Part Two: Opportunities for Policy Intervention
The lack of affordable and effective cyber insurance coverage is causing problems for the nation’s cybersecurity. While providing better coverage should primarily be a private endeavor, the federal government can help with the effort through legislative and/or regulatory action and, at the same time, advance existing policy objectives. There are two key areas where industry and government goals meet. First, a data-sharing regime could help insurers refine their pricing and coverage while adding incentives for incident reporting. Second, a federal backstop providing reinsurance for insurance held by critical infrastructure could alleviate uncertainties around risks and encourage insurers to add coverage in high-risk sectors.
This two-part series introduces cyber insurance challenges and explores how the federal government can address them. This post discusses policy options for cyber insurance to promote the nation’s cybersecurity. Part one discusses the industry overall and its key challenges.
Opportunity One: Establishing a Public-Private Cyber Claims Sharing Framework
Data is crucial in the insurance industry. Having sufficient historical claim data allows insurers to design products that more adequately address the risks that the insureds face. In cyber, the lack of cyber claim data has led to inaccurate risk evaluation and premiums not reflective of the underlying cyber risk. The disparity contributes to the capacity reduction currently facing the insurance market, harming both the insurers and the insureds. Government should mandate a data sharing framework that aggregates cyber claim data from insurers since existing initiatives are insufficient. This shift would improve the market’s and government’s visibility into current cyber threats.
Uncertainties in evaluating risk incentivize the insurance industry to pool cyber claim data, but incentives alone are insufficient to facilitate large-scale participation. Claim data sharing is a common practice in many lines of insurance business, such as health insurance and auto insurance. The recent growth in the cyber insurance market has necessitated the development of private cyber data sharing platforms, but those that already exist are not widely adopted or agreed upon. Specifically, without data privacy standards and required participation, sharing may damage insurers’ own competitive position and compromise the insureds’ data privacy. As a result, a private data-sharing framework may not solve the market’s problems anytime soon.
While the cyber insurance industry works on a private data-sharing framework, the government is also trying to get a better grasp of cyber incidents through reporting mandates. Government cyber incident data sharing frameworks exist for critical infrastructure and several industries, but the mandates do not cover the majority of the private sector. Although the Cybersecurity and Infrastructure Security Agency (CISA) and law enforcement encourage entities to report cyberattacks, most businesses lack the incentive and resources to aggregate the required data and navigate complex reporting requirements. Since insurers already collect incident data, which includes useful information on the impact and vectors of the attack, asking them for claim data avoids the incentive and resource issues.
Lawmakers have already proposed taking advantage of data collected by insurers, based on the Cyberspace Solarium Commission’s recommendation for a Bureau of Cyber Statistics. However, industry associations criticized the framework for requiring insurers to collect data beyond what is necessary for the underwriting process, such as the vulnerabilities that led to the attack or forensic evidence about the attacker’s identity. The associations pointed out that these requirements not only violate existing contractual obligations but also paint insurers as a lucrative target for cyberattacks.
Based on the limited feedback the proposal received and similar models abroad, we can draw a picture of a practical data-sharing framework for cyber insurance that has guardrails. First, a data sharing requirement should not go beyond the data already collected by insurers; law enforcement should conduct any additional collection. Second, it should contain provisions for proper data anonymization, security and equal access for all participating insurers to improve the accuracy of risk modeling. Third, unlike the proposal for the Bureau of Cyber Statistics, design and implementation of the framework should be led by industry and connected groups, following standards set jointly by industry bodies such as the National Association of Insurance Commissioners (NAIC) and government agencies such as CISA. A working framework for claim data sharing would allow premiums to more accurately reflect individual policyholders’ threat exposure while communicating high-quality information regarding the cybersecurity of all insured organizations.
Opportunity Two: Improve Coverage Affordability for Critical Infrastructure through a Federal Reinsurance Program
The second challenge concerns the diminishing coverage for critical infrastructure, such as healthcare, energy and other public utilities. Organizations in these sectors have traditionally been vulnerable to cyberattacks due to their extensive use of legacy systems, lack of IT resources and appeal to nation-state hackers. The possibility of larger insurance claims results in further reduced coverage in an under-supplied market. A government reinsurance program can help absorb part of the risks for private insurers, allowing them to remain profitable while offering expanded coverages for critical infrastructure.
Federal and state governments have created public reinsurance programs to address negative externalities in other private insurance markets. One example is the Transitional Reinsurance Program under the Affordable Care Act, which uses federal funding to co-insure individual healthcare claims exceeding a certain amount, enabling private insurers to provide affordable insurance plans for elderly citizens. Government risk-sharing programs like these address unfair allocations of resources for high-risk entities in a profit-seeking market. A similar program could answer the dilemma facing critical infrastructure coverage for cyber.
The most relevant existing government program is the Terrorism Risk Insurance Program (TRIP), a reinsurance program that compensates insurers for losses from “certified acts of terrorism.” After NotPetya cost insurance companies billions of dollars in 2017, insurers became worried that similar incidents in the future could make the entire business unprofitable and asked Congress to expand TRIP coverage to include “cyber terrorism.” However, researchers have pointed out that ambiguous definitions of cyber terrorism, difficulties in attribution and insufficient reinsurance capacity diminish the program’s applicability to cyber. In March 2022, the Treasury tasked CISA and the Federal Insurance Office (FIO) with considering whether the program should be expanded to include catastrophic cyberattacks, but a deadline for a solution has not been proposed.
A new reinsurance program or revisions to an existing one should clarify the definition of cyberattacks and the certification process for cyber terrorism. It should also consult industry regarding the provision of capacity and the co-insurance threshold. Finally, the program should ensure that subsidized insurance does not disincentivize better cybersecurity, possibly by imposing a higher minimum security requirement on organizations insured by the program.
Overall, the federal government’s and insurers’ interests align to improve the nation’s cybersecurity. While insurers adjust to the evolving cyber threats, the government should empower the market by removing the information barrier within the market and by providing a reinsurance safety net to protect the most vulnerable organizations. These two recommendations would make significant headway in addressing the capacity issues in the current insurance market and in improving national cybersecurity.
Jeff Qiu is a research assistant with the R Street Institute’s Cybersecurity and Emerging Threats Team. He is pursuing a master’s degree in cybersecurity and public policy at the Fletcher School at Tufts University. Before joining R Street, he worked as a software engineer at U.S. and Chinese tech companies. He earned his bachelor’s degree in economics and computer science from the University of Chicago.