The uptick and evolving nature of cyberattacks — and the economic challenges they pose — have sparked much-needed conversations about the benefits of cyber insurance. But with so many organizations now considering the value of cyber insurance as part of a comprehensive plan for addressing their cyber-risk, insurers are closely evaluating if and how they'd remain viable in the event of a catastrophic, widespread cyberattack that implicates high volumes of policyholders.
Many cyber-insurance policies include war exclusions, nuances in widespread-event coverage, and even name specific technology providers that could present systemic risk to an insurer. As a result, there is growing uncertainty around coverage, along with a rise in exclusions that attempt to eliminate cyber-insurance providers' exposure to a broad or systemic catastrophic event. This approach also leaves insurance customers (and companies in general) holding risk for which they have extremely limited alternative options for mitigation or transfer.
Insurance and government leaders are working to identify how to make cyber insurance more sustainable and are considering a broad array of tools for addressing the systemic risk of a catastrophic, widespread cyber event. One of these tools, highlighted in the Biden Administration's National Cybersecurity Strategy, is to explore a possible federal cyber-insurance backstop. While the details in the strategy are minimal, here's what such a tool might entail and how it could potentially work to protect both insurers and their policyholders from the impact of detrimental cyberattacks.
What Is a Cyber-Insurance Backstop?
Put simply, a federal cyber-insurance backstop would involve the US government stepping in to provide aid (likely at least in part financially) to stabilize the economy in the event of a catastrophic, widespread cyber incident. Under such a framework, legislators could set requirements for private insurers to qualify for federal support.
Holistically constructed, a federal cyber-insurance backstop would transfer remote but potentially catastrophic risks from qualifying insurers (or their policyholders) to the federal government. These would be systemic risks that insurers cannot sustain on their own due to financial stability concerns; however, a federal insurance backstop could ease coverage restrictions by providing reinsurance in the event of a catastrophic loss.
The US government has similar backstop programs to assist with natural disasters, even underwriting direct insurance coverage. The first step toward putting something like this into practice would be to identify what constitutes a catastrophic cyber event. Fortunately, cybersecurity experts are well-positioned to support this area. While building out what this would look like for cybersecurity would take time, it has the potential to be a legitimate resolution to a complex problem.
If implemented properly, a federal cyber-insurance backstop could deliver many benefits. To name a few:
Utilizing insurance to enforce better safety: Insurance can be a trigger to reduce risk more broadly. We're seeing this across industries outside of cybersecurity; for example, in the housing and property market, insurers are requiring automatic sprinkler systems for property insurance; the healthcare industry is outlining benchmarks for healthy living; and auto insurers are offering safe driving discounts. By defining what constitutes a catastrophic event, identifying which activities reduce the most risk, and relying on insurers to enforce these activities through underwriting criteria, a backstop can be another way to enforce better safety.
Putting more capital into the market: Broadly speaking, insurance can drive societal resilience: Not only can it enable a fast and effective distribution of funds in the event of a catastrophe, it can also provide a predefined path to remediation and access to experts during a time of need. A federal cyber-insurance backstop could allow insurers to explicitly cover widespread events and therefore put more capital into the cyber-insurance market in case of a catastrophe, ultimately building resilience as a society.
Reducing litigation risk: A growing concern in cyber insurance is uncertainty around new exclusionary language and the fact that such language hasn't yet been tested in court. A well-defined backstop could provide increased coverage clarity, ultimately reducing litigation risk, by preventing insurers and the insured from waging costly legal battles over unclear coverage in the event of a cyberattack.
Centralizing a consistent approach to risk management: The cyber-insurance industry is operating in a complex landscape for reinsurers and insurers, where policy language varies drastically across providers. A federal cyber-insurance backstop could create a more centralized, consistent approach that ultimately helps support organizations' security and insurers' financial stability.
An Industrywide Effort
The implementation of a federal backstop could be a positive move for the security community overall and a step forward in continuing to make cyber insurance a viable option for corporations. It could also advance the cyber-insurance industry's ultimate goal: leveraging insurance to enforce and encourage better cybersecurity practices among its clients, ultimately driving down cyber-risk and making risk transfer more affordable.
With that said, to do this effectively, a backstop cannot be built in a vacuum. Cybersecurity experts, insurers, and the federal government must all work together to design one that accounts for the nuances and complexities of the evolving cyber-threat landscape. Its inclusion in the National Cybersecurity Strategy is just the start.