US businesses encounter numerous hurdles in securing adequate cybersecurity insurance, as detailed by experts and industry representatives during a recent hearing before the House Homeland Security Committee’s cyber-focused subcommittee. The discussion underscored significant issues in policy terms and availability, particularly for sectors like natural gas utilities. Rising cyber threats and the complexity of current insurance offerings amplify these challenges.
Limited Availability and Complex Terms
Kimberly Denbow, vice president of security and operations at the American Gas Association, highlighted that few insurers are willing to provide policies for natural gas utilities. When such policies are available, their terms are often convoluted and difficult for operators, especially smaller ones, to decipher. Denbow suggested that standardized definitions and applications would aid in simplifying policies for better comprehension.
Coverage Gaps Amid Rising Threats
Matthew McCabe, the managing director of cyber broking at Guy Carpenter & Company, pointed out that cyber insurance typically excludes acts of war. Given the increasing state-sponsored cyber operations targeting critical infrastructure, businesses are concerned about whether their policies would cover damages related to such conflicts. This uncertainty is further complicated by the rising premiums and the challenge of adequately modeling cyberattack impacts.
Calls for Federal Backstop
The complexity and rising costs in the cyber insurance market have led to calls for a federal “backstop,” where the government would step in to guarantee coverage of large-scale losses. However, experts caution that establishing such a mechanism will be challenging. The Biden administration’s national cybersecurity strategy includes exploring this idea, but significant obstacles remain before it can be implemented.
By comparison, earlier discussions of cyber insurance focused primarily on the growing need for such protections as cyber threats evolved. Initially, policies were more straightforward, but as cyberattacks became more sophisticated, the need for clearer terms and broader coverage emerged. Earlier industry responses also indicated a less urgent push for federal involvement, reflecting the evolving nature of cyber threats and insurance needs.
In the past, the focus was on building basic cybersecurity measures within companies without heavily relying on insurance. As cyber threats increased, so did premiums and the complexity of coverage. This shift marked a significant change from the previous era, when the cybersecurity insurance market was relatively nascent and less encumbered by the current level of risks associated with cyber warfare.
Challenges in securing cyber insurance stem from the lack of consistent risk models and terminologies, contributing to friction in the market, as noted by Rep. Eric Swalwell. Demand for cyber insurance is at an all-time high, driving up premiums and making insurers wary of issuing policies. This situation puts businesses in a precarious position, balancing the need for protection with the affordability and clarity of insurance policies.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also emphasized that the private sector’s critical infrastructure must enhance its resilience against cyberattacks. CISA officials warned that businesses should not solely rely on insurance but also focus on making their systems robust against potential breaches. Recent cyber activities by state-sponsored actors illustrate the evolving nature of cyber threats, necessitating a multifaceted approach to cybersecurity.
Brandon Wales, CISA’s executive director, highlighted the significance of cyber resilience, especially in light of aggressive tactics by Chinese-backed hackers targeting critical infrastructure. The onset of the Ukraine conflict demonstrated how cyberattacks could serve as a precursor to physical confrontations, underscoring the need for resilient systems capable of withstanding such disruptions.
The rise in cyber threats and the corresponding challenges in the cyber insurance market call for a concerted effort to standardize policy terms and possibly implement a federal backstop. Businesses must balance acquiring sufficient coverage with investing in robust cybersecurity measures to protect against evolving threats. As cyber risks grow, the need for clear and comprehensive insurance policies becomes more critical, and the exploration of federal support mechanisms may provide additional stability in this complex landscape.