Federal risk pool proposed to insure large-scale catastrophic cyber incidents must be well crafted, says risk association

The Treasury Department and the Cybersecurity and Infrastructure Security Agency have extended the deadline to 14 December for receiving public comment on whether a federal backstop should be created to protect critical infrastructure against losses from cyberattacks.

The agencies are seeking answers on “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response,” according to the latest notice.

Support from insurance buyers

RIMS, the Risk Management Society, has added its support for the creation of a risk pool in a comment letter to the Federal Insurance Office (FIO).

The letter indicates that risk professionals would likely support a well-crafted federal cyber insurance backstop, but notes that the following concerns should be addressed when developing a solution:

  • Determining whether the scope of the federal backstop should be limited to critical infrastructure or available to all organisations in light of an incident’s cascading impact;
  • If the backstop imposes cybersecurity controls, ensuring those controls align with existing external standards such as those issued by NIST or ISO;
  • Examining whether the federal cyber insurance response should be included in the Terrorism Risk Insurance Program (TRIP) or be kept independent.

“Cyber threats, and the devastation a cyber incident can have on an organisation, consumers and systems, remain the top concern for risk management professionals around the globe,” said RIMS chief executive officer Gary LaBranche.

“RIMS looks forward to working with federal policymakers to successfully develop a solution that provides greater financial protections for cyber events, paving the way for risk professionals to continue to make the world safer, more secure and more sustainable.”

According to the Federal Register notice of potential rulemaking: “Over the past several years, the Federal Insurance Office in the US Department of the Treasury has continued its ongoing efforts with regard to both cyber insurance and insurer cybersecurity.

“Cyber insurance is a significant risk-transfer mechanism, and the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency.”

Fears of systemic risk stall cyber growth

The cyber re/insurance market is experiencing a continued capacity crunch, with prices on both the commercial and reinsurance sides skyrocketing because of a profound imbalance between supply and demand.

Commercial rate rises of over 300% are not uncommon, according to one Lloyd’s broker. In 2022, the total size of the global cyber insurance market is estimated at below $10 billion.

Recent loss experience and concerns over the potential systemic nature of the risk have caused carriers and reinsurers to hit the pause button.

Just as the creation of a terrorism insurance backstop helped to create a viable market in the post-9/11 era, some commentators hope the creation of a federally backed cyber risk pool could help the cyber insurance market reach its potential.