Published by The Lawfare Institute
in Cooperation With
Political conflict makes private insurers uncomfortable and has for a very long time. For example, as tension grew in the lead-up to World War I, the insurance industry considered excluding war-related losses from maritime policies—the consequences of which ultimately threatened to halt sea trade. In response, the British government committed to taking financial responsibility for merchant ships sunk by enemy action, concluding that public insurance was necessary to continue commerce in the presence of international conflict.
Some observers have argued that this same logic applies to cyber conflict. For at least a decade, policymakers have been discussing the creation of a backstop for cyber insurance, which would require the U.S. Treasury to accept financial responsibility for catastrophic cyber incidents.
Momentum behind the policy proposal has increased recently, due largely to a June 2022 report issued by the Government Accountability Office (GAO). The report recommended that the Federal Insurance Office and the Cybersecurity and Infrastructure Security Agency (CISA) conduct a joint assessment of “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.”
CISA’s involvement in these policy discussions is imperative, because it is the agency that would define the specified cybersecurity processes that the backstop could require policyholders to follow. After the report was issued, the GAO put out a request for comments to gauge the cybersecurity community’s response. Security vendors piled on to explain why their cybersecurity solutions should be mandated: HackerOne extolled the benefit of vulnerability disclosure and management policies, SentinelOne praised endpoint detection and response tools, and BlackFog indicated that it believed in anti-data exfiltration solutions. These vendors’ responses distract from a core issue: Which incidents should the backstop cover?
The Backstop’s Scope
Many different insurance vendors expressed opinions on what they believed would be best for the backstop to cover. Lloyd’s of London—an insurance market that currently writes 20 percent of global cyber insurance premiums—argued for a narrow backstop, because “private market solutions are preferable.” Lloyd’s of London is likely motivated by concerns that a broad government backstop would crowd out its private backstop—the Lloyd’s Central Fund—which individual syndicates (insurers) can draw on in the event of catastrophe. Notably, Lloyd’s wrote that it was open to a backstop covering infrastructure losses and state-backed attacks, which the private sector, it claims, “has little to no appetite” to underwrite.
Comparatively, the Risk and Insurance Management Society (RIMS)—a risk management industry body representing 200,000 risk professionals across 75 countries—recommended the implementation of a broad backstop. While the GAO’s report discussed a proposed backstop that would cover only risks to critical infrastructure, RIMS recommended that “the federal backstop extend to all economic sectors.” In support of this recommendation, RIMS pointed to a member survey that finds respondents would have purchased higher cyber insurance coverage limits if they were available at a reasonable rate. Essentially, RIMS is advocating for a supply-side subsidy to reduce the price of cyber insurance for a given limit, which would thus allow its members to purchase more cyber insurance.
At present, the insurance industry is reluctant to offer large limits because reinsurers are concerned about potential exposure to a variety of cyber catastrophes. Despite the fact that the cyber insurance market was estimated to have collected at least $6.5 billion in premiums in 2021, just four firms represent 80 percent of the cyber reinsurance market. Further, 50 percent of cyber insurance premiums are typically ceded to reinsurers. This means a handful of reinsurers are potentially exposed to tens of billions of dollars in cyber losses.
The associated financial stability concerns have also motivated efforts to clarify war exclusions in cyber policies, which allow insurers to deny claims linked to political conflict—specifically state-backed cyberattacks. Both Lloyd’s and RIMS agree that a backstop could help address this issue. According to its letter, RIMS hopes that a backstop would allow insurers to remove these exclusions, which would provide certainty to policyholders. However, there is no guarantee that the government will be any more reliable in certifying acts of cyber war. For example, RIMS complained in 2015 about ambiguity resulting from the U.S. Treasury not certifying that the 2013 Boston bombing was a terrorist incident, as would be required under the 2002 Terrorism Risk Insurance Act.
