US Government Considers Cyber Insurance Backstop Exploration

If insurers face a significant cyberattack, the U.S. government may intervene with a cyber insurance safety net

The White House has announced that it will assess the possibility of creating a backstop under the Biden administration’s National Cybersecurity Strategy to provide assistance in the event of catastrophic hacks that could overwhelm insurers.

The National Cybersecurity Strategy of the Biden administration vows to evaluate how a backstop could be established to handle catastrophic hacks that may overwhelm insurers. According to the strategy, creating such a response plan ahead of a catastrophic event, rather than creating an aid package after the fact, could instill market certainty and strengthen the country’s resilience.

Advocates of a federal insurance response argue that a taxpayer-funded program could offer insurers a level of assurance, allowing them to assume more risk by easing exclusions.

In recent months, the idea of a federal insurance response has gained traction. This is due in part to insurers’ concerns about potential losses from a severe attack carried out by a nation-state, leading them to limit the types of hacks they cover. A federal program funded by taxpayers could provide insurers with more confidence and allow them to take on additional risks by easing exclusions.

Monica Shokrai, who oversees business risk and insurance for Google Cloud, pointed out that some insurance carriers have begun to limit or exclude coverage for cloud providers due to concerns about potential claims arising from a prolonged service outage caused by a cyber attack. This practice could leave companies that rely on cloud services vulnerable to significant risks and losses, according to Shokrai.

Ms. Shokrai warned that excluding or limiting coverage for cloud companies leaves insurance buyers and companies in general vulnerable to risks that they cannot mitigate or transfer through other means.

Following the NotPetya malware attack in 2017 that caused approximately $1.4 billion in damages to Merck & Co., insurers have been entangled in protracted legal battles over their expected coverage. In this regard, Merck & Co. won a case against carriers, asserting that its business insurance should cover expenses. However, lawyers representing the carriers contended that the attack constitutes a “warlike” act and should be excluded.

Similar backstop programs have been implemented by the U.S. government in the past to assist with catastrophic events such as hurricanes, including underwriting direct coverage. For example, the War Risk Insurance Act of 1914 provided insurance for shipping during the First World War.

Following the terrorist attacks on September 11, 2001, former President George W. Bush enacted the Terrorism Risk Insurance Act, which provided government reimbursement for verified acts of terrorism. In 2019, then-President Donald Trump extended the act until 2027.

Michael Hamilton, the founder and chief information security officer at cybersecurity firm Critical Insight Inc., suggests that programs like those authorized by the Terrorism Risk Insurance Act could serve as a model for a cyber insurance backstop. However, Hamilton warns that cyberattacks are notoriously challenging to attribute.

When the Federal Insurance Office of the Treasury Department released a public consultation in September, following a report by the Government Accountability Office, it received mixed responses from the industry when it was closed in December.

According to the American Property Casualty Insurance Association trade group, a federal cyber insurance response could be too early since the cyber insurance market is still evolving. The group suggests that coverage gaps could be addressed by developing a more structured method of attributing cyberattacks to nation-states or through non-financial approaches, rather than implementing a backstop program.

Shelby Schoensee, Director of Cyber Issues at the American Property Casualty Insurance Association (APCIA), said that the insurance industry and APCIA aim to prevent unintended outcomes that may arise from creating a new federal insurance program. According to Schoensee, a study that examines the extent to which long-term gaps exist could be useful in determining the best way to proceed.