The Government Accountability Office has expressed support for the Treasury Department increasing the amount of information it collects from insurers regarding cybersecurity claims, as part of a program that allows the government to help pay off insured claims in the event of a catastrophic event.
The Treasury's Federal Insurance Office on Friday published a notice in the Federal Register soliciting feedback on new cybersecurity worksheets that participants are required to submit under the Terrorism Risk Insurance Program. TRIP was created by statute to help insurance companies stay viable after the 9/11 attacks, when it was difficult to find companies willing to shoulder the risk of such losses in the future.
“As GAO has previously reported, obtaining complete information on cyber insurance and loss has been a persistent problem in overseeing the Terrorist Risk Insurance (TRIP) program,” John Pendleton, director of financial markets and community investment for GAO, told Nextgov. “Collecting additional data on coverages and losses, including ransomware, would help assess the adequacy of TRIP, so this effort is a step in the right direction.”
Cybersecurity insurance has long been viewed as a non-regulatory, market-based way to improve the defenses of private sector entities. But it has also been controversial amid ambiguous policy definitions and a lack of data to inform sound pricing systems. The rise of ransomware has drawn more attention to the industry, as some policymakers have expressed concern that payments from insurance companies are an unnecessary incentive for malicious actors. But as aggressors demanded higher and higher ransoms, the insurance industry also seemed to welcome government involvement in the production of better actuarial models.
“Without comprehensive, high-quality cyber loss data, it can be difficult to estimate potential losses from cyber attacks and the pricing policies as a result,” read the GAO report released in May under the National Defense Authorization Act of 2021. “Some industry participants said federal and state governments and industry could work together to collect and share incident data to assess risk and develop cyber insurance products.”
In this report, the GAO announced upcoming work specifically around TRIP.
“Our broader review of TRIP is underway and we expect to complete our report in spring 2022,” Pendleton said.
The Treasury navigates a narrow lane between trying to work with insurers to collect data on ransomware payments and warning insurance companies and other financial third parties that they run the risk of violating sanctions by making such payments, due to the likelihood of attacks being sponsored by adversary regimes like North Korea and Iran.
“The cyber insurance market continues to grow and evolve, and losses related to cybersecurity (particularly with regard to ransomware) have increased significantly over the past few years,” reads the Treasury's request for comments. “In view of recent market developments and the important role of cyber insurance in the program, the Treasury would appreciate more detailed information on the availability and affordability of such coverage in the market.”
The Treasury noted that states, which are responsible for regulating the insurance industry, will also separately solicit comments on the proposal through the National Association of Insurance Commissioners.
Comments to the Treasury are due within 60 days of publication of the notice.
And one cyber insurance company, Resilience, which was among those attending a White House event this summer with representatives from industries the administration sees as crucial to advancing cybersecurity, has already weighed in.
“This proposal could allow both insurers, as well as the federal government, to gain a better understanding of cyber threat insurance coverage, in all businesses of all sizes,” Amy Chang, chief risk officer and of the response at Resilience, told Nextgov. “As the aggregated data and trends become public, this would provide the insurance market with useful context on cyber insurance solutions and claims data. Ultimately, insurers can use this data to better respond to the continuing evolution of these threats and provide more refined and protective solutions for US businesses.”