A cyberattack that disrupts everyday life in the U.S. will likely cost more than the insurance industry can afford to cover, requiring government intervention, insurers and brokers said.
The idea of a federal backstop to help insurers cope in the event of a catastrophic cyberattack has been examined by the government in recent years, but has gained momentum with tandem efforts at the Treasury Department, the Office of the National Cyber Director and the Cybersecurity and Infrastructure Security Agency over the past year. Government officials and the insurance industry plan to meet in April to work out exactly what such a program would look like.
Federal support in the event of a catastrophic attack would undoubtedly be necessary, said John Keogh, president and chief operating officer of insurer Chubb. While the industry could absorb a major natural disaster, the effects of a cyberattack on a similar scale would quickly overwhelm its capacity to cover losses.
“A $250 billion cyber event is beyond the ability of the insurance industry to respond to today,” said Keogh, who was speaking at a recent conference organized by New York University and the U.S. Treasury Department in New York.
Some cyberattacks have cost billions of dollars, including the NotPetya malware infections of 2017, which caused an estimated $10 billion of damage worldwide across shipping companies, healthcare systems and logistics businesses, among others. That case also led to lawsuits against insurers by policyholders over the question of whether the attacks, which the U.S. attributed to Russia, triggered war exclusions. Moscow has denied involvement.
Truly devastating attacks could dwarf those costs. In October, insurance and reinsurance marketplace Lloyd’s of London predicted a successful cyberattack on a major financial-services payments system would result in global economic losses of $3.5 trillion over a five-year period. The scenario, which Lloyd’s described as “hypothetical but plausible,” would hit the U.S. hardest, at $1.1 trillion of damage.
Lloyd’s estimated that insurers globally underwrote around $9 billion of cyber insurance premiums in 2022, forecasting that number to reach between $13 billion and $25 billion by 2025, highlighting the gap between coverage and possible losses.
“We understand that some of the risk is too great for the insurance industry to take on all by itself,” said Drenan Dudley, acting National Cyber Director, adding that while the U.S. government would likely step in after the fact, developing plans ahead of such an event would provide certainty to insurers.
Insurers are leery of their exposure to such events. In August 2022, Lloyd’s directed its syndicates to incorporate language in policies that specifically excludes state-backed catastrophic events from coverage.
Graham Steele, assistant secretary for financial institutions at the Treasury Department, said at the Nov. 17 conference that the government has reached the conclusion that it must investigate the topic more thoroughly. The question of whether a federal response is required demands a more nuanced answer than a simple “yes” or “no,” he said.
“We believe that further exploration of the proper federal insurance response to catastrophic cyber risks is warranted, and should be undertaken,” he said.
While a well-designed backstop could provide assurance to carriers, and encourage cybersecurity best practices, a poorly designed program could shift too much risk onto the government, he said.
CISA is also re-establishing its Cyber Insurance Data Analysis Working Group, said Nitin Natarajan, the agency’s deputy director. In its original form, from 2012 to 2016, the group brought together insurers and government officials to better understand the risks within cyber insurance, and its next incarnation will follow a similar approach, Natarajan said.
Insurers suggest that previous measures in similar areas could prove instructive in defining any backstop. The Terrorism Risk Insurance Act, signed into law by President George W. Bush on Nov. 26, 2002, created a temporary federal backstop for insurance claims related to acts of terrorism, following the Sept. 11 attacks. The program, renewed by Congress through 2027, provides federal assistance once insurers reach a certain threshold of losses, most recently set at $200 million.
“Tria is a fairly elegant solution in the sense that it encourages and works through the existing market, to show up at the times when it’s necessary to draw a line under the exposure,” said Tom Reagan, global head of cyber at insurance broker Marsh, a unit of Marsh & McLennan.
Dan Palardy, lead actuary at insurer Cowbell Cyber, said government programs that sit alongside traditional insurers, such as the U.K.’s Pool Re or the U.S. National Flood Insurance Program, can also serve as a model for a catastrophic cyber backstop, but the triggers must be clearly defined. Notably muddy areas within cyber, such as attributing attacks to their perpetrators, should also be tackled, he said.
“The trade of catastrophic cyber risk tends to fixate on the limits of the insured risk, particularly, the issue of attribution as it pertains to cyberwar. Policy language designed to address instances where attribution is unclear could aid in this,” he said.