The Government Accountability Office (GAO) is pressing the departments of Treasury and Homeland Security (DHS) to assess whether a further Federal response is needed to address the government’s existing terrorism risk insurance program, which may not cover losses from cyber and other attacks on U.S. critical infrastructure.
In a new report, the watchdog agency discusses cyber insurance and the Terrorism Risk Insurance Program (TRIP), which is administered by the Treasury Department and provides compensation for some insured losses resulting from certified acts of terrorism. Both are limited in their ability to cover potentially catastrophic losses from systemic cyberattacks.
“TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program’s criteria to be certified as terrorism, even if they resulted in catastrophic losses,” GAO detailed in its report. “For example, attacks must be violent or coercive in nature to be certified.”
Driving GAO’s concerns are the limits of cyber insurance as that market matures.
“Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware,” the agency said. “However, private insurers have been taking steps to limit their potential losses from systemic cyber events … For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages.”
Treasury and DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have taken steps to understand the financial implications of growing cyber risks, GAO said. But it added that neither has assessed the “extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a Federal response.”
GAO said both agencies are well-positioned to jointly perform an assessment and report the results to Congress to inform lawmakers whether a further Federal insurance response is warranted.
Both DHS and Treasury agreed with GAO’s recommendation to work together to produce a “joint assessment for Congress on the extent to which the risks to the nation’s critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from the risks, warrant a Federal insurance response.”