The Case for a Federal Cyber-Insurance Backstop

By stepping in to provide aid, the federal government could help protect companies, insurers, and the economy from the impact of a widespread, catastrophic cyberattack.

Monica Shokrai, Head of Business Risk & Insurance, Google Cloud

June 7, 2023

4 Min Read
Key saying "cyber insurance" sitting on keyboard
Source: Panther Media GmbH via Alamy Stock Photo

The uptick and evolving nature of cyberattacks — and the economic challenges they pose — have sparked much-needed conversations about the benefits of cyber insurance. But with so many organizations now considering the value of cyber insurance as part of a comprehensive plan for addressing their cyber-risk, insurers are closely evaluating if and how they'd remain viable in the event of a catastrophic, widespread cyberattack that implicates high volumes of policyholders.

Many cyber-insurance policies include war exclusions, nuances with widespread event coverage, and even naming specific technology providers that could present systemic risk to an insurer. Therefore, there continues to be growing uncertainty around coverage and rising exclusions that attempt to eliminate cyber-insurance providers' risk from a broad or systemic catastrophic event. This approach also exposes insurance customers (and companies in general) to risk for which they have extremely limited alternative options for mitigation or transfer.

Insurance and government leaders are working to identify how to make cyber insurance more sustainable and are considering a broad array of tools for addressing the systemic risk of a catastrophic, widespread cyber event. One of these tools, highlighted in the Biden Administration's National Cybersecurity Strategy, is to explore a possible federal cyber-insurance backstop. While the details in the strategy are minimal, here's what such a tool might entail and how it could potentially work to protect both insurers and their policyholders from the impact of detrimental cyberattacks.

What Is a Cyber-Insurance Backstop?

Put simply, a federal cyber-insurance backstop would involve the US government stepping in to provide aid (likely at least in part financially) to stabilize the economy in the event of a catastrophic, widespread cyber incident. Under such a framework, legislators could set requirements for private insurers to qualify for federal support.

Holistically constructed, a federal cyber-insurance backstop would transfer remote but potentially catastrophic risks from qualifying insurers (or their policyholders) to the federal government. These would be systemic risks that insurers cannot sustain on their own due to financial stability concerns; however, a federal insurance backstop could ease coverage restrictions by providing reinsurance in the event of a catastrophic loss.

The US government has similar backstop programs to assist with natural disasters, even underwriting direct insurance coverage. The first step toward putting something like this into practice would be to identify what constitutes a catastrophic cyber event. Fortunately, cybersecurity experts are well-positioned to support this area. While building out what this would look like for cybersecurity would take time, it has the potential to be a legitimate resolution to a complex problem.

Potential Benefits

If implemented properly, there are many potential benefits to putting a federal cyber-insurance backstop into practice. To name a few:

  • Utilizing insurance to enforce better safety: Insurance can be a trigger to reduce risk more broadly. We're seeing this across industries outside of cybersecurity; for example, in the housing and property market, insurers are requiring automatic sprinkler systems for property insurance; the healthcare industry is outlining benchmarks for healthy living; and auto insurers are offering safe driving discounts. By defining what constitutes a catastrophic event, identifying which activities reduce the most risk, and relying on insurers to enforce these activities through underwriting criteria, a backstop can be another way to enforce better safety.

  • Putting more capital into the market: Broadly speaking, insurance can drive resilience as a society: Not only can it enable a fast and effective distribution of funds in the event of a catastrophe, it can also provide a predefined path to remediation and access to experts during a time of need. A federal cyber-insurance backstop could allow insurers to explicitly cover widespread events and therefore put more capital into the cyber-insurance market in case of a catastrophe, ultimately building resilience as a society.

  • Reducing litigation risk: A growing concern in cyber insurance is uncertainty around new exclusionary language and the fact that such language hasn't yet been tested in court. A well-defined backstop could provide increased coverage clarity, ultimately reducing litigation risk, by preventing insurers and the insured from waging costly legal battles over unclear coverage in the event of a cyberattack.

  • Centralizing a consistent approach to risk management: The cyber-insurance industry is operating in a complex landscape for reinsurers and insurers, where policy language varies drastically across providers. A federal cyber-insurance backstop could create a more centralized, consistent approach that ultimately helps support organizations' security and insurers' financial stability.

An Industrywide Effort

The implementation of a federal backstop could be a positive move for the security community overall and a step forward in continuing to make cyber insurance a viable option for corporations. This can also build and enforce the cyber-insurance industry's ultimate goal: leveraging insurance to enforce and encourage better cybersecurity practices from their clients, ultimately driving down cyber-risk and making risk transfer more affordable.

With that said, to do this effectively, it cannot be built in a vacuum. Cybersecurity experts, insurers, and the federal government must all work together to design a backstop that considers the nuances and complexities of the evolving cyber-threat landscape. Its inclusion in the National Cybersecurity Strategy is just the start.

About the Author(s)

Monica Shokrai

Head of Business Risk & Insurance, Google Cloud

Monica Shokrai leads business risk and insurance for Google Cloud, including managing insurance product development and partnerships for Google Cloud's Risk Protection Program. Monica is also the Head of Actuarial, Analytics & Systems for Alphabet's Business Risk & Insurance team. Monica is passionate about driving innovation in the industry through combining her experience in both tech and insurance. Prior to her current role at Google, she focused on managing new and emerging risks through working closely with Alphabet’s Other Bets.

Monica has over 14 years of experience in the risk and insurance industry and is lucky to have seen the industry from multiple angles, having worked at a consulting and brokerage firm, a large commercial carrier, a startup and now at Google. Immediately prior to joining Google, Monica spent ten years working as an actuary, most recently leading the Global pricing team at Berkshire Hathaway Specialty Insurance.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights