A government watchdog has warned that private insurance companies are increasingly withdrawing from covering damages from major cyber-attacks, leaving US companies facing “catastrophic financial losses” unless another insurance model can be found.
The growing challenge of covering cyber risks is described in a new report from the Government Accountability Office (GAO), which calls for a government assessment of whether a federal cyber insurance option is needed.
The report draws on threat assessments from the National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Justice to quantify the risk of cyberattacks on critical infrastructure, the vulnerable technologies that can be attacked, and the range of threat actors that can exploit them.
Citing an annual threat assessment released by the ODNI, the report finds that hacking groups associated with Russia, China, Iran and North Korea pose the greatest threat to US infrastructure — along with certain non-state actors such as organized cybercriminal gangs.
Given the wide and increasingly skilled range of actors willing to attack US entities, the number of cyber incidents is rising at an alarming rate.
“While federal agencies do not have a comprehensive inventory of cybersecurity incidents,” the report reads, “several major federal and industrial sources (1) show an increase in most types of cyberattacks in the United States, including those involving critical infrastructure, and (2) significant and increasing costs for cyber attacks.”
In 2016, US companies and government agencies were affected by a total of 19,060 incidents across the four main categories — ransomware, data breaches, corporate email compromises and denial of service attacks — with a total cost of $470 million, according to a GAO analysis of FBI reports. In 2021, there were 26,074 incidents and the total cost was nearly $2.6 billion.
The report also cites specific incidents that have had a spillover effect on the economy at large, most notably the Colonial Pipeline cyber-attack that took a 5,500-mile fuel-transport operation offline. In that attack, the pipeline operator paid a $4.4 million ransom to the hackers — despite law enforcement’s advice that ransom demands should always be rejected.
Alarmed by the possibility of having to cover such large losses, private insurers are pulling out of the market by excluding some of the most sophisticated cyber-attacks from policy coverage. While data breaches and ransomware attacks are still generally covered, the report finds that “private insurers have taken steps to mitigate their potential losses from systemic cyber events”, refusing to cover losses caused by cyber warfare or deliberate targeting of infrastructure.
According to the US Treasury Department, some insurers have also limited their exposure by lowering the maximum amount a policy will pay out in the event of a cyber-attack and/or increasing premiums in an effort to protect themselves from losses. The GAO also found evidence that some insurance companies are withdrawing entirely from coverage in infrastructure sectors where they rate the risk of an attack as too high.
Overall, the GAO report recommends that CISA and the Federal Insurance Bureau conduct a review to assess whether the factors above necessitate a federal insurance response along the lines of FDIC bank deposit insurance and the National Flood Insurance Program.