The cyber insurance market has matured in recent years, but it may fall short when it comes to certain major attacks, says a US government spending watchdog. The US Government Accountability Office (GAO) has called for a federal response to insurance for "catastrophic" cyberattacks on critical infrastructure. A functioning insurance market is essential for businesses, consumers, and, as GAO highlights, for critical infrastructure operators. The GAO, which audits the trillions of dollars the US government spends each year, warns that neither private insurers nor the US government's official terrorism risk insurance program, the Terrorism Risk Insurance Program (TRIP), may be able to cover catastrophic financial loss arising from cyberattacks. "Cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified," the GAO spokesman said.
Ransomware coverage is an uncertain area of insurance because of the vagaries of attribution and policy language. While ransomware is mostly driven by cyber criminals, some incidents that have cost victims millions of dollars have been officially attributed by Western governments to the governments of Russia, North Korea, and China. Some insurers have used these official attributions to avoid payouts to victims, because such incidents can be construed in court as an act of war, which cyber-insurance policies do not cover. Insurance policies do cover acts of terrorism, but these also carry clauses that limit coverage to certified acts of violence. "The government's insurance may only cover cyberattacks if they can be considered 'terrorism' under its defined criteria," the GAO spokesman said in a statement. The question of insurance is now a bigger concern for the US government after Russia's ongoing invasion of Ukraine, which it fears could spur cyberattacks by Kremlin-backed hackers on US organizations in response to US sanctions on Russia and Russian businesses.
What should the US government do, at a national level, if the market for enterprise cyber insurance fails to support businesses? "Any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants," the GAO report stated.
As GAO notes, some insurance firms are "ring-fencing" their policies to protect themselves from incidents that cause systemic problems. Insurers do not cover attacks that could technically fall into the category of warfare, for example. The GAO describes TRIP as the "government backstop for losses from terrorism". Together, TRIP and private cyber insurance provide some protection, but "both are limited in their ability to cover potentially catastrophic losses from systemic cyberattacks". "Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware," says GAO. "However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified."
The GAO recommends that the Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity authority for federal civilian agencies, work with the Director of the Federal Insurance Office to "produce a joint assessment for Congress on the extent to which the risks to the nation's critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response."
In summary, all organizations need to be prepared to defend against cyberattacks themselves, since insurance coverage may be limited or may not cover their losses at all.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings