Much more work and collaboration need to be done, but the U.S. Treasury has reached a “tentative conclusion” that a potential federal cyber insurance backstop will be focused on catastrophic cyber risk.
“We will remain focused on the policy options for some kind of public-private sector collaboration or other federal response that cabins catastrophic risk alongside the existing and expanding commercial cyber insurance market,” said Graham Steele, assistant secretary for financial institutions at the Treasury Department.
Steele spoke Nov. 17 at a conference presented by the Volatility and Risk Institute at New York University’s Stern School of Business and the Treasury’s Federal Insurance Office (FIO), which has been tasked under the Biden administration’s National Cybersecurity Strategy with deciding if some form of federal insurance response is necessary.
A glimpse into the Treasury’s thinking provided by Steele’s closing remarks to the conference revealed an answer of “it depends.”
A “well-designed federal insurance response could address the risks of tail events while incentivizing healthy private sector practices,” said Steele, according to his remarks released by Treasury, but a “poorly designed program could shift too much risk to the government and reduce firms’ incentives” to shore up cybersecurity.
Steele said more work in 2024 will be done on the proper federal response, but it will be focused on catastrophic cyber risk since “we see that the private market for insurance against attritional cyber risk from losses other than those related to major catastrophes is dynamic and growing.”
“Waiting until after a catastrophic cyber incident occurs is sub-optimal for everyone, including private sector firms, the government that bears the responsibility for stabilizing the economy, and ultimately the taxpayers,” Steele said.
The challenge, acknowledged Steele, is the fact that unlike natural catastrophes, there is limited historical data on catastrophic cyber losses in order to model projections. Plus, potential catastrophic losses can transcend geographic boundaries as well as industries and an organization’s size.
The FIO, in a report published in September, found the cyber insurance market has grown from about $4.8 billion in direct premiums written in 2021 to about $7.2 billion in 2022, but the market wrote only 4 million more policies from 2021 to 2022. Cyber insurance premiums make up less than 1% of the property/casualty industry, Steele said. In the meantime, cyber threats continue to advance – highlighted by the growth in use of artificial intelligence and cloud services, and recent events such as the ransomware attack on the Industrial & Commercial Bank of China (ICBC), the largest-ever distributed denial-of-service attack, and heightened activity related to overseas conflicts.
While these risks have yet to cause a catastrophic loss, “they are increasing in their frequency and impact,” Steele said.
“It may be a matter of when, not if, we experience a catastrophic cyber event,” he added.