If It Ain’t Broke
Amid all of this discussion about the scope of a potential backstop, one must wonder: Is it even necessary? Notably, the typical justification for government insurance is not present in the cyber setting. Federal backstops are usually motivated by the risk that gaps in insurance will halt economic activity. For example, the Terrorism Risk Insurance Act was introduced in response to property developers halting construction projects due to terrorism exclusions in property insurance policies introduced after 9/11.
There is no evidence that firms are halting online economic activity because of either low cyber insurance limits or the introduction of new war clauses. It is simply unthinkable that retail firms would shut down websites and rely on brick and mortar stores because of changes in cyber insurance coverage. The impact of the digital age—and reliance on the internet—is simply too strong.
It is perhaps more realistic to consider whether insurance availability changed which technologies were adopted. Technologists have long warned that monopoly power in tech companies is increasing systemic risk. One could imagine insurers incentivizing policyholders to increase the security and diversity of products and services, thereby reducing systemic risk. Insurers could do so by offering premium discounts if firms adopt certain tech providers, or denying coverage for firms that adopt technology that increases systemic risk. Such a trend would be a positive development for national security.
However, there is little evidence that the unavailability of insurance is currently influencing technology adoption. Thus, exclusions in insurance coverage are not influencing online economic activity, let alone halting activity, as was the case post-9/11 and in the lead-up to World War I.
Winners and Losers
So who would benefit, and who would suffer, as a result of the implementation of a federal cyber backstop? A government backstop would increase the supply of insurance. Reinsurers can take advantage of the backstop by offloading potential risks—such as infrastructure attacks or state-backed attacks—to the government, thereby reducing the reserve funds they need to hold in the event of a catastrophe. The freed-up funds could then be redeployed to increase the supply of reinsurance, allowing primary insurers to cover previously excluded harms or offer greater coverage limits. Thus, policyholders are the “winners” in this instance, because they would ultimately pay less for cyber insurance—or at least get more coverage for the same price. And ultimately, the biggest cyber reinsurers sleep easier at night because the U.S. Treasury absorbs the costs of the most damaging cyberattacks.
Who loses in this instance depends on the structure of the backstop. Backstops are typically funded either by taxpayers or by an industry-wide levy. For example, for the 2002 terrorism backstop, losses paid by the Treasury Department would eventually be recovered by a 3 percent surcharge on nationwide property insurance premiums. Given that terrorism losses are most likely to be suffered by urban properties, this had the effect of evening prices across geographies. Without the levy, cities would have had to pay premiums that reflect the likelihood that they would be targeted by a terrorist attack, with properties in larger cities paying much larger premiums. The levy, however, ensured that this risk premium was shared more evenly across the country, ultimately at the expense of suburban and rural property owners.
In other cases, the benefits of insurance availability may accrue to civil society. For example, in the 1910s, the United Kingdom’s economy was largely reliant on trade and imported raw materials. Any event that halted shipping would not only prevent exporters from selling goods but also raise the costs of imported goods for all U.K. citizens. Each imported good purchased by a consumer would carry a premium, or it would not be shipped due to the unavailability of insurance. Without the state backstop for merchant ships, the country very possibly could have faced shortages, leaving U.K. citizens without important goods, including their morning cup of tea.
Neither of these justifications for terrorism and maritime backstops, however, maps onto cyber insurance. It is not clear that catastrophic cyber risk is focused on one location or industry in the same way that terrorism risk is concentrated in city centers. For example, RIMS even went so far as to lobby against a narrow backstop for cyberattacks on critical infrastructure. This means that all cyber policyholders would be covered by the backstop, but also presumably all policyholders would have to pay into an industry-wide levy to recover any payouts under the backstop. Such a scheme is reminiscent of the status quo, in which half of all cyber insurance premiums are already ceded to reinsurers, apart from the impact on the reinsurers’ solvency.
The other option is that the U.S. Treasury could simply absorb the cost of backstop payouts. This would in effect mean taxpayers subsidize cyber insurance policyholders’ exposure to systemic cyber risk. However, it is not yet clear that civil society benefits enough from online activity that taxpayers should subsidize cyber insurance. Individuals already suffer negative effects from online activity, such as online tracking and data breaches, so why should they further subsidize online economic activity? This is particularly true because of unintended consequences that may arise from subsidizing cyber insurance, such as moral hazard.
