The cyber-insurance market has matured fast in recent years but it may fall short when it comes to certain major attacks, the US government spending watchdog has warned.
The US Government Accountability Office (GAO) has called for a federal response to insurance for "catastrophic" cyberattacks on critical infrastructure. A functioning insurance market is essential for businesses, consumers and, as GAO highlights, for critical infrastructure operators.
The GAO, which audits the trillions of dollars the US government spends each year, warns that private insurers and the US government's official terrorism risk insurance -- the Terrorism Risk Insurance Program (TRIP) -- may not be able to cover catastrophic financial loss arising from cyberattacks.
"Cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified," the GAO said.
Ransomware is a tricky issue for insurers because of the uncertainties involved in attribution. While ransomware is mostly driven by cyber criminals, some incidents that cost victims millions of dollars have been officially attributed by Western governments to the governments of Russia, North Korea and China.
Some insurers have used these official attributions to avoid payouts to victims because those incidents can be construed in court as an act of war, which cyber-insurance policies don't cover. Insurance policies do cover acts of terrorism, but these also have clauses that limit coverage to acts of certified violence.
"The government's insurance may only cover cyberattacks if they can be considered 'terrorism' under its defined criteria," the GAO said in a statement.
The question of insurance is now a bigger concern for the US government after Russia's ongoing invasion of Ukraine, which it fears could spur cyberattacks from Kremlin-backed hackers on US organizations in response to US sanctions on Russia and Russian businesses.
So what should the US and GAO do, at a national level, when the market for cyber insurance for enterprises could fail to support businesses?
"Any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants," the GAO said.
As GAO notes, some insurance firms are ring-fencing their policies to protect themselves from incidents that cause systemic problems. Insurers don't cover attacks that technically could fall into the category of warfare, for example.
The GAO says TRIP is the "government backstop for losses from terrorism". Combined with cyber insurance, the two do provide some protection, but they are "both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks".
"Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware," says GAO.
"However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified."
The GAO recommends that the Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity authority for federal agencies, work with the Director of the Federal Insurance Office to "produce a joint assessment for Congress on the extent to which the risks to the nation's critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response."