Article

Resilience against Catastrophic Cyber Incidents: A Multistakeholder Analysis of Cyber Insurance

1 College of Emergency Preparedness, Homeland Security and Cybersecurity, University at Albany, State University of New York, Albany, NY 12203, USA
2 NYMIR Division, Wright Public Entity, Garden City, NY 11530, USA
* Author to whom correspondence should be addressed.
Electronics 2024, 13(14), 2768; https://doi.org/10.3390/electronics13142768
Submission received: 30 May 2024 / Revised: 5 July 2024 / Accepted: 11 July 2024 / Published: 14 July 2024

Abstract
Catastrophic cyber incidents—events of low probability but high impact, with the potential to incur billions of dollars in damages—are prompting insurers to elevate premiums, create higher barriers for potential buyers, and tighten policies with exclusions. While these responses of the insurance industry are important to prevent its insolvency during catastrophic incidents due to excessive claims, they lead to a notable gap in market protection. Using a content analysis of multistakeholder comments submitted in response to a Treasury Department Request for Information (RFI), this study seeks to define what constitutes a catastrophic cyber event, identify mitigation strategies, evaluate the current capacity of the cyber insurance sector to handle such incidents, and investigate the potential roles and support mechanisms that the government can provide to enhance the insurance sector’s capacity to manage these extreme risks. This paper is one of the pioneering studies using data and a multistakeholder perspective to provide essential guidance for policymakers, regulators, the insurance industry, and the cybersecurity sector in formulating robust policies and strategies to address catastrophic cyber risks, ultimately enhancing national economic and technological resilience.

1. Introduction

In the realm of cybersecurity, the evolving nature of threats and the increasing sophistication of cyberattacks have necessitated a reevaluation of traditional risk management strategies. The role of cyber insurance, in this regard, has become a focal point for both the private sector and policymakers. As cyber threats transcend the digital domain, impacting the physical, financial, and reputational realms, businesses are increasingly turning to cyber insurance as a financial safeguard. However, the rise in catastrophic cyber incidents threatens the economic stability of the insurance sector and the feasibility and effectiveness of cyber insurance as a risk management tool.
The 2017 WannaCry and NotPetya attacks are two of the closest examples of catastrophic cyber incidents to date. The WannaCry ransomware attack, widely attributed to the North Korean hacking group Lazarus Group, targeted computers running the Microsoft Windows operating system in over 150 countries. Government agencies, healthcare institutions, universities, and businesses were impacted, and the costs of the hack are estimated to be USD 4 billion [1]. The NotPetya malware attack was a systemic cyber incident, as the data-destroying malware deployed by Russia against Ukraine spread outside of Ukraine to other companies and systems across the globe. It is estimated that this attack led to USD 10 billion in damages [2].