Economics 101 predicts moral hazard—a phenomenon in which policyholders engage in riskier behavior after purchasing insurance because they are protected from consequences that were much more threatening when they were uninsured. The effect of moral hazard is larger when insurance covers more risk, such as when higher coverage limits are available. In terms of cyber insurance, a government backstop increasing the supply of insurance creates the potential risk that newly insured policyholders might relax cybersecurity precautions as a result of moral hazard.
The insurance industry’s response to this phenomenon is that moral hazard is prevented by insurers incentivizing better security, termed active insurance, which multiple researchers have studied. Insurers may improve cybersecurity levels by (a) offering coverage only to firms that meet a minimum standard of cyber hygiene, (b) offering premium discounts for adopting security controls and procedures, (c) excluding claims in which basic security measures were not in place, and (d) providing rapid access to cyber incident response services. The industry is not alone in this assumption—policymakers in the United States, the United Kingdom, and the European Union have all expressed interest in cyber insurance to potentially improve cybersecurity.
There is, however, an emerging consensus that mainstream cyber insurance has been underwhelming in terms of improving ex-ante cybersecurity levels. This is supported by an extract from the RIMS letter, which explains that 59 percent of respondents to the organization’s internal survey reported that “their cyber insurance policies do not require cybersecurity controls that exceed their organization’s existing cybersecurity controls.” This state of affairs is caused by an over-supply of cyber insurance, which perversely is what a government backstop would intensify.
An over-supply of insurance prevents insurers from requesting that policyholders implement improved cybersecurity controls by creating a “race to the bottom” in due diligence and obligations on policyholders. For example, say an underwriter asks 50 questions to get a holistic perspective on the cyber risk being underwritten. A prospective policyholder would likely go to an alternative insurer that instead asks 25 questions to minimize the cost of answering the additional 25 questions asked by the first underwriter. To compete with the second underwriter and maintain a steady flow of business, the original underwriter is therefore forced to assess risk with 25 or fewer questions. Then, to compete again with the first underwriter, the second underwriter could skimp on due diligence even more—say by asking only 15 questions—to ultimately win market share. Thus, an over-supply of insurance reduces the ability of insurers to conduct due diligence, which weakens cybersecurity overall.
The ransomware epidemic, which may have peaked in 2021, provided a brief respite from this race to the bottom. Loss ratios climbed to 100 percent or more for some insurers, meaning they paid out more in claims than they received in premiums. Insurers that took the worst hits reduced the number of their cyber clients, or even withdrew from cyber insurance coverage completely. This lack of competition allowed knowledgeable insurers to begin tightening conditions for policyholders to renew cyber insurance policies, such as requiring policyholders to adopt multi-factor authentication practices.
The fall in ransomware rates in 2022 could start to unwind this process. One broker reports that “carriers are re-emerging” to offer higher limits for the first time in two years. The race to the bottom is starting to gain momentum again, which serves to reduce the incentives for policyholders to improve cybersecurity levels. A federal backstop would further intensify this phenomenon.
While historical examples suggest that government backstops facilitate economic activity—such as in the wake of 9/11 and the build-up to World War I—this is not the case for present-day cyber insurance because online activity would happen regardless.
A backstop could create an over-supply of insurance, and this may weaken incentives to improve cybersecurity levels. This discussion is reminiscent of federal insurance schemes that covered properties in areas especially vulnerable to natural disaster, such as the coasts of North Carolina and Florida. Critics of such policy measures ask why property owners should be subsidized to rebuild houses in areas exposed to natural disaster.
One might argue similarly that a cyber insurance backstop would subsidize those firms whose security posture creates the potential for cyber catastrophe, such as the NotPetya attack that caused $10 billion in damage. Infection in this instance could have been prevented by basic cyber hygiene. Why should firms that do not employ basic cyber hygiene be subsidized by industry peers? The argument is even less clear for a taxpayer-funded subsidy.