers are very concerned about systemic cyber threats such as these, and have worked to remove coverage for cyber attacks arising from acts of war, for example. Recently, Lloyd’s required all insurers selling from its marketplace to stop offering coverage for nation-state backed cyber attacks starting March 2023.

The Treasury is looking for comment on the type of cyber incidents that could have a catastrophic effect on US critical infrastructure, how frequent they could be, and their severity. It is also seeking comment on the scope of coverage the government should provide.

“For example, should it be limited to certain critical infrastructure sectors, size(s) of policyholder permitted to participate, policyholder retentions or deductibles, any required coverages, limits, deductibles, etc?,” it asks, adding: “Should coverage be limited to or differentiate whether a firm is US-based or the infrastructure is located within the US?”

The Treasury said it also wants to know what limitations currently exist on private coverage of catastrophic cyber events, and whether existing programs like TRIP or the NFIP could serve as a model for cyber.

It is also seeking comment on whether reinsurance arrangements, including capital markets participation, should be involved.

And the Treasury has also asked what data companies are willing to share and what cybersecurity measures they think are most effective to counter severe cyber incidents.
