A Cyber Insurance Backstop
One possible solution, touted by former Department of Homeland Security Secretary Michael Chertoff on a recent podcast, would be for the federal government to step in and help pay for these sorts of attacks by providing a cyber insurance backstop.
A cyber insurance backstop would give insurers a way to receive financial support from the federal government if a catastrophic cyberattack caused so much financial damage that they could not afford to cover all of it.
There is a growing consensus among insurers in favor of the creation and implementation of a federal cyber insurance backstop.
In an August 2022 bulletin, Lloyd's instructed its underwriters to exclude from all cyber insurance policies not just losses arising from war but also "losses arising from state backed cyber-attacks that significantly impair the ability of a state to function or that significantly impair the security capabilities of a state." Other insurers, such as Chubb, have tried to avoid tricky questions about attribution by suggesting exclusions for cyberattacks that pose a "systemic risk" or impact multiple entities simultaneously.
In 2022 the Federal Insurance Office in the Treasury Department published a Request for Comment on a "Potential Federal Insurance Response to Catastrophic Cyber Incidents." The responses recommended a variety of possible backstop models: expanding the Terrorism Risk Insurance Program (TRIP) to encompass certain catastrophic cyber incidents, creating a new structure similar to the National Flood Insurance Program that helps underwrite flood insurance, or trying a public-private partnership backstop model similar to the United Kingdom's Pool Re program.
One might argue similarly that a cyber insurance backstop would subsidize those companies whose security posture creates the potential for cyber catastrophe, such as the NotPetya attack that caused $10 billion in damage.
News URL
https://www.schneier.com/blog/archives/2024/02/a-cyber-insurance-backstop.html