This section provides background on the cyber insurance market and catastrophic cyber incidents (CCIs), including the history of the market and past cyberattacks that are considered to be the closest examples of CCIs to date. We also discuss previous federal insurance programs and whether, in its present form, the Terrorism Risk Insurance Program (TRIP) can cover losses from a CCI. This section ends with an overview of previous research efforts in this space and lays out the four research questions that guide our investigation.
2.1. Cyber Insurance History and Current Market
The history of cyber insurance spans over two decades and reflects the ever-evolving landscape of digital threats and vulnerabilities [6]. As of 2020, it had grown to become a substantial industry, with direct premiums written amounting to around USD 4 billion [7]. Today, the United States stands as the global leader in the cyber insurance market [8,9]. This market segment is part of the broader property and casualty (P&C) insurance industry, and it offers various types of coverage to mitigate the financial impacts of cyber-related incidents, including first-party, third-party, and implicit silent cyber coverage. According to Baker and Shortland, there appears to be a trend of insurers shifting coverage for cyber risks out of general-purpose liability and property insurance policies and into specialized cyber insurance policies. These policies, which narrowly define coverage, help insurers reduce uncertainty by insuring losses of only a certain kind and for a certain amount, and not for everything cyber [10].
In its early years, cyber insurance was typically included as an addendum to commercial P&C insurance policies; however, as cyber threats became more sophisticated and the need for specialized coverage grew, standalone cyber insurance policies emerged as a significant trend. These policies are designed specifically to address the unique risks associated with cyberattacks and data breaches. The adoption of standalone cyber insurance policies varies by industry. Sectors such as financial services (59%), retail (56%), and media and entertainment (54%) are more likely to opt for standalone coverage [11]. In contrast, information technology and telecoms (35%) and energy, oil/gas, and utilities (39%) are sectors less likely to have standalone cyber insurance policies [11].
Factors such as regulatory changes, diverse cyber risks, digitalization, and supply chain vulnerabilities have propelled demand [12,13]. Threats such as ransomware, business email compromise, and fund transfer fraud are also moving organizations to seek coverage [14]. The industry grapples with challenges like risk assessment and policy standardization, which make the underwriting process for cyber insurance more complex and longer compared to traditional insurance [14]. The size of a business also plays a role in the adoption of cyber insurance [9]. According to a report by Cowbell Cyber, a cyber insurance company, 65% of small- and mid-size enterprises plan to increase spending on cyber insurance over the next two years compared to 58% of large U.S.-based enterprises [15].
By 2025, the global cost of cybercrime is estimated to be USD 10.5 trillion annually [16], underlining the significance of the cyber insurance market. As cyber threats continue to evolve and adapt to technological advancements, the demand for cyber insurance is expected to grow further [17]. Insurers will need to continually refine their policies and risk assessments to keep pace with the ever-changing landscape of cybersecurity threats and vulnerabilities. Additionally, regulatory developments and industry standards are likely to shape the future of the cyber insurance market as it continues to mature [6,18].
Unfortunately, there have been instances where insurance companies have attempted to avoid paying out on valid policies by relying on stringent policy language and exclusions. We saw this in the months following NotPetya. Mondelez International, a multinational food company based in Chicago, was a victim of the NotPetya attack, with losses totaling more than USD 180 million for the company [19]. After the attack, Mondelez, which held an all-risk property insurance policy with Zurich American Insurance, filed an insurance claim seeking compensation for its NotPetya losses. Zurich denied the claim and refused to provide coverage for damages by invoking the “hostile or war-like action” exclusion [19]. The Zurich case marked the first major legal conflict in the insurance sector over the recovery costs stemming from a cyber breach [20]. After a four-year legal battle, both parties came to a settlement at the end of 2022 before a judge could make a definitive ruling on the issue of war exclusions.
