Printed from BusinessInsurance.com

GAO issues report on catastrophic cyber losses

Posted On: Jun. 21, 2022 2:37 PM CST


Insurers and the federal government’s terrorism risk insurance may not be able to cover cyberattacks that target critical infrastructure, with cyber insurers having taken steps to limit their losses in such cases, says the U.S. Government Accountability Office, in a report issued Tuesday that calls for an assessment as to whether a federal response is needed. 

U.S. critical infrastructure, including utilities, financial services and pipelines, faces increasing cybersecurity risks, and the effects of such incidents can spill over from the initial attack to economically linked firms, magnifying the economic damage, warns the report, pointing to the May 2021 Colonial Pipeline Co. attack.

Cyber insurance and the federal government backstop, the Terrorism Risk Insurance Program, are both limited in their ability to cover such losses, the report says. 

Cyber insurance can offset costs from common cyber risks such as data breaches and ransomware, but private insurers “have been taking steps to limit their potential losses from systemic cyber events,” by, for example, excluding them for cyber warfare and infrastructure outages, the report says, while the federal program covers losses for cyberattacks only if they are considered terrorism.

The report recommends that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Department of Treasury’s Federal Insurance Office work together to produce a joint assessment for Congress on the extent to which a federal insurance response is warranted.