Growing apprehension among insurers and reinsurers over the risk of a systemic cyber incident has attracted the attention of the U.S. Treasury Department, which put out a request for information (RFI) on the subject to the property and casualty insurance industry in September 2022.
The department’s action springboards off of a concerning June 2022 report on cyber insurance issued by the Government Accountability Office (GAO). The report cited three main worries: an increase in the frequency and severity of cyber incidents impacting critical infrastructure; a number of recent cyber attacks demonstrating the potential for a systemic cyber incident that “spills over from the initial target to economically linked firms, thereby magnifying the damage”; and risks presented by cyber incidents to critical U.S. infrastructure.
Astoundingly, the GAO report stated that scenario-based estimates of a potential loss from a severe cyber incident range from $2.8 billion to $1 trillion on a per event basis. The possibility of such shocking losses impelled the GAO to conclude that a federal insurance response might be in order, hence the Treasury Department’s RFI to the industry. One possible response floated by the GAO is the development of a federal insurance cyber backstop similar to the Terrorism Risk Insurance Program, a federal loss-sharing program for certain losses resulting from a certified act of terrorism.
Industry players are intrigued by the possibility of a federal loss-sharing program. “Although a catastrophic loss produced by a systemic risk scenario involving a multitude of insureds has yet to happen, the industry at present is dealing with this threat through policy wording designed to reduce their loss exposure,” says Mario Vitale, CEO of cyber insurance provider Resilience Cyber Insurance Solutions. “The question then becomes, what will reinsurers do. Some already are putting loss ratio caps reducing their cyber exposure.”
If the insurance and reinsurance markets continue to reduce their exposure to a systemic loss, Vitale says, insureds “will need to bear more of the cyber risk on their balance sheets or pay substantially more for coverage. This possibility makes a government backstop an important subject for discussion.”
The Treasury Department issued its information request last November. Following receipt, the commentary will be jointly assessed by the Federal Insurance Office, which is engaged in developing the department’s counter-ransomware strategy, and the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, which will subsequently inform Congress if a federal insurance response is warranted.
Robert Hartwig, associate professor of finance at the University of South Carolina, says all countries, not just the United States, should be “thinking strongly” about the development of a government backstop “for what will inevitably be some sort of systemic shock from a cyber event.”
Hartwig, who has testified several times in front of Congress on the reauthorization of the Terrorism Risk Insurance Program, says the insurance industry “needs to carefully manage this exposure sooner than later. A structure like a federal backstop that spreads catastrophic cyber losses over time, by borrowing on a scale that would be inconceivable on the part of private insurers, is a step in the right direction.”