The Zurich case also provided important lessons for the cyber insurance market. For one, traditional property insurance or silent coverage should not be relied upon to cover cyber risks: because such coverage is not tailored to cyber risk, it is likely to fall short of needs and leave important risks outside coverage [21]. Of course, insurers also need to make sure that cyber insurance policies are crafted with clear wording that avoids ambiguity [21]. Given the likelihood of future state-sponsored or widespread attacks like WannaCry and NotPetya, several improvements to the cyber insurance market need to take place to prevent insurers from invoking arguments like those used by Zurich. The creation of laws and regulations can also play a crucial role in ensuring cyber resilience for both the insurance industry and policyholders. These measures can safeguard against cyber threats at both sectoral and national levels, thereby fostering a secure environment for insurers and protecting the interests of those they insure.
It is crucial to highlight that cyber incidents are not just an issue for underwriters of cyber insurance policies; they are a significant problem for underwriters of non-cyber policies as well due to “non-affirmative” or “silent” risk. Silent risk can reside in many different types of policies, even policies written by insurers that write few or no cyber insurance policies. Many traditional liability insurance policies neither explicitly include nor exclude cyber coverage or coverage of cybersecurity incidents. This vagueness results in silent cyber coverage [21]. According to a 2020 global survey, 65% of underwriters were concerned about silent cyber coverage exposure in P&C policies [22]. This is a valid concern, as USD 2.7 billion of the USD 3 billion in insurance claims that resulted from the NotPetya attack were made under P&C policies that did not explicitly cover cyber risks [22].
2.2. Catastrophic Cyber Incidents
There is not yet a widely accepted definition of what constitutes a “catastrophic” cyber incident, and the ambiguity that exists around the term is a major problem for the insurance industry. The Treasury Department states the term “catastrophic” is generally related to the magnitude of the loss, its dispersion among multiple entities, and the degree of critical services affected [5]. In many cases, the way we define catastrophic cyber incidents/risk is “in the eye of the beholder” [23]. Depending on the industry or sector, the definition of catastrophe varies widely based on the scale and scope of the impacts considered. Yet, there is broad agreement that a widespread cyberattack on critical infrastructure would be catastrophic [23].
From an insurance perspective, catastrophic cyber risk is typically defined as a single event exceeding a certain amount in insurable losses or a certain number of affected insurers [23]. Such events are often estimated to be 1-in-100-year, low-probability but high-impact events, while some vendors believe an industry-wide cyber event could result in 1-in-200-year potential losses [24]. Without a clear definition, measuring and modeling catastrophic cyber risk is a challenge. In risk modeling, access to accurate and relevant data is important to develop disaster scenarios [25]. The more data available, the more credibility the modeled outcomes have [25]. Cyber risk modeling has always been a challenge due to the lack of historical data for cyberattacks. There is even less data available for incidents that may be considered “catastrophic”, if there is any at all.
Fortunately, efforts have been made by researchers to gather and analyze datasets for cyber risk quantification and modeling. Dubois et al. (2022) conducted a systematic interdisciplinary literature review for actuaries that consisted of collecting and classifying twenty different datasets including the academic and grey literature across multiple disciplines [26]. Cremer et al. (2022) performed a similar systematic review of data availability in the academic and industry literature on cybersecurity and cyber risk management that resulted in seventy-nine unique datasets [27]. Despite these efforts, several issues and challenges were identified in both projects that severely limit actuarial work in cyber insurance. Challenges identified include a lack of cyber data, information asymmetry, and correlated and interdependent risks that hinder efficient pooling [26]. Another issue identified by Cremer et al. (2022) was that the majority of datasets identified were not on cyber risks but related to the field of intrusion detection and machine learning, making them useful for technical cybersecurity aspects but less useful for actuarial purposes [27].
In terms of measuring catastrophic risk, it was suggested in an expert panel discussion that the economic impact, network effects, and severity are three aspects that make a cyber incident “catastrophic” [23]. Other dimensions include physical manifestations such as property damage and injury, irreversibility, and systemic nature [23]. Both the incident itself and the aftermath of the event can make a cyberattack catastrophic.