Cyberattacks like WannaCry and NotPetya have contributed to the significant hardening of the cyber insurance market. In the insurance business, it is better to have a soft market than a hard one, as hardening can cause changes to prices, terms, and conditions, as well as the availability of coverage and capacity [3]. Specifically for the cyber insurance market, the price of premiums, deductibles, and retentions has increased, while policy coverage in areas of extortion and exclusions for nation-state attacks has tightened.
In response to the hardening of the cyber insurance market, the Government Accountability Office (GAO) published a report in June 2022 recommending the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Insurance Office (FIO) “jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response” [4] (para. 12). In response to the GAO’s recommendation, the FIO in the Treasury Department issued a Request for Information (RFI) on 28 September 2022, with submissions open until 14 December 2022 [5]. The public had just under three months to submit their comments to answer the Treasury Department’s questions on this issue and provide additional information relating to cyber insurance and catastrophic cyber incidents. A total of 60 comments were submitted from private citizens and firms from different industries, including but not limited to cybersecurity and insurance.
This research aims to explore resilience mechanisms against catastrophic cyber incidents through a comprehensive multistakeholder analysis, with a focus on the role of cyber insurance. This study seeks to define what constitutes a catastrophic cyber event, identify mitigation strategies, evaluate the current capacity of the cyber insurance sector to handle such incidents, and investigate the potential roles and support mechanisms that the government can provide to enhance the insurance sector’s capacity to manage these extreme risks. In this paper, we perform a content analysis of the comments submitted in response to the Treasury Department’s RFI to identify concepts and themes present in the comments that answer our four research questions. This analysis reveals how government intervention, particularly through a federal insurance backstop, can mitigate the economic repercussions of catastrophic cyber risks. It also brings to the forefront the critical legal and regulatory aspects that need to be considered. These findings offer essential guidance for policymakers and legal experts working on formulating robust laws and regulations in the dynamically changing domain of cyber risks and insurance solutions.
This paper is structured as follows: Section 2 provides a comprehensive overview of the cyber insurance market, encompassing its historical evolution, current landscape, notable past cyberattacks, and prior federal insurance programs used to cover catastrophic risk. Section 2 also summarizes previous research efforts in this space and lays out the four research questions that guided the analysis performed in this paper. Section 3 outlines the methodology adopted in this study. In Section 4, we answer the research questions using the collected data. Section 5 includes a discussion of the concerns and benefits of creating a federal backstop for catastrophic cyber incidents as a government support mechanism for improving the capacity of the cyber insurance market. Section 6 offers suggestions as to the design of a federal backstop, considering the suggestions and concerns expressed by the commenters. Finally, in Section 7, we conclude.

