Risk management, insurer groups urge federal cyber backstop
Posted On: Dec. 5, 2022 8:00 PM CST
The potential formation of a federal backstop for commercial cyber insurance markets in the wake of a catastrophic cyber event has drawn support from risk management and insurance industry organizations.
The terrorism backstop formed after the Sept. 11, 2001, terrorist attacks could serve as a basic model for a cyber backstop, but factors such as funding and the structure of coverage need to be addressed, proponents say.
Last month, the Risk & Insurance Management Society Inc. sent a comment letter to the U.S. Treasury Department’s Federal Insurance Office saying its members “overwhelmingly supported” the creation of a federal cyber insurance backstop.
The letter was in response to a Sept. 29 notice from the Treasury seeking comments “on questions related to cyber insurance and catastrophic cyber incidents.” The initial deadline to submit comments was Nov. 14, which was extended to Dec. 15.
“Cyber insurance is a significant risk-transfer mechanism, and the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency,” the Treasury notice said.
The notice followed a June report from the Government Accountability Office recommending that FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency conduct a joint assessment to determine “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.”
Bryan Cunningham, executive director of the Cybersecurity Policy & Research Institute at the University of California, Irvine, said he supports some role for the federal government in the management of catastrophic cyber exposures. “I think we have to have that,” he said. Details of the thresholds, funding and other considerations are “yet to be determined, but it should be there,” he said.
Mr. Cunningham previously served as deputy national security adviser in the George W. Bush administration under Condoleezza Rice and was involved in drafting the Homeland Security Act after 9/11.
He suggested the Terrorism Risk Insurance Act of 2002, which provided federal reinsurance coverage for insurers providing property/casualty coverage, could serve as a reference point because the language of the law has survived five reauthorizations and the program was successful in achieving its goal of stabilizing property markets after the attacks. The trigger for TRIA coverage began at $50 billion but rose to $200 billion at its most recent reauthorization, in 2019.
Lynn Haley Pilarski, chair of RIMS’ external affairs committee and senior risk manager at General Motors Co., said TRIA fulfilled its mandate of stabilizing commercial property insurance markets in the wake of the 9/11 devastation and that “risk managers are always looking for ways to improve coverage terms, increase capacity and stabilize insurance markets.”
Both Mr. Cunningham and Ms. Pilarski said attention should be paid to the definition of war in any backstop, especially as it pertains to coverage language and exclusions. The definition should not be so broad as to allow overly broad or restrictive exclusionary coverage language, they said.
Dale Porfilio, chief insurance officer for the Insurance Information Institute in New York, said the organization “considers cyber to be one of the most significant risks facing society and the insurance industry, and is concerned about a catastrophic cyber event on the scale of natural catastrophes like hurricanes and earthquakes.” He said events like the Colonial Pipeline shutdown in 2021, in which an energy provider was hit by a ransomware attack, showed the potential risk for “bad actors or nation states to attack major infrastructure like the U.S. power grid.”
A significant attack on infrastructure “could far exceed current private market cyber coverage,” Mr. Porfilio said. “We believe the federal government should invest in cyber-risk mitigation of national and community infrastructure as well as preventing cyberattacks by nation states and terrorist groups.”
Mr. Porfilio said “the potential benefit of a federal cyber insurance program like TRIA depends greatly on how it is structured and funded. We would not want it to replace or inhibit growth of the private cyber insurance and reinsurance market.”
A program like TRIA could be beneficial if it provided “umbrella coverage above the private market without adding undue cost or administrative burdens for policyholders and insurance carriers,” Mr. Porfilio said.
The American Property Casualty Insurance Association is in the process of formulating its complete response to the FIO request for comment but expressed initial support for the process.
“This is an important issue and top of mind for insurers. We will provide formal comments and welcome an ongoing dialogue with the administration,” said Nat Wienecke, senior vice president of federal government relations for APCIA.