
U.S. watchdogs are worried that cyber insurance may not cover “catastrophic cyberattacks.”


The cyber insurance market has matured rapidly in recent years, but it may be inadequate for certain large-scale attacks, US government spending watchdogs warn.

The US Government Accountability Office (GAO) is calling for a federal response to insurance against “catastrophic” cyberattacks on critical infrastructure. A functioning insurance market is essential for key infrastructure operators, as emphasized by businesses, consumers, and GAO.

GAO, which audits the trillions of dollars the U.S. government spends annually, warns that private insurance companies and the U.S. government’s official terror risk insurance, the Terror Risk Insurance Program (TRIP), may not be able to cover the catastrophic economic losses resulting from cyberattacks.

“Cyber attacks, even if they cause catastrophic losses, may not meet the criteria of a program to be certified as terrorism. For example, to be certified, the attack must be inherently violent or compulsory,” says GAO.

Ransomware and insurance are difficult issues due to the whims of attribution. Ransomware is primarily carried out by cybercriminals, but several incidents that have caused millions of dollars in losses have been officially attributed to the Russian, North Korean, and Chinese governments by Western governments.

Some insurers use these official attributions to avoid paying victims. These cases may be interpreted in court as acts of war that are not covered by cyber insurance contracts. Insurance policies cover acts of terrorism, but they also have provisions that limit them to authorized acts of violence.

“Government insurance may only cover cyber attacks if they are considered ‘terrorism’ under defined standards,” GAO said in a statement.

With Russia’s continued invasion of Ukraine, insurance issues are now a bigger concern for the U.S. government, as the invasion may spur cyber attacks from Kremlin-backed hackers on U.S. organizations in response to U.S. sanctions on Russia and its businesses.

So what should the US do at the national level, in GAO’s view, if the corporate cyber insurance market may not be able to support businesses?

“Federal insurance coverage must include clear criteria for coverage, specific cybersecurity requirements, and a dedicated financing mechanism with concessions from all market participants,” GAO said.

As GAO points out, some insurers are ring-fencing policies to protect themselves from incidents that cause systemic problems. For example, insurance companies do not respond to attacks that could technically fall into the war category.

GAO states that TRIP is a “government backstop against terrorist losses.” Combined with cyber insurance, it provides some protection, but “both limit the ability to cover the catastrophic losses of a systemic cyber attack.”

“Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware,” says GAO.

“But private insurers are taking steps to limit potential losses from systematic cyber events. For example, insurers are excluding compensation for losses from cyber warfare and infrastructure outages. TRIP will cover the loss of a cyberattack if it is considered terrorism. However, the cyberattack may not meet the criteria of a program to be certified as terrorism, even if it causes catastrophic loss. For example, in order to be certified, the attack must be violent or compulsory in nature.”

GAO wants the federal cyber security agency, the Cybersecurity and Infrastructure Security Agency (CISA), to work with the director of the Federal Insurance Department to assess whether “the risk of a catastrophic cyberattack to the country’s critical infrastructure, and the potential financial exposure resulting from these risks, guarantees federal insurance coverage.”