2. Background

This section provides background on the cyber insurance market and catastrophic cyber incidents (CCIs), including the history of the market and past cyberattacks that are considered to be the closest examples of CCIs to date. We also discuss previous federal insurance programs and whether, in its present form, the Terrorism Risk Insurance Program (TRIP) can cover losses from a CCI. This section ends with an overview of previous research efforts in this space and lays out the four research questions that guide our investigation.

2.1. Cyber Insurance History and Current Market

The history of cyber insurance spans over two decades and reflects the ever-evolving landscape of digital threats and vulnerabilities [6]. As of 2020, it had grown to become a substantial industry, with direct premiums written amounting to around USD 4 billion [7]. Today, the United States stands as the global leader in the cyber insurance market [8,9]. This market segment is part of the broader property and casualty (P&C) insurance industry, and it offers various types of coverage to mitigate the financial impacts of cyber-related incidents, including first-party, third-party, and implicit silent cyber coverage. According to Baker and Shortland, there appears to be a trend of insurers shifting coverage for cyber risks out of general-purpose liability and property insurance policies and into specialized cyber insurance policies. These policies, which narrowly define coverage, help insurers reduce uncertainty by insuring losses of only a certain kind and for a certain amount, and not for everything cyber [10].
In its early years, cyber insurance was typically included as an addendum to commercial P&C insurance policies; however, as cyber threats became more sophisticated and the need for specialized coverage grew, standalone cyber insurance policies emerged as a significant trend. These policies are designed specifically to address the unique risks associated with cyberattacks and data breaches. The adoption of standalone cyber insurance policies varies by industry. Sectors such as financial services (59%), retail (56%), and media and entertainment (54%) are more likely to opt for standalone coverage [11]. In contrast, information technology and telecoms (35%) and energy, oil/gas, and utilities (39%) are sectors less likely to have standalone cyber insurance policies [11].
Factors such as regulatory changes, diverse cyber risks, digitalization, and supply chain vulnerabilities have propelled demand [12,13]. Threats such as ransomware, business email compromise, and fund transfer fraud are also moving organizations to seek coverage [14]. The industry grapples with challenges like risk assessment and policy standardization, which make the underwriting process for cyber insurance more complex and longer compared to traditional insurance [14]. The size of a business also plays a role in the adoption of cyber insurance [9]. According to a report by Cowbell Cyber, a cyber insurance company, 65% of small- and mid-size enterprises plan to increase spending on cyber insurance over the next two years compared to 58% of large U.S.-based enterprises [15].
By 2025, the global cost of cybercrime is estimated to be USD 10.5 trillion annually [16], underlining the significance of the cyber insurance market. As cyber threats continue to evolve and adapt to technological advancements, the demand for cyber insurance is expected to grow further [17]. Insurers will need to continually refine their policies and risk assessments to keep pace with the ever-changing landscape of cybersecurity threats and vulnerabilities. Additionally, regulatory developments and industry standards are likely to shape the future of the cyber insurance market as it continues to mature [6,18].
Unfortunately, there have been instances where insurance companies, despite entities having policies, attempt to avoid payouts due to stringent language and exclusions within the policy. We saw this in the months following NotPetya. Mondelez International, a multinational food company based in Chicago, was a victim of the NotPetya attack, with losses totaling more than USD 180 million for the company [19]. After the attack, Mondelez, which held an all-risk property insurance policy with Zurich American Insurance, filed an insurance claim seeking compensation for its NotPetya losses. Zurich denied the claim and refused to provide coverage for damages by invoking the “hostile or war-like action” exclusion [19]. The Zurich case marked the first major legal conflict in the insurance sector over the recovery costs stemming from a cyber breach [20]. After a four-year legal battle, both parties came to a settlement at the end of 2022 before a judge could make a definitive ruling on the issue of war exclusions.
The Zurich case also provided important lessons for the cyber insurance market. For one, traditional property insurance or silent coverage should not be relied upon to cover cyber risks as this type is likely to fall short of needs and leave important risks outside coverage since it is not sufficiently tailored [21]. Of course, insurers also need to make sure that cyber insurance policies are crafted with clear wording that avoids ambiguity [21]. Given the likelihood of future state-sponsored or widespread attacks like WannaCry and NotPetya, several improvements to the cyber insurance market need to take place to prevent companies from invoking arguments like those used by Zurich. The creation of laws and regulations can also play a crucial role in ensuring cyber resilience for both the insurance industry and policyholders. These measures can safeguard against cyber threats at both sectoral and national levels, thereby fostering a secure environment for insurers and protecting the interests of those they insure.
It is crucial to highlight that cyber incidents are not just an issue for underwriters of cyber insurance policies; they are a significant problem for underwriters of non-cyber policies as well due to “non-affirmative” or “silent” risk. Silent risk can reside in many different types of policies, even policies written by insurers that write little or no cyber insurance policies. Many traditional liability insurance policies neither explicitly include nor exclude cyber coverage or coverage of cybersecurity incidents. This vagueness results in silent cyber coverage [21]. According to a 2020 global survey, 65% of underwriters were concerned about silent cyber coverage exposure in P&C policies [22]. This is a valid concern, as USD 2.7 billion of the USD 3 billion insurance claims that resulted from the NotPetya attack were made under P&C policies that did not explicitly cover cyber risks [22].

