Treasury Seeks Comment on How to Structure a Cyber Insurance Program

The Treasury Department’s Federal Insurance Office wants to know whether a national cyber insurance program should require policyholders to implement basic cybersecurity measures to avoid moral hazard.

“Should cybersecurity and/or cyberhygiene measures be required of policyholders under the structure?” Steven Seitz, director of the Treasury Department’s Federal Insurance Office, asked in a request for comment to be published in the Federal Register on Thursday. “If so, what measures are required?”

Comments are due within 45 days of the publication of the notice. Those interested in speaking out on the matter can also attend a meeting of the Treasury Department’s Federal Advisory Committee on Insurance on Thursday afternoon.

The question of effective cybersecurity measures is one of several that the FIO and the Cybersecurity and Infrastructure Security Agency are asking to help prepare a report for Congress on the merits of establishing a federal cyber insurance program. Their efforts follow a recommendation from the Government Accountability Office, which Congress directed to examine the federal government’s role in cyber insurance under the National Defense Authorization Act of 2021.

GAO highlighted the possibility that a federal insurance program could create skewed incentives in the industry, especially in the wake of ransomware attacks across the country, but the agency passed the baton to the FIO and CISA to give Congress the ultimate recommendation on the issue.

The Treasury/CISA notice describes moral hazard as “the possibility that either insurers or policyholders will take unreasonable risks in reliance on a federal insurance response or fail to implement cybersecurity controls.”

Insurance is typically regulated at the state level, but there are some examples of federal programs, including the Terrorism Risk Insurance Program, overseen by the Treasury Department, and the National Flood Insurance Program, administered by the Federal Emergency Management Agency.

NFIP mandates coverage for certain properties and is funded by premiums, but the program is perpetually indebted from the huge sums paid out after catastrophic hurricanes. As experts warn of a historic hurricane hitting the state of Florida, the NFIP is set to expire if Congress doesn’t reauthorize it by the end of the week.

Introduced after the 9/11 terrorist attacks, the TRIP model essentially insures insurers and helps them protect policyholders in the event of qualifying incidents. But there is a $100 billion cap on the amount the government can pay out, and the notice cites a CISA study released in 2020 that estimated potential losses from a single cyber incident at between $2.8 billion and $1 trillion.

“Should an existing federal insurance program (e.g., NFIP or TRIP) or other U.S. or international public-private insurance mechanism serve as a model for catastrophic cyber incidents or be modified to address catastrophic cyber incidents?” the notice asks.

According to the notice, “The FIO intends to evaluate potential federal insurance responses outside of TRIP, but will also consider how potential responses might interact with or be part of TRIP.” That would raise questions about whether certain cyber incidents should be considered terrorist attacks.

The agencies also want answers to a variety of other questions, such as whether insurers are less likely to cover events that result in physical impacts and what level of financial losses should be considered “catastrophic.”

“What cybersecurity measures would be most effective in reducing the likelihood or magnitude of catastrophic cyber incidents?” the notice also asks. “What steps could the federal government take to potentially encourage or require policyholders to take these actions?”
