The posting states that the “Federal Insurance Office (FIO) is seeking comments from the public on questions related to cyber insurance and catastrophic cyber incidents….on or before November 14, 2022.”  The September 29, 2022 posting, entitled “Potential Federal Insurance Response to Catastrophic Cyber Incidents,” included these comments:

Cyber insurance is an increasingly significant risk-transfer mechanism, and the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency. 

Through underwriting and pricing, insurers can encourage or even require policyholders to implement strong cybersecurity standards and controls. 

More generally, cyber insurance “can help policyholders respond to lawsuits and loss, and provide associated mitigation services, arising in a variety of situations such as data loss, cloud outage, distributed denial-of-service attacks, malware, and associated ransomware extortion.” 

Cyber insurance is a growing market, with approximately $4 billion in direct premiums written in 2020.

On June 21, 2022, GAO issued a report, Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks (GAO Report). 

The GAO Report emphasizes three points about the catastrophic risk of cyber incidents. First, cyber incidents impacting critical infrastructure have increased in frequency and severity. 

The GAO Report cites a 2020 study by CISA that includes an analysis of scenario-based estimates of potential losses from severe cyber incidents that ranged from $2.8 billion to $1 trillion per event for the United States.

Second, the GAO Report finds that recent attacks demonstrate the potential for systemic cyber incidents, citing recent cyber attacks that “illustrate that the effects of cyber incidents can spill over from the initial target to economically linked firms—thereby magnifying the damage to the economy.” 

Third, the GAO Report evaluates some of the issues regarding potential risks presented by cyber incidents to critical infrastructure in the United States.

The GAO Report also identified potential issues in creating a federal insurance cyber backstop within the scope of the Terrorism Risk Insurance Program (TRIP).

The GAO Report concludes that a full evaluation of whether there should be a federal insurance response in connection with catastrophic cyber risks would be best addressed by FIO (given its statutory authorities, including monitoring of the insurance sector and assisting the Secretary of the Treasury with administration of TRIP) and CISA (given its expertise in connection with cyber and physical risks to U.S. infrastructure) in a joint assessment to be provided to Congress.

Both FIO and CISA accepted the GAO recommendation to conduct such a joint assessment, as reflected in letters attached to the GAO Report.

Please submit your comments, thanks.