A government watchdog has warned that private insurance companies are increasingly forgoing coverage for damage caused by major cyberattacks, leaving US businesses facing ‘catastrophic financial losses’ unless another model of insurance can be found.
The growing challenge of cyber risk coverage is outlined in a new report from the Government Accountability Office (GAO), which calls for a government assessment to determine if a federal cyber insurance option is needed.
The report draws on threat assessments from the National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Justice to quantify the risk of cyberattacks on critical infrastructure, identifying vulnerable technologies susceptible to attack and a range of threat actors capable of exploiting them.
Citing an annual threat assessment published by the ODNI, the report finds that hacking groups linked to Russia, China, Iran and North Korea pose the biggest threat to US infrastructure, along with certain non-state actors such as organized cybercriminal gangs.
Given the wide range of increasingly skilled actors ready to target US entities, the number of cyber incidents is increasing at an alarming rate.
“Although federal agencies do not have a comprehensive inventory of cybersecurity incidents,” the report states, “several key federal and industry sources show (1) an increase in most types of cyberattacks in the United States, including those affecting critical infrastructure, and (2) significant and growing costs for cyberattacks.”
In 2016, US businesses and government agencies were impacted by a total of 19,060 incidents across four major categories – ransomware, data breaches, business email compromise and denial of service attacks – with a total cost of $470 million, according to a GAO analysis of FBI reports. In 2021, there were 26,074 incidents and the total cost was nearly $2.6 billion.
The report also cites specific incidents that had a ripple effect on the wider economy, including the cyberattack on the Colonial Pipeline that took a 5,500-mile fuel shipping operation offline. In this attack, the pipeline operator paid the hackers a $4.4 million ransom, despite advice from law enforcement that ransom demands should always be rejected.
Frightened by the possibility of having to cover such large losses, private insurers are pulling back from the market by excluding some of the most serious cyberattacks from policy coverage. While data breaches and ransomware attacks are generally still covered, the report finds that “private insurers have taken steps to limit their potential losses from systemic cyber events”, refusing to cover losses incurred through acts of cyber warfare or deliberate targeting of infrastructure.
According to the US Treasury Department, some insurers have also mitigated their exposure by lowering the maximum amount a policy will pay in the event of a cyberattack and/or raising premiums to try to protect against losses. There is other evidence that some insurance companies are pulling out of coverage altogether in infrastructure sectors, the GAO found, deeming the risk of attack too high.
Overall, the GAO report recommends that CISA and the Federal Insurance Office undertake an assessment to determine whether the above factors require a federal insurance response, on the model of FDIC insurance for bank deposits and the National Flood Insurance Program.