Flood Insurance for Cyberattacks? A Federal Proposal

Morgan Lewis - Tech & Sourcing

The US Treasury Department has issued a request for public comment on a federal cyberinsurance program that would aim to cover the costs associated with severe cyberattacks. The Federal Insurance Office (FIO) and the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are currently conducting a joint assessment for Congress. Because cyberattacks are occurring so frequently, rates for cyberinsurance coverage have soared, making it difficult for businesses to afford coverage, if it is even available. The proposed federal program would focus on critical infrastructure and be used as a backstop.

The cyberinsurance market has grown over the years, with approximately $4 billion in direct premiums written in 2020. However, the frequency and severity of cyberincidents impacting critical infrastructure have also grown. A GAO report citing a 2020 CISA study found that the estimated potential losses from severe cyberincidents ranged from $2.8 billion to $1 trillion per event for the United States.

In the United States, insurance is generally provided through private insurers. However, the federal and state governments have supplemented the private market when private insurers have failed to offer affordable coverage to policyholders. For example, at the federal level, the government offers the National Flood Insurance Program (NFIP). In addition, many states have created residual market funds for policyholders to obtain coverage for natural disasters, malpractice liability, and other damages.

Some topics on which the FIO seeks comment include the following:

  • What sectors of the US critical infrastructure are more susceptible to cybersecurity incidents?
  • What amount of financial losses should be deemed “catastrophic” for purposes of a federal insurance response?
  • What cybersecurity measures would most effectively reduce the likelihood or magnitude of a catastrophic cybersecurity incident, and how should the federal government incentivize the use of such measures?
  • What insurance is currently available for catastrophic cybersecurity incidents?
  • Is a federal cyberinsurance program warranted?
  • What structure should a federal cyberinsurance program follow? For example, should it follow the structure of a current federal insurance program, such as NFIP?
  • Should all cyberinsurers be required to participate, and what should be included in the scope of coverage?
  • Should the program differentiate between businesses that are US based or have their infrastructure located within the United States and international businesses?
  • Should policyholders be required to implement certain cybersecurity measures?

Comments are due on or before November 14. We will continue following this potential development that could dramatically change the cyberinsurance market.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis - Tech & Sourcing | Attorney Advertising
