A government watchdog has warned that private insurance companies are increasingly backing out of covering damages from major cyberattacks — leaving American businesses facing “catastrophic financial loss” unless another insurance model can be found.
The growing challenge of covering cyber risk is outlined in a new report from the Government Accountability Office (GAO), which calls for a government assessment of whether a federal cyber insurance option is needed.
The report draws on threat assessments from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Justice to quantify the risk of cyberattacks on critical infrastructure, identifying vulnerable technologies that might be attacked and a range of threat actors capable of exploiting them.
Citing an annual threat assessment released by the ODNI, the report finds that hacking groups linked to Russia, China, Iran, and North Korea pose the greatest threat to US infrastructure — along with certain non-state actors like organized cybercriminal gangs.
Given the wide and increasingly skilled range of actors willing to target US entities, the number of cyber incidents is rising at an alarming rate.
“Although federal agencies do not have a comprehensive inventory of cybersecurity incidents,” the report reads, “several key federal and industry sources show (1) an increase in most types of cyberattacks across the United States— including those affecting critical infrastructure, and (2) significant and increasing costs for cyberattacks.”
In 2016, US businesses and public bodies were hit with a total of 19,060 incidents in the four major categories — ransomware, data breaches, business email compromise, and denial of service attacks — with a total cost of $470 million, per a GAO analysis of FBI reports. In 2021, there were 26,074 incidents, and the total cost was close to $2.6 billion.
The report also cites specific incidents that have had a spillover effect on the wider economy, notably the cyberattack on the Colonial Pipeline that took a 5,500-mile-long fuel transporting operation offline. In that attack, the pipeline operator paid a ransom of $4.4 million to the hackers — despite advice from law enforcement agencies that ransom demands should always be rejected.
Spooked by the possibility of having to cover such large losses, private insurers are backing out of the market by excluding some of the most high-level cyberattacks from being covered by insurance policies. While data breaches and ransomware attacks are generally still covered, the report finds that “private insurers have been taking steps to limit their potential losses from systemic cyber events,” declining to cover losses incurred by acts of cyber warfare or deliberate infrastructure targeting.
According to the US Department of the Treasury, some insurers have also been mitigating their exposure by lowering the maximum amount that a policy will pay out in the case of a cyberattack and / or increasing premiums in an attempt to protect themselves from losses. There’s further evidence that some insurance companies are pulling back from coverage in infrastructure sectors entirely, the GAO found, judging the risk of attack as too high.
Overall, the GAO report suggests that CISA and the Federal Insurance Office undertake an assessment into whether the above factors necessitate a federal insurance response along the lines of FDIC insurance for bank deposits and the National Flood Insurance Program.