Bloomberg Law
June 21, 2022, 8:00 PM

Federal Backstop for Cyber Insurance Should Be Studied, GAO Says

Gina Heeb
The Biden administration should assess whether private insurers need federal assistance to help cover losses from cyberattacks on electricity grids, banks, pipelines and other critical infrastructure, a government watchdog said.

Private insurers have increasingly sought to reduce their exposure to cyberattack claims through policy exclusions and higher premiums, creating potential gaps in coverage against ransomware and data breach risks that could result in “catastrophic losses and risk to national security,” the Government Accountability Office said in a report.

The report recommended that the Treasury and Homeland Security departments jointly conduct the study to help an insurance market that may be “unable or unwilling to provide very large amounts of coverage” for risks that are “hard to estimate or might have never occurred before.”

Federal agencies at the Treasury and Homeland Security departments “have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response,” the report said.

The GAO pointed to a 2021 cyberattack on the Georgia-based Colonial Pipeline Co., which temporarily halted operations at a major pipeline that carries energy shipments between the Gulf Coast and the Northeast.

“There is a kind of a realization that cyberattacks can cause systemic damage and disruption to the economy,” said Dan Garcia-Diaz, the managing director of the financial markets and community investment team at the GAO. “And as a result, insurers are starting to take steps to limit their exposure to these losses.”

A surge in remote work due to the coronavirus pandemic could leave industries more vulnerable to cyberattacks, he said.

“The ever-expanding kind of reliance on IT systems and networking has created more points in a network that attackers can try to enter and compromise the system,” Garcia-Diaz said.

Cyberattacks often don’t meet the criteria to be covered by the Terrorism Risk Insurance Act, a post-9/11 law that created a cost-share arrangement between the government and private insurance companies. To be covered by the program, an attack must be certified as a terrorism act by the Treasury Secretary.

To contact the reporter on this story: Gina Heeb in Washington at

To contact the editor responsible for this story: Roger Yu at
