As part of the White House’s National Cybersecurity Strategy, launched last year, the Biden Administration is evaluating the need for a federal cyber insurance backstop. It’s a contentious topic that saw hotspots of attention over the past year and more. 

A catastrophic cyber event in the insurance context is widely understood to mean a single systemic event that results in financial damages so great that they exceed the insurable losses the industry could afford to pay. Some advocates argue a backstop is needed to provide a financial safety net to shore up the insurance sector’s ability to withstand such an event and preemptively stabilize the economy. Others argue a backstop is needed to induce insurers to make available wider cyber coverage, either by accelerating market penetration or by motivating insurers to offer war coverage or coverage for cyber breaches that lead to the destruction of physical assets, also known as the cyber-physical gap. Some have even suggested the government should act as a reinsurer to underwrite common attritional risks taken by private insurers.

Risks of a backstop

A backstop comes with the significant risk of distorting a nascent and thriving cyber insurance market, misallocating public resources and driving moral hazard. That is why past federal intervention in the insurance sector has only come after a market failure and not in anticipation of one. 

Previous backstops, such as the Terrorism Risk Insurance Program and National Flood Insurance Program, were created because economic activity was adversely affected when entities could not procure sufficient insurance coverage. This is fundamentally different from cyber risk, where there is no indication that businesses are choosing to forgo economic activity because they cannot secure cyber coverage. In fact, the opposite is true: Every day, more businesses are embracing digital tools and services and adopting cyber insurance. The cyber insurance industry has expanded significantly without federal intervention and is poised to continue that growth. 

One major gap

Headlines about state-sponsored hackers lurking in U.S. infrastructure poised to disrupt or damage critical services appear almost weekly. Digital breaches that result in physical damage would be costly and time-consuming to repair. These events would not typically be eligible for insurance coverage, but they would have the potential to severely disrupt the U.S. economy. A backstop is appropriate if the federal government wants to act preemptively to make this kind of coverage available and position the economy to be resilient to these kinds of events. 

Outside of a policy decision to address this gap in coverage, there is a lack of compelling evidence to support federal intervention to safeguard against the possibility of a catastrophic event more generally. That’s because the likelihood and magnitude of a catastrophic cyber event are overstated. Among the reasons these risks are overstated is the insurance industry effectively limits coverage to risks it can insure or otherwise mitigates risk when uncertain. For example, some insurers and reinsurers are issuing insurance-linked securities to transfer reinsurance risks for catastrophic events to capital markets. And most of the industry has collectively decided that war and the cyber-physical gap are too risky to insure under current conditions. 

Bespoke approach needed 

Most existing federal backstop models are untested and designed for perils that are fundamentally different from cyber risk. Cyber risk insurance requires a bespoke approach.

First, any backstop must narrowly address an existing gap in the insurance marketplace: the cyber-physical gap. An example would be a breach of a pipeline system in which a hacker manipulates pipeline pressure to trigger an explosion. That type of physical destruction would generally be excluded from cyber policies by property damage exclusions and from property/casualty policies by computer attack exclusions. 

This gap in coverage exists today because cyber insurers lack the capital to offer limits that would cover property damage at this scale, and property/casualty insurers lack the comfort with cyber risk that would be required to underwrite this coverage. It’s a conundrum, to say the least. A carefully designed backstop could induce new coverage to address this gap without impeding market growth. 

Some in the industry have advocated for cyber-related war coverage. A backstop could cover cyber-physical incidents regardless of the actor causing the incident. Such an approach expands coverage while avoiding the challenges associated with the protracted and opaque process of government attribution of a specific event to a nation-state.

Second, a backstop must improve cyber resilience and not transfer to the taxpayer the financial consequences of poor cyber hygiene. To accomplish this, all policyholders should meet certain minimum-security requirements to be eligible for coverage, such as maintaining a patching cadence, segmenting operational technology and IT networks, implementing multifactor authentication, and deploying and actively monitoring an endpoint detection solution. 

Additionally, all critical infrastructure owners and operators should be required to obtain insurance coverage. This is necessary because U.S. cyber insurance penetration is low at roughly 26%. Insuring the cyber-physical gap will require a much larger pool of policyholders, in part to buttress solvency and alleviate adverse selection. The Price-Anderson Act of 1957 offers precedent for mandating commercial coverage under federal law. 

Third, because cyber risk is dynamic, a backstop should incentivize policyholders to maintain high cybersecurity standards throughout the life of their policy, not just at bind. One way of accomplishing that is with a shared-cost model. While the threshold for a catastrophic event will evolve, it should be a function of four variables: loss threshold, cause of aggregation, number of policyholders impacted, and number of insurers impacted. Once that threshold is triggered, the backstop should reimburse policyholders for at least 85% of their total loss. Policyholders should pay the remaining 15% of costs to maintain accountability.

Finally, insurers must retain discretion to price policies according to risk and to make coverage contingent on good cyber hygiene. Any arbitrary public pricing model will distort a nascent and competitive market in a manner that will reduce coverage and undermine the public interest.

By all measures, the cyber insurance industry is healthy and poised to grow without federal intervention. It is also true, though, that there are gaps in the kinds of coverage available today, specifically the cyber-physical gap. That gap exists because insurers deem those events as uninsurable under current conditions. If there is a public interest in having the insurance industry buttress our economy and provide new coverage for cyber-physical events, then a backstop is necessary. But we must ensure that any backstop is designed to improve our nation’s digital resilience and avoid moral hazard. A backstop must not simply transfer the financial consequences of cyber insecurity to the taxpayer.

Sezaneh Seymour is a Washington-based vice president and head of regulatory risk and policy at Coalition Inc. She can be reached at sezaneh.seymour@coalitioninc.com.