Title: As Cyberattack Risks Increase, How Is The Insurance Market and Government Responding?

Description: Recent cyberattacks, such as the ransomware attack on Colonial Pipeline last year, have illustrated the significant economic cost cyber threats can pose as well as the importance of preparing for future incidents and their financial tolls. But insurance companies may be unwilling or unable to offer coverage against this growing threat, which has the potential for catastrophic losses. We talk with GAO's Dan Garcia-Diaz to find out more.

Related GAO Work: GAO-22-104256, Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks

Released: June 2022

[Music]

[Dan Garcia-Diaz:] Financial services, health care, energy and our other critical infrastructure sectors are becoming more vulnerable to large cyberattacks.

[Holly Hobbs:] Hi, and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm your host, Holly Hobbs. Recent cyberattacks, such as last year's ransomware attack on Colonial Pipeline, have illustrated the significant economic cost of cyberattacks. Insurance policies could protect companies from these potentially catastrophic financial losses. But insurance companies may be unwilling or unable to offer coverage against this growing threat. Today, we'll talk with Dan Garcia-Diaz, the Managing Director of our Financial Markets and Community Investment team, about a new report that looks at the cyber-insurance marketplace, as well as federal efforts to address cyber risks. Thanks for joining us, Dan.

[Dan Garcia-Diaz:] Thanks, Holly, for having me.

[Holly Hobbs:] So Dan, help set the scene for us. Has our critical infrastructure--which includes important things like pipelines, electricity grids, our health and financial systems--become more vulnerable to cyber threats?

[Dan Garcia-Diaz:] So, Holly, the short answer is yes.
And the reason is, these critical infrastructures need IT systems and networking to do their work. These systems are highly interconnected. And also owners and operators of these critical infrastructures continue to expand the use of IT--especially during the pandemic, when social distancing and working from different locations were needed. So, the ever-expanding kind of reliance on IT systems and networking has created more points in a network that attackers can try to enter and compromise the system.

[Holly Hobbs:] So what does the insurance market for coverage from these attacks look like?

[Dan Garcia-Diaz:] So, cyber-insurance products have been around for a long time, about 20 years or so. And cyber-insurance policies cover common cyber-related losses, such as those associated with data breaches and ransomware attacks, and resulting lost business or business interruption costs. But this market has been changing and in part because there's a growing appreciation of the nature of the risk. Because of the interconnectedness of our critical infrastructures, there is a kind of a realization that cyberattacks can cause systemic damage and disruption to the economy. And as a result, insurers are starting to take steps to limit their exposure to these losses. So, for example, some insurers have reduced their limits for cyber coverage, raised premiums, and added exclusions for things like cyberattacks that are acts of war by a nation-state.

[Holly Hobbs:] And Dan, what about government-insurance programs, like the Terrorism Risk Insurance Program (or TRIP)? How does that fit into this picture?

[Dan Garcia-Diaz:] After September 11, insurers were taken aback by the potential impact of non-conventional terrorism attacks. And as a result, they kind of pulled back from the market. And so, a lot of developers found it very difficult to obtain property-insurance coverage because of this threat of a terrorist attack.
As a result, the Terrorism Risk Insurance Program was established with a federal/private cost-share arrangement and a limit to what the private insurers would have to cover. For a terrorism event to be covered by the program, the Treasury Secretary must first certify the event as an act of terrorism. But cyberattacks don't tend to meet the criteria for the Terrorism Risk Insurance Program for a variety of reasons. Attacks must be violent or coercive in nature, and many cyberattacks that we've seen do not meet that criteria.

[Holly Hobbs:] So then what happens if coverage isn't available?

[Dan Garcia-Diaz:] It's possible that a cyber-attacked entity would suffer such large losses as to not be able to continue operating. If a cyber-incident leads to enormous losses, it's likely the federal government would step in to cover these losses. This would create a significant, implicit fiscal exposure to the government. And actually, the federal response to the COVID-19 pandemic provides a really good example. Before the pandemic, there really wasn't any meaningful federal insurance or other financial assistance programs that existed to address lost business revenue from a global health catastrophe. And since March 2020, Congress has appropriated trillions of dollars to offset lost revenue and employment due to the disruption caused by the pandemic. The same thing would likely happen if we suffered a catastrophic cyberattack with systemic effects.

[Holly Hobbs:] We've said these attacks could mean catastrophic financial losses. What does that mean?

[Dan Garcia-Diaz:] So, DHS's cybersecurity agency issued a report back in 2020 where it analyzed available cyber incident studies to better understand cost and losses from these incidents. And the report estimated the impact of certain scenarios ranged from $2.8 billion to $1 trillion per event. So the scale of loss here could be considerably high.
They also issued a report on the challenges facing the cyber-insurance market, such as the lack of data and information sharing. And in November 2021, Treasury revised its annual terrorism risk insurance data-call to collect from insurers additional information on the availability and affordability of cyber insurance coverage. And all of these are positive steps.

[Music]

[Holly Hobbs:] So Dan just told us that the insurance market against cyberattacks is evolving, often in a way that means less coverage against potentially catastrophic financial losses--which could result in a larger role for the federal government. But that still, a lot is unknown about the risks and full costs of these attacks. So Dan, what additional actions or what recommendations do we have for improving federal efforts?

[Dan Garcia-Diaz:] Well, we think both Treasury and DHS have taken steps to better understand cyber-risks in cyber insurance. But we think they could do more. We have a recommendation for both Treasury and DHS to jointly assess whether cyber-risks, and particularly the risk of a systemic cyber-attack with catastrophic losses, warrant a federal insurance response. We think this assessment could help inform congressional deliberations on the matter. And further, if Congress decides to create a federal insurance response for a catastrophic cyber risk, we've also included some advice on how they should consider designing the response using a previously developed framework we created to evaluate large scale federal assistance efforts.

[Holly Hobbs:] And last question, what's the bottom line of this report?

[Dan Garcia-Diaz:] Financial services, health care, energy and our other critical infrastructure sectors are becoming more vulnerable to large cyberattacks. Insurance can help cover some of these losses, but they won't be able to cover the largest systemic attacks.
So the nation's leading agencies on cybersecurity and insurance need to come together to assess whether the risk and the potential financial exposure warrant a federal insurance response. Such an assessment is going to help congressional decision-making. And really, the time is now for such actions. We do not want to be developing a response after a catastrophic event. We want to be prepared for it.

[Holly Hobbs:] That was Dan Garcia-Diaz talking about GAO's recent review of cyber insurance. Thanks for your time, Dan.

[Dan Garcia-Diaz:] Thank you.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Spotify or wherever you listen and make sure to leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.