A research arm of Congress is studying the costs of cyber attacks on the U.S. infrastructure and whether the backup provided by the federal Terrorism Risk Insurance Program (TRIP) is adequate for cyber-terrorism events.
The General Accountability Office (GAO) said in a letter to Congress accompanying a new report on the cyber insurance market that it would be issuing a report later this year on the costs and insurance for cyber terrorism, including the extent to which TRIP (also referred to as TRIA) is able to respond to cyber attacks and cyber terrorism.
The Federal Insurance Office in Treasury administers TRIA, which requires the government to share some losses with private insurers in the event of a certified act of terrorism. Losses from cyber attacks might be reimbursed under TRIP if the attacks meet specific certification criteria. Treasury has never certified any event under TRIA.
The GAO said its report later this year will examine the risks and costs of cyber attacks on U.S. critical infrastructure; insurance coverage that is available for losses related to cyber risk, including cyber terrorism; and the extent to which TRIP is structured to respond to cyber attacks and cyber terrorism.
In its report on the cyber insurance market, the GAO said insurance and regulatory experts are unsure about the likelihood of Treasury certifying cyber attacks as acts of terrorism because the Treasury Department has never done so.
For Treasury to certify an act of terrorism, the act “must be violent or dangerous to human life, property, or infrastructure, generally result in losses in the United States, and be part of an effort to coerce the civilian population of the United States or affect the conduct of the U.S. government by coercion.”
However, the GAO notes, cyber attacks may not be violent or they may cause losses to computer servers located outside the country. In addition, cyber attacks could be conducted for financial ransom, rather than to coerce the government or population of the United States.
The Centers for Better Insurance has argued that Congress could revise the certification criteria to include acts that involve losses associated with electronic data and infrastructure, extend the geographic parameters beyond damage in the United States, and broaden the scope of intent underlying the cyber attack beyond coercion.
However, according to the GAO, the Insurance Information Institute has warned that insurers might pull back on the property and liability insurance they offer if they feel they could not assume those levels of risk.
The report identifies two other concerns. One is the possibility of an extremely large cyber attack exceeding the TRIA cap of $100 billion, leaving losses above the cap uninsured. The second is the increased level of risk borne by private sector insurers. While congressional reauthorizations of TRIA generally shifted exposure from the federal government to the private sector, a May 2020 Treasury report found that because of the shift in loss exposures, TRIP may no longer be as effective a framework for insurance industry stability as it previously was.
In March 2020 there was another government report that discussed cyber terrorism. The Cyberspace Solarium Commission called for consideration of government-backed reinsurance to cover catastrophic cyber events that goes beyond TRIP. The commission suggested that Congress also study these issues and gaps:
- Current exemptions for property/casualty insurance policies, including act of war exemptions, and complications of including them in cyber insurance policies.
- The existing scoping of TRIA to assess whether it is sufficiently broad to cover cyber events perpetrated by nation-states, which most general property/casualty insurance policies currently exclude or attempt to exclude.
- If the triggering threshold for TRIA—a loss of $200 million, as of the 2020 reauthorization—is the appropriate size to trigger a similar backstop for catastrophic cyber events.
- Comparative models of federal share percentage of a cyber insurance-related backstop.
- What types of cyber events constitute “certified acts of terrorism” and whether this provides a sufficient backstop for insurers, as many major cyber events—particularly those perpetrated by nation-states—may not fit squarely under the definition of “certified act of terrorism.”
- What events and which entities would be covered by a backstop, given that terror attacks generally take place in and affect a confined area, while some cyber incidents are not bounded by geography. For example, the study should address whether a cyber attack on an American company affecting only assets in another jurisdiction would qualify.
The commission members urged the public to urge government and private sector leaders to “act with speed and agility” to address the cyber threats.
The GAO report on cyber insurance found that among the challenges the insurance industry faces are a lack of historical data on losses and a lack of common definitions, including for cyber terrorism, in insurance policies.
*This story ran previously in our sister publication Insurance Journal.