The SolarWinds, Colonial Pipeline, and Maersk attacks are a few examples of cyber incidents that caused significant economic and network impacts to critical infrastructure inside the United States. The SolarWinds supply chain attack spread to thousands of computers in both private corporations and U.S. government agencies and departments [28]. The Colonial Pipeline attack had knock-on effects that impacted multiple sectors, including gas stations across the East Coast [29]. Finally, the world’s biggest shipping company, A.P. Moller-Maersk (MAERSKb.CO), experienced a global I.T. outage as a result of the NotPetya cyberattack that disrupted the global supply chain [2]. Seventy-six of the company’s ports around the world, including those in the U.S., were affected, and it took several weeks for Maersk to restore its systems [2].
The NotPetya attack demonstrated that cyber catastrophes are not just a problem for the U.S.; they are a looming threat to nations around the world. The 2021 Conti ransomware attack on Ireland’s health service was described as “catastrophic” by the head of the Republic of Ireland’s health service [30]. The attack was said to have impacted every aspect of patient care, including causing substantial cancellations to outpatient services and encrypting 80% of electronic health records [31]. Recovery from this incident took over four months [31].
Governments abroad recognize the threat of catastrophic cyber incidents and are taking steps to improve their cyber resiliency. For example, a cybersecurity strategy was developed for the energy sector at the request of the European Parliament’s Committee on Industry, Research, and Energy as it has become evident that “[t]he immediate and potentially catastrophic nature of the cyber threat across the Energy sector… demands an urgent and focused policy response” [32] (p. 8). Furthermore, the Global Cybersecurity Outlook 2023 report published by the World Economic Forum found that 91% of all respondents (global organizational leaders) believe that due to global geopolitical instability “a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years” [33] (p. 8). This includes 86% of business leaders and 93% of cyber leaders [33].
The European Union Agency for Cybersecurity (ENISA) has also issued several publications related to cyber insurance and cyber risk. Though ENISA does not have any publications related to catastrophic cyber risk, the agency has been studying the cyber insurance market, including the barriers to a strong and mature market and ways to incentivize its development, since at least 2012 [34]. ENISA has also studied the lack of commonality in risk assessment language that creates a major obstacle to market growth [35]. They have also surveyed over 260 operators of essential services across twenty-five EU member states to collect their opinions and recommended improvements regarding the contracting of cyber insurance [36]. Most recently, the agency published a study that looks at how machine learning models and artificial intelligence can be used in cyber risk modeling and insurance [37].
Insurance providers have tried to assess catastrophic cyber risk by creating disaster scenarios that could conceivably be considered “catastrophic”. For instance, Lloyd’s of London developed a realistic attack scenario in which the U.S. power grid was targeted, and a blackout in 15 states occurred for approximately 24 h [38]. In this scenario, multiple companies and insurers are impacted at the same time as effects spread across several critical infrastructure sectors. Beyond the loss of life that follows as health and safety systems become inaccessible and fail, property damage of this size is estimated to cause USD 243 billion in losses. In the most extreme version of the scenario, losses could rise to more than USD 1 trillion [38].
The Geneva Association, in their study, explored the insurability of catastrophic cyber risks, utilizing scenario analysis by having its member cyber re/insurers rank potential cyber incidents by the level of concern based on the size of possible extreme cyber losses. A denial-of-service attack, an interruption to operations caused by a worm-like malware epidemic, and a widespread ransomware attack were among the highest-ranked scenarios [24]. Disruptions to critical infrastructure, such as a cyberattack on a key utility provider or a cross-sector IT failure, were also among the scenarios of most concern to cyber re/insurers. Drawing on insights from the study, it is evident that while the insurers and reinsurers play a pivotal role in mitigating financial losses, their capacity is not unlimited. This underscores the potential benefits of creating a government support mechanism to handle major cyber incidents, bolstering insurers’ ability to extend coverage and enhance their risk absorption capabilities [24].
2.3. Past Federal Insurance Programs
The U.S. government has a long history of creating federal insurance programs, such as the National Flood Insurance Program (NFIP), the Federal Crop Insurance Program (FCIP), and the Terrorism Risk Insurance Program (TRIP). These programs are mechanisms for the FIO to provide federal assistance for coverage of catastrophic incidents caused by natural disasters or acts of terrorism. Essentially, the U.S. government becomes an insurer of last resort, taking on the risk that the private insurance market cannot handle through the creation of a backstop. Each program was created for a specific purpose with a unique structure, funding mechanism, and requirements. Reviewing these programs is useful while investigating potential governmental support mechanisms to enhance the insurance sector’s capacity to manage extreme cyber risks.
