Federal Review Questions Whether Private Insurers Can Absorb Cyber Losses

The U.S. federal government has reignited a critical debate over the capacity of private insurers to effectively manage catastrophic cyber risks. The ongoing discussions question whether a public backstop is necessary, a conversation that has been prevalent in both U.S. and U.K. policy circles for several years. The renewed concern centers on the unpredictable nature of cyber risks, which may have escalated beyond what private insurance companies can absorb.
This week, a notice published in the Federal Register has solicited public comments on the current handling of cyber incidents under the Terrorism Risk Insurance Program (TRIP). This program was instituted post-9/11 to ensure that insurers can provide coverage in the event of large-scale attacks without risking a systemic collapse. The effort is particularly noteworthy as it reflects a growing recognition that cyber incidents may require a federal response similar to that provided for traditional terrorism.
Originally established in 2002, TRIP was designed to stabilize the insurance markets following substantial losses and uncertainty generated by terrorist attacks. Under this framework, the federal government provides a backstop for insured losses resulting from acts of terrorism, intervening when industry losses surpass a set threshold. However, there has always been a gray area regarding cyber incidents, with many potentially fitting the criteria of terrorism. This ambiguity has made it difficult for insurers to appropriately model and price such risks, given the challenges inherent in determining intent, attribution, and the consequential scale of these attacks.
Officials from the Department of the Treasury are now examining whether these ambiguities are creating coverage gaps that could leave operators of critical infrastructure vulnerable in the event of significant cyber disruptions. In their request for comments, which is being conducted in coordination with the Cybersecurity and Infrastructure Security Agency, industry stakeholders are being asked to assess whether existing laws sufficiently cover cyber risks and whether adjustments to TRIP would be justified.
While the initiative underscores the seriousness of the issue, analysts suggest that it is still in exploratory phases rather than reflecting an imminent policy shift. Josephine Wolff, an associate professor at the Fletcher School at Tufts University specializing in cyber insurance, noted, “I don’t think there’s a huge amount of momentum for a backstop right now. The fact that they’re issuing yet another request for comment, rather than any policy proposal, suggests they’re still in the fairly early, exploratory stages of thinking about this.”
This sentiment is shared by other experts monitoring the situation. Tyler Moore, a professor at the University of Tulsa whose work focuses on cybersecurity economics, indicated that while the discussion about a federal backstop remains relevant, progress on it has stagnated. “Discussions of a backstop remain exploratory in nature, but they are still important. The industry is not prepared to deal with a widespread catastrophic cyber event,” he stated.
The frequency and severity of cyber incidents are escalating, with high-profile ransomware attacks, supply chain breaches, and nation-state activity raising alarms about the potential for systemic economic disruption. Experts have long argued that an overwhelming cyber incident, such as a coordinated attack on critical infrastructure, could generate losses that far exceed what insurers can currently absorb and manage.
Wolff emphasized that the significant market gaps primarily stem from the cost and scope of major incidents, particularly those instigated by nation-state actors or targeting critical infrastructure. “Most cyber insurance coverage is capped significantly lower than many companies would like. Attacks on power grids, water systems, or transportation networks would likely exceed what private insurers can realistically cover,” she noted.
Moore elaborated on this issue, mentioning that insurers design policies to mitigate correlated systemic losses. “Cyber insurance policies today are written in such a way to eliminate correlated risk wherever possible,” he pointed out, providing the example of the SolarWinds attack, where economic damages substantially surpassed insured losses. He cautioned that the economic hit from such incidents could be much larger, as firms often find themselves inadequately insured.
This ongoing dynamic has catalyzed recurrent discussions about the need for a federal cyber insurance backstop, akin to TRIP or other public-private risk-sharing frameworks that have emerged in contexts like terrorism and flood insurance. Past attempts in the U.S. to formalize such a backstop have faced challenges, leading policymakers to steer their focus toward broader reforms related to cyber risk management and regulatory strategies as part of the national cybersecurity agenda.
On the other side of the Atlantic, the United Kingdom, under the leadership of Prime Minister Rishi Sunak, also grappled with similar considerations but ultimately decided against implementing a government-backed cyber reinsurance scheme. The Conservative government cited concerns that such an intervention could undermine competition, even while ransomware incidents surged and exerted pressure on the insurance market.