In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant a federal insurance response, and to inform Congress of the results of their assessment.  CISA is the primary risk advisor on critical infrastructure, and FIO is the federal monitor of the insurance sector.

The GAO prepared this report pursuant to the Terrorism Risk Insurance Program Reauthorization Act of 2019, which, among other things, directed the GAO to conduct a study on: (1) the risks and potential costs of cyberattacks to U.S. public and private infrastructure; (2) whether states’ definition of cyber liability under a property and casualty line of insurance is adequate coverage for an act of cyber terrorism; (3) whether such risks can be adequately priced by the private market; and (4) whether the risk-share system established under the Terrorism Risk Insurance Act of 2002, which created the Terrorism Risk Insurance Program (TRIP), is appropriate for covering cyber terrorism events.

In the report, the GAO highlighted the significant and growing cybersecurity risks facing U.S. critical infrastructure and examined how the insurance market against cyberattacks is evolving, often in a way that means less coverage against potentially catastrophic financial losses. The report noted that although cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware, private insurers have been taking steps to limit their potential losses from cyberattacks with systemic effects.  Coverage under TRIP, which requires the federal government to share certain insured losses with private insurers in the event of an act of terrorism, is limited to attacks that meet certification criteria specified by the program, among other requirements.  As the GAO notes, even very large cyberattacks on critical infrastructure resulting in catastrophic losses and risk to national security might not be covered if they do not meet all the certification criteria.  For example, one criterion is that the event must be a “violent act or an act that is dangerous” to human life, property, or infrastructure.  Even though a data breach or denial of service attack may result in stolen data or IT system disruption, it may not necessarily be a violent act or dangerous to human life, property, or infrastructure.  To date, the federal government has not certified any such acts of terrorism.

The report also noted that while CISA and FIO have taken some steps to understand the financial implications of cyber risk, neither agency has fully assessed the extent to which the risks to the nation’s critical infrastructure from catastrophic cyber incidents, and the potential financial exposures from these risks, warrant a federal insurance response.  In their comments to the report, both DHS and Treasury agreed with the GAO’s recommendation to work together to produce such an assessment for Congress. DHS stated that it would review the aggregate data generated by incident disclosures under the Cyber Incident Reporting for Critical Information Act of 2022 (previously discussed here), once available, and work with Treasury in the interim to determine other data needed.  Treasury confirmed that it had reached out to DHS to begin collaboration on this effort.