Cyber Insurance, TRIP Might Fall Short in Infrastructure Attacks


June 30, 2022


Cyber attacks targeting critical infrastructure like utilities or financial services could result in catastrophic financial losses that cyber insurance and the federal Terrorism Risk Insurance Program (TRIP) might be unable to cover, according to a new report from the US Government Accountability Office (GAO).

While cyber insurance can help offset costs of common cyber risks like data breaches or ransomware, cyber risks are growing, and cyber attacks targeting critical infrastructure could affect entire systems, according to the GAO report, "Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks."

The GAO recommended that the US Departments of the Treasury and Homeland Security jointly assess whether a federal response is needed to address the risk.

The GAO report found that US critical infrastructure such as utilities, financial services, and pipelines faces increasing cyber-security risks. Greater use of interconnected systems has made such critical infrastructure more vulnerable to cyber attacks, the GAO report said.

Meanwhile, threat actors—including nation-states, criminal groups, and terrorists—have become increasingly capable of carrying out cyber attacks on critical infrastructure, according to the GAO, while cyber attacks, including those affecting critical infrastructure, have increased in frequency and cost.

The GAO report noted that the effects of cyber attacks can spill over from the initial target to economically linked firms, potentially magnifying the damage to the economy. It cited the May 2021 Colonial Pipeline Company cyber attack that led to gasoline shortages as an example.

"Cyber insurance and the Terrorism Risk Insurance Program—the government backstop for losses from terrorism—are both limited in their ability to cover potentially catastrophic losses from systemic cyber attacks," the report said. "Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware. However, private insurers have been taking steps to limit their potential losses from systemic cyber events."

The report noted that insurers are excluding coverage for losses from cyber warfare and infrastructure outages. Meanwhile, TRIP covers cyber-attack losses if they are considered terrorism, among other requirements, though cyber attacks may not meet the program's criteria to be certified as terrorism, even if they result in catastrophic losses. For example, the report said, attacks must be violent or coercive in nature to be certified as terrorism under TRIP.

"The Department of the Treasury's Federal Insurance Office and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) both have taken steps to understand the financial implications of growing cyber security risks," the report said. "However, they have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response."

Ultimately, the GAO recommended that CISA and the Federal Insurance Office "jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment." Both agencies agreed with the recommendation, the GAO said.
