
US watchdog is worried cyber insurance won't cover 'catastrophic cyberattacks'

Jun 24, 2022, Hi-network.com

The cyber-insurance market has matured fast in recent years but it may fall short when it comes to certain major attacks, the US government spending watchdog has warned.

The US Government Accountability Office (GAO) has called for a federal response to insurance for "catastrophic" cyberattacks on critical infrastructure. A functioning insurance market is essential for businesses, consumers and, as GAO highlights, for critical infrastructure operators.


The GAO, which audits the trillions of dollars the US government spends each year, warns that private insurers and the US government's official terrorism risk insurance -- the Terrorism Risk Insurance Program (TRIP) -- may not be able to cover catastrophic financial loss arising from cyberattacks.


"Cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified," the GAO said.

Ransomware and insurance is a tricky issue because of the uncertainties involved in attribution. While ransomware is mostly driven by cyber criminals, some incidents that cost victims millions of dollars have been officially attributed by Western governments to the governments of Russia, North Korea and China.

Some insurers have used these official attributions to avoid payouts to victims because those incidents can be construed in court as an act of war, which cyber-insurance policies don't cover. Insurance policies do cover acts of terrorism, but these also have clauses that limit coverage to acts of certified violence.  

"The government's insurance may only cover cyberattacks if they can be considered 'terrorism' under its defined criteria," the GAO said in a statement.

The question of insurance is now a bigger concern for the US government after Russia's ongoing invasion of Ukraine, which it fears could spur cyberattacks from Kremlin-backed hackers on US organizations in response to US sanctions on Russia and Russian businesses. 

So what should the US and GAO do, at a national level, when the market for cyber insurance for enterprises could fail to support businesses?

"Any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants," the GAO said.

As GAO notes, some insurance firms are ring-fencing their policies to protect themselves from incidents that cause systemic problems. Insurers don't cover attacks that technically could fall into the category of warfare, for example. 

The GAO says TRIP is the "government backstop for losses from terrorism". Combined with cyber insurance, TRIP does provide some protection, but the two are, in GAO's words, "both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks".

"Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware," says GAO. 

"However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified."

The GAO recommends that the Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity authority for federal agencies, work with the Director of the Federal Insurance Office to "produce a joint assessment for Congress on the extent to which the risks to the nation's critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response."
