A research arm of Congress is studying the costs of cyber attacks on the U.S. infrastructure and whether the backup provided by the federal Terrorism Risk Insurance Program (TRIP) is adequate for cyber-terrorism events.
The General Accountability Office (GAO) said in a letter to Congress accompanying a new report on the cyber insurance market that it would be issuing a report later this year on the costs and insurance for cyber terrorism, including the extent to which TRIP (also referred to as TRIA) is able to respond to cyber attacks and cyber terrorism.
The Federal Insurance Office in Treasury administers TRIA, which requires the government to share some losses with private insurers in the event of a certified act of terrorism. Losses from cyber attacks might be reimbursed under TRIP if the attacks meet specific certification criteria. Treasury has never certified any event under TRIA.
The GAO said its report later this year will examine the risks and costs of cyber attacks on U.S. critical infrastructure; insurance coverage that is available for losses related to cyber risk, including cyber terrorism; and the extent to which TRIP is structured to respond to cyber attacks and cyber terrorism.
In its report on the cyber insurance market, the GAO said insurance and regulatory experts are unsure about the likelihood of Treasury certifying cyber attacks as acts of terrorism because the Treasury department has never done so.
For Treasury to certify an act of terrorism, the act “must be violent or dangerous to human life, property, or infrastructure, generally result in losses in the United States, and be part of an effort to coerce the civilian population of the United States or affect the conduct of the U.S. government by coercion.”
However, the GAO notes, cyber attacks may not be violent or they may cause losses to computer servers located outside the country. In addition, cyber attacks could be conducted for financial ransom, rather than to coerce the government or population of the United States.
The Centers for Better Insurance has argued that Congress could revise the certification criteria to include acts that involve losses associated with electronic data and infrastructure, extend the geographic parameters beyond damage in the United States, and broaden the scope of intent underlying the cyber attack beyond coercion.
However, according to the GAO, the Insurance Information Institute has warned that insurers might pull back on the property and liability insurance they offer if they feel they could not assume those levels of risk.
The report identifies two other concerns. One is the possibility of an extremely large cyber attack exceeding the TRIA cap of $100 billion, leaving losses above the cap uninsured. Second is the increased level of risk borne by private sector insurers. While congressional reauthorizations of TRIA generally shifted exposure from the federal government to the private sector, a May 2020 Treasury report found that because of the shift in loss exposures, TRIP may no longer be as effective a framework for insurance industry stability as it previously was.
Other Report
In March 2020 there was another government report that discussed cyber terrorism. The Cyberspace Solarium Commission called for consideration of government-backed reinsurance to cover catastrophic cyber events that goes beyond TRIP. The commission suggested that Congress also study these issues and gaps:
The commission members urged the public to urge government and private sector leaders “act with speed and agility” to address the cyber threats.
The GAO report on cyber insurance found that among the challenges the insurance industry faces are a lack of historical data on losses and a lack of common definitions, including for cyber terrorism, in insurance policies.
*This story ran previously in our sister publication Insurance Journal.