Catastrophic cyber risks pose challenge to insurance sectorPosted On: Jun. 28, 2022 6:55 AM CST
U.S. critical infrastructure remains exposed to cyberattacks with limited insurance protection available, a government report released last week said, but experts differ on how the problem should be addressed.
Some say the insurance industry should do a better job of addressing the threat of systemic risks to critical infrastructure, but others say a government backstop is needed.
A report issued last week by the U.S. Government Accountability Office said there is a limited ability to cover potentially catastrophic losses from systemic cyberattacks on targets such as utilities, financial services and pipelines.
Cyber liability insurers have taken steps to limit their losses from such attacks, and the federal Terrorism Risk Insurance Program only covers cyberattack losses if they are considered terrorism, among other requirements, the report said.
The GAO called for an assessment as to whether a federal insurance response is warranted.
It is hard to insure against risks that have a low likelihood of occurring but have “massive consequences” if they do occur, said Stephen Lilley, a partner with Mayer Brown LLP in Washington.
Insurers have backed away from the exposures, said Stuart Panensky, a partner with FisherBroyles LLP in Princeton, New Jersey.
“There are a few insurance players that continue to insure in the higher risk industries, subject to very strict underwriting guidelines,” but, as the study points out, many insurers “won’t touch it,” he said.
Insurers “are looking to grow the market and to promote what cyber insurers can do for policyholders. At the same time, they’re looking to restrict coverage, increase deductibles and retentions, and lower limits,” said Peter Halprin, a partner with Pasich LLP in New York.
Insurers “need to be clear which direction they want to take this in,” he said.
Private insurers should offer more stable coverage that protects organizations involved with critical infrastructure projects, and by extension everyone else needing it, said Joshua Gold, a shareholder with Anderson Kill P.C. in New York.
“We need to address systemic risk and, until we do, we’ve got an inherent problem out there,” said Nick Economidis, vice president of erisk underwriting for Crum & Forster, a unit of Fairfax Financial Holdings Ltd., in Houston.
The industry should develop a long-term solution rather than “kicking the can down the road,” he said.
The government should also play a role, some experts say.
“There should be a governmental insurance program that protects against the sort of things that are uninsurable in the private market,” just as the Federal Emergency Management Agency protects against widescale disasters, said Aaron Aanenson, Austin, Texas-based senior director and cyber insurance thought leader at cyber security rating company BitSight.
Bridget Quinn Choi, New York-based director of incident response strategy at Booz Allen Hamilton Inc., said a backstop like the federal terrorism insurance program should be created.
The solution should define what constitutes cyber terrorism or cyber warfare and what rises to the level of triggering the coverage, she said.
“This report is a step in the right direction,” Ms. Quinn Choi said.