A US Treasury Department request for public input on a potential federal cyber insurance program highlights a coverage gap for US companies as insurers reduce offerings.
The regulator is seeking public comment until Nov. 14 on whether the government needs to shore up the insurance industry to pay for severe cyberattacks, especially those involving critical infrastructure such as power grids, train lines, hospitals, and utility companies.
Cyberattacks are happening so frequently that underwriting standards sometimes can’t match the fast development and sophistication of the hacks. Insurers are raising rates to levels that make it hard for businesses to find affordable coverage. A federal insurance backstop could close the gap as insurers cut coverage to limit their exposure.
The Treasury Department’s Federal Insurance Office is seeking comment on a list of questions, including what kinds of cyberattacks are “catastrophic,” whether businesses are getting enough coverage, and how to encourage policyholders to strengthen cybersecurity practices.
Cyber insurers have seen losses jump 300% from 2018 to 2021, according to Fitch Ratings. Insurers, including Lloyd’s of London, Chubb Ltd., and Beazley PLC, are racing to cut coverage for catastrophic cyberattacks that can paralyze multiple industries at once.
Federal financial support for certain cyber risks would also give insurers relief and security to make cyber insurance more widely available, said Andy Moss, a partner at Reed Smith LLP.
“A cyber insurer can write policies with comfort knowing it can transfer some risk to the government, so it can offer bigger policy limits for businesses,” Moss said.
The Federal Insurance Office is conducting a joint assessment for Congress with the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Insurers will be watching to see how the policy debate plays out. A national mandate may discourage some carriers from offering competitive terms to some businesses that prefer more flexible requirements to fit their individual cyber risk profile.
“Some insurers may feel complying with the federal standards can constrain them” as they seek to gain market share by covering companies that don’t meet certain cybersecurity criteria, said David Finz, a vice president at insurance broker Alliant Insurance Services.
The government should allow voluntary participation in a federal insurance program, Finz said. Private insurers should also keep their freedom to dictate underwriting standards and cyber controls for policyholders, he added.
“Individual underwriters know best on what cyber measures are effective, since their capital is at risk when they provide coverage,” Finz said.
A national cyber insurance program, if established, may limit what qualifies as critical infrastructure for coverage, said Iliana Peters, a shareholder at Polsinelli PC who works with regulators on data privacy policies.
Even if a company qualifies as owning critical infrastructure, it may not get coverage for a cyberattack because, in her experience with regulators, the incident has to be “catastrophic” and have “a significant effect on the economy or a particular region,” Peters said.
The Treasury’s recent request for comment on its proposal is a very preliminary step in the process, and it can take years to work out details, Peters said.
“It is unlikely that the government would roll out a comprehensive cyber insurance program because they’re not going to have the funds to cover any and all types of incidents,” she said.
A federal backstop for “catastrophic cyber losses would be vital to sustaining a viable private insurance market for catastrophic cyber coverage, which is becoming essentially an uninsurable risk,” said Annmarie Giblin, a partner at Hinshaw & Culbertson LLP who represents insurers.
The 2017 NotPetya malware attack that paralyzed global computer systems, Colonial Pipeline’s $5 million ransom payment in 2021, and the Russia-Ukraine war have driven more insurers to stop covering cross-sector and government-sponsored cyber attacks.
Chubb, the biggest US cyber insurer, has proposed a widespread hack exclusion. Beazley recently unveiled a catastrophic events exclusion.
“Overall, the insurance industry seeks to partner with regulators to develop the best possible solutions that work for all stakeholders, including policyholders,” said Loretta Worters, a spokesperson at the Insurance Information Institute, a trade group of insurance companies.
Not Enough Coverage
Standalone cyber premiums jumped 95% in 2021, and the top 20 US insurers took in over $3.9 billion in cybersecurity direct premiums that year, according to AM Best’s data.
Michelle Reed, co-head of Akin Gump Strauss Hauer & Feld LLP’s cybersecurity practice, said some of her clients saw a three-fold increase in insurance rates in a single year. Reed said she has seen carriers making “a huge pullback” on coverage limits in the past two years.
The reduced coverage amount can no longer shield policyholders from cyber losses, Reed said. A $10 million policy can end up with a $150,000 limit on cyber frauds, she said.
A national insurance program requiring baseline cybersecurity protocols, such as multi-factor authentication or VPN access for remote work, would give businesses an incentive to improve the controls needed to reduce cyber risks, said Kamran Salour, a data security partner at Troutman Pepper.