Federal government considers sharing costs for ‘catastrophic’ cyber incidents

As cyberattacks continue to rise, the federal government is contemplating whether it should step in to help private insurance companies cover some of the costs related to severe cyber incidents.

The Treasury Department and Cybersecurity and Infrastructure Security Agency (CISA) recently asked stakeholders in the industry to weigh in on whether there’s a need for a federal insurance response to “catastrophic” cyber incidents and, if so, how such a program should be implemented. 

The request stems from recommendations made by the Government Accountability Office (GAO) suggesting that the agencies conduct a joint assessment to determine the federal government’s role in cyber insurance.

This comes as private insurance firms have significantly increased premiums for companies seeking cyber coverage and, in some cases, denied coverage for state-sponsored cyberattacks as their frequency has surged over the past few years.

Currently, the U.S. government does not have a federally backed cyber insurance program to deal with destructive cyberattacks.

“I think what you’re seeing is the government sort of thinking about this from their side … if they should be doing more to help companies that are hit and, if so, how should they define what the thresholds are,” said Josephine Wolff, an associate professor of cybersecurity policy at the Tufts University Fletcher School. 

“They’re clearly evaluating that and trying to think carefully about it right now,” Wolff added.

Cyberattacks, specifically ransomware, have significantly increased over the last two years as cyber criminals have sought to extort victims amid the pandemic.

Just this summer, ransomware attacks rose 47 percent from June to July, according to a report published by cybersecurity firm NCC Group.

Previous reports conducted by the firm indicated that ransomware cases had declined in the spring following a surge earlier in the pandemic but soon picked up again, with attacks increasing from 135 in June to 198 in July.

The costs of those attacks can be astronomical: The Treasury’s notice cited a 2020 study conducted by CISA that estimated the U.S. could suffer between $2.8 billion to $1 trillion in losses from a single severe cyber incident.

As attacks have increased, so have the number of companies seeking cyber insurance. In its 2021 report, the GAO found that companies choosing to get cyber coverage from their insurance providers rose from 26 percent in 2016 to 47 percent in 2020.

At the same time, however, the surge in cyberattacks has dramatically increased the cost of cyber insurance premiums, experts said.

Andrea DeField, a partner at Hunton Andrews Kurth, said some of her clients are seeing premiums increase by 25 to 200 percent in just one year.

DeField said the increase in premiums is primarily driven by rising ransomware attacks.

Cyberattacks “can be really expensive [for insurers], especially if the company wasn’t adequately prepared with good backup,” DeField said.

Insurance companies have also started limiting their coverage for certain high-risk clients and tightening their policy terms and conditions as a way to minimize their exposure, the GAO reported.

“As demand for cyber insurance has increased, so has uncertainty about the market,” the GAO said. “It’s become more challenging to price cyber risk and to make this coverage available.”

The GAO added that the cost of cyber insurance is partly based on the “frequency, severity, and cost of cyberattacks, all of which have been increasing.” 

“The market has hardened, it’s harder to get [a cyber insurance policy] and you have to have better cyber hygiene” to be considered, DeField added.

Some insurance companies have gone as far as denying coverage for state-sponsored cyberattacks, as they consider them acts of war.

Late last year, for instance, Lloyd’s of London, a global insurance marketplace, issued a guidance stating that it would no longer cover cyberattacks carried out by foreign threat actors. 

“I think it was a concern that they didn’t want to cover anything that could be a true act of war and that it’s getting harder to draw that line given the current threat climate as to what is a state-sponsored cyberattack,” DeField said of that guidance.

In a recent notice clarifying the original guidance, Lloyd’s explained that “cyber related business continues to be an evolving risk.”

“In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure … means that losses have the potential to greatly exceed what the insurance market is able to absorb,” the company said.

DeField explained that cyber insurance companies typically do not cover acts of war such as kinetic warfare, but they do have an exception to that rule when it comes to cyber terrorism, which most insurers cover.

“That was the state of play prior to Lloyd’s coming out with its new guidance,” DeField said, which she described as a “pretty significant move.”

However, DeField said she hasn’t seen U.S. cyber insurance companies follow suit in excluding cyber terrorism from their coverage.

“I think they realized that a lot of the bigger commercial companies’ policyholders were not going to accept that sort of language [change] given the risks that they face in the market and how much they’re paying in premiums,” she said.

That was the case for Merck, a U.S.-based multinational pharmaceutical company, which sued its insurer in 2019 for refusing to cover $1.4 billion in damages caused by the 2017 NotPetya malware attack.

The destructive malware disrupted key Ukrainian institutions, including banks, government ministries and companies, and spread to other countries, including the U.S., the United Kingdom, France and Germany.

The insurance company argued that it was denying coverage because the attack was an act of war and had been attributed to Russia.

However, earlier this year, a New Jersey court ruled in favor of Merck, finding that the war exclusion included in the insurance policy applied only to armed conflict and did not specifically exclude coverage for state-sponsored cyberattacks.

Wolff said the Merck ruling shows that the issue isn’t “cut and dried” and that some courts will disagree with insurance companies on this matter and have different interpretations as to what constitutes an act of war. 

“Not all courts are going to view a cyberattack as an act of war,” Wolff said.

DeField added that if the private insurance market were to “pull away” and start tightening up its policies by removing the cyber terrorism exception “and companies were left with no other options, then I think we would need a federal program,” but she doesn’t think the cyber insurance industry is at that point yet.