8 December 2022

CBI calls for federal backstop for cyber insurance

The Centers for Better Insurance (CBI) has proposed that the US Government introduce a federal backstop for cyber insurance, arguing that a large cyber-attack by a foreign power or collective of hacker groups is not something the industry can manage alone.

Over the past several years, the Federal Insurance Office (FIO) in the US Department of the Treasury (Treasury) has continued its efforts on both cyber insurance and insurer cybersecurity. The FIO says cyber insurance is a significant risk-transfer mechanism, and the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency.

The Government Accountability Office (GAO) released a report in June 2022 recommending that FIO and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) conduct a joint assessment to determine “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.” Both FIO and CISA have agreed to conduct the recommended assessment. FIO is also coordinating with the White House Office of the National Cyber Director on these issues.

The CBI’s Jason Schupp drew parallels with another US government-backed insurance backstop scheme, the Terrorism Risk Insurance Program (TRIP). Schupp argues that captives should be excluded from a backstop for cyber insurance should the government choose to adopt one.

He argues that a hybrid programme like TRIP can achieve great efficiencies by leveraging private market underwriting, pricing, and claim management discipline.

“Along with those positive attributes necessarily comes private market ingenuity in gaming the programme for unfair advantage,” he noted, adding that TRIP is “rife” with gaming by both participating insurers that do not fairly disclose the premium charged for terrorism coverage, and large corporate policyholders that have set up their own personal insurance companies (captives) to “exploit” the programme.

Schupp’s statement is in response to the Treasury’s Notice appearing at 87 FR 59161 (September 29, 2022) seeking comment on questions related to cyber insurance and catastrophic cyber incidents. Specifically, Schupp addresses Question 7 with respect to an appropriate structure for a cyber catastrophe programme.

He wrote: “The scale, complexity and dynamics of the catastrophe cyber risk suggests it would be best managed through some sort of a hybrid programme. Catastrophe cyber is not a regional risk but a national risk suggesting a federally led programme is more appropriate. Catastrophe cyber is also a rapidly evolving risk suggesting some level of private market agility would be beneficial. It is also believed individual policyholders can take mitigatory action to reduce risk and limit impact suggesting the utility of appropriate risk-based economic signalling. Finally, catastrophe cyber risk presents an enormous potential economic and operational impact leaving the federal government as the only credible financial backer for extreme events.”

He continued: “A hybrid cyber catastrophe programme offers policymakers far greater flexibility in programme design and a range of options in terms of federal financial and administrative investment. A well-designed hybrid cyber catastrophe risk programme has the potential to harness market efficiency and pricing by leveraging the private insurance industry’s frontend and backend capabilities coupled with mandatory strategic private market capital commitments.”

The CBI’s comment in full is here.