Treasury Department Seeks Public Comment on Potential Federal Cybersecurity Insurance Response
On September 29th, the Federal Insurance Office (“FIO”) within the U.S. Department of Treasury issued a request for comment in the Federal Register on the possibility of implementing a federal insurance response to catastrophic cyber incidents. The comments will provide the FIO with information as it responds to a recommendation by the U.S. Government Accountability Office that the FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) jointly assess the extent to which the risks to U.S. critical infrastructure from catastrophic cyberattacks warrant a federal insurance response. The agencies are seeking comments on a list of questions, including what kinds of cyberattacks are “catastrophic,” whether businesses are getting enough coverage, and how to encourage policyholders to strengthen cybersecurity practices.
The FIO also intends to gather information on what cybersecurity measures would most effectively reduce the likelihood or magnitude of catastrophic cyber incidents. Additionally, it will look into the measures that the federal government could adopt to incentivize or require policyholders to adopt these measures.
Cyberattacks are happening so frequently that underwriting standards generally cannot match the development and sophistication of the hacks. Over the last couple of years, insurers have raised rates to levels that make it hard for businesses to find affordable coverage. Due in part to these factors, the FIO is looking into whether a federal insurance backstop could close the gap as insurers cut coverage to limit their exposure.
In August, Lloyd’s of London issued a market bulletin stating that, from 2023, it is set to introduce cyber insurance exclusions to coverage for “catastrophic” state-backed attacks, as cyberattack risks involving state actors have additional features that require consideration. While Lloyd’s stated that it “remains strongly supportive of the writing of cyberattack cover,” it recognizes that “cyber-related business continues to be an evolving risk.”
Comments on the FIO’s request are due by November 14th. Following receipt and review of all comments, the FIO and CISA will provide Congress with a joint assessment of whether a federal insurance response to catastrophic cyber incidents is warranted.