The NFIP began in 1968 to reduce future flood damage and protect property owners in the event of flood disasters. The NFIP is managed by FEMA and covers more than 22,000 communities with nearly 5 million policies and almost USD 1.3 trillion in coverage [39]. Communities are not required to participate in the program, though some homeowners in high-risk flood zones are required to purchase flood insurance. If communities do choose to participate, they are required to adopt land use and control measures with effective enforcement provisions and to regulate the floodplain [39]. The NFIP is funded from premiums, fees, and surcharges paid by NFIP policyholders and from direct annual appropriations. When the balance of the NFIP is insufficient to pay insurance claims, the program can also borrow from the Treasury.
The FCIP began in 1938 and is a central component of the federal farm safety net as it offers farmers coverage against financial losses caused by adverse growing and market conditions. The FCIP is not mandatory but is heavily utilized, with more than 2 million policies sold and USD 116 billion in coverage provided as of 2019 [40]. The FCIP is funded with mandatory appropriations of “such sums as necessary” [41] (p. 1).
The TRIP was established by the Terrorism Risk Insurance Act (TRIA) of 2002 following the 9/11 terrorist attacks when coverage for acts of terrorism became impossible to obtain. TRIP requires insurers to make terrorism risk coverage available within certain lines of commercial P&C insurance. Through the program, certain insurance losses, like those resulting from an “act of terrorism”, are eligible for reimbursement [7]. TRIP uses a recoupment mechanism, meaning that if federal payments are made to insurers, the Secretary of the Treasury will collect “terrorism loss risk-spreading premiums” from insurers [7].
When it comes to cyber risk management, the creation of a federal insurance program or backstop is an attractive method for addressing risks that the private market cannot be expected to handle [42]. Vicevich (2018) outlines several potential benefits of creating such a backstop, including improving information-sharing between government and businesses, promoting education by requiring the disclosure of risk to those purchasing insurance, and creating a mechanism to cap private market losses and recoup insurance costs [42].
2.5. Prior Research on Catastrophic Risk and Insurance
A review of past research reveals that there is a modest amount of literature in this area, with researchers having previously examined the potential effect of catastrophic cyber incidents and government mechanisms to improve the resiliency of the private insurance market. Researchers have investigated the severity of catastrophic cyber risk in the digital domain, in particular, the potential effects of cyber catastrophes in Internet of Things (IoT) societies or smart cities in which IoT technologies connect industries and sectors, increasing the chance for widespread cyberattacks [45,46]. Other research has focused on identifying the problems in the private insurance market and discussing potential government interventions to combat these problems, including creating new models for cyber war exclusions that no longer result in coverage gaps [47,48], developing safety standards to reduce risky activity through regulation [49], and increasing investment in public funds that directly aim to reduce risks [49]. In an effort to create a consistent economic-impact analysis for cyber-risk scenarios, Eling et al. developed a dynamic inoperability input–output model that allows users to compare the economic impacts of certain scenarios while also accounting for the frequently omitted qualitative context of the hypothetical cyber events [50].
As we discuss in this paper, a commonly proposed government mechanism to combat the escalating threat of cyber catastrophes is the implementation of a federal backstop specific to cyber risk. Previous research has examined the potential benefits and drawbacks of this approach [42] and considered if existing insurance programs and legislation, like the TRIP and the SAFETY Act, could be used as a starting point in developing the backstop [51]. In their paper, Cunningham and Talesh (2021) went as far as to draft the “Catastrophic Cyberattack Resilience Act”, a bill that would create a federal backstop for catastrophic cyber events [44]. Since the creation of a federal backstop for cyber risk is not expected soon, short-term solutions have also been discussed, including a proposal for a state solution that includes minimum security requirements for policyholders [52].