2.2. Catastrophic Cyber Incidents

There is not yet a widely accepted definition of what constitutes a “catastrophic” cyber incident, and the ambiguity that exists around the term is a major problem for the insurance industry. The Treasury Department states the term “catastrophic” is generally related to the magnitude of the loss, its dispersion among multiple entities, and the degree of critical services affected [5]. In many cases, the way we define catastrophic cyber incidents/risk is “in the eye of the beholder” [23]. Depending on the industry or sector, the definition of catastrophe varies widely based on the scale and scope of the impacts considered. Yet, there is broad agreement that a widespread cyberattack on critical infrastructure would be catastrophic [23].
From an insurance perspective, catastrophic cyber risk is typically defined as a single event exceeding a certain amount in insurable losses or a certain number of affected insurers [23]. Such events are often estimated to be 1-in-100-year, low-probability but high-impact events, while some vendors believe an industry-wide cyber event could result in 1-in-200-year potential losses [24]. Without a clear definition, measuring and modeling catastrophic cyber risk is a challenge. In risk modeling, access to accurate and relevant data is important to develop disaster scenarios [25]. The more data available, the more credibility the modeled outcomes have [25]. Cyber risk modeling has always been a challenge due to the lack of historical data for cyberattacks. There is even less data available for those that may be considered “catastrophic”, if there is any.
Fortunately, efforts have been made by researchers to gather and analyze datasets for cyber risk quantification and modeling. Dubois et al. (2022) conducted a systematic interdisciplinary literature review for actuaries that consisted of collecting and classifying twenty different datasets including the academic and grey literature across multiple disciplines [26]. Cremer et al. (2022) performed a similar systematic review of data availability of the academic and industry literature on cybersecurity and cyber risk management that resulted in seventy-nine unique datasets [27]. Despite these efforts, several issues and challenges were identified in both projects that severely limit actuarial work in cyber insurance. Challenges identified include a lack of cyber data, information asymmetry, and correlated and interdependent risks that hinder efficient pooling [26]. Another issue identified by Cremer et al. (2022) was that the majority of datasets identified were not on cyber risks but related to the field of intrusion detection and machine learning, making them useful for technical cybersecurity aspects but less useful for actuarial purposes [27].
In terms of measuring catastrophic risk, it was suggested in an expert panel discussion that the economic impact, network effects, and severity are three aspects that make a cyber incident “catastrophic” [23]. Other dimensions include physical manifestations such as property damage and injury, irreversibility, and systemic nature [23]. Both the incident itself and the aftermath of the event can make a cyberattack catastrophic.
The SolarWinds, Colonial Pipeline, and Maersk attacks are a few examples of cyber incidents that caused significant economic and network impacts to critical infrastructure inside the United States. The SolarWinds supply chain attack spread to thousands of computers in both private corporations and U.S. government agencies and departments [28]. The Colonial Pipeline attack had knock-on effects that impacted multiple sectors, including gas stations across the East Coast [29]. Finally, the world’s biggest shipping company, A.P. Moller-Maersk, experienced a global I.T. outage as a result of the NotPetya cyberattack that disrupted the global supply chain [2]. Seventy-six of the company’s ports around the world, including those in the U.S., were affected, and it took several weeks for Maersk to restore its systems [2].
The NotPetya attack demonstrated that cyber catastrophes are not just a problem for the U.S.; they are a looming threat to nations around the world. The 2021 Conti ransomware attack on Ireland’s health service was described as “catastrophic” by the head of the Republic of Ireland’s health service [30]. The attack was said to have impacted every aspect of patient care, including causing substantial cancellations to outpatient services and encrypting 80% of electronic health records [31]. Recovery from this incident took over four months [31].
Governments abroad recognize the threat of catastrophic cyber incidents and are taking steps to improve their cyber resiliency. For example, a cybersecurity strategy was developed for the energy sector at the request of the European Parliament’s Committee on Industry, Research, and Energy as it has become evident that “[t]he immediate and potentially catastrophic nature of the cyber threat across the Energy sector… demands an urgent and focused policy response” [32] (p. 8). Furthermore, the Global Cybersecurity Outlook 2023 report published by the World Economic Forum found that 91% of all respondents—global organizational leaders—believe that due to global geopolitical instability “a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years” [33] (p. 8). This includes 86% of business leaders and 93% of cyber leaders [33].
The European Union Agency for Cybersecurity (ENISA) has also issued several publications related to cyber insurance and cyber risk. Though ENISA does not have any publications related to catastrophic cyber risk, the agency has been studying the cyber insurance market—including the barriers to a strong and mature market and ways to incentivize its development—since at least 2012 [34]. ENISA has also studied the lack of commonality in risk assessment language that creates a major obstacle to market growth [35]. They have also surveyed over 260 operators of essential services across twenty-five EU member states to collect their opinions and recommended improvements regarding the contracting of cyber insurance [36]. Most recently, the agency published a study that looks at how machine learning models and artificial intelligence can be used in cyber risk modeling and insurance [37].
Insurance providers have tried to assess catastrophic cyber risk by creating disaster scenarios that could conceivably be considered “catastrophic”. For instance, Lloyd’s of London developed a realistic attack scenario in which the U.S. power grid was targeted, and a blackout in 15 states occurred for approximately 24 h [38]. In this scenario, multiple companies and insurers are impacted at the same time as effects are spread across several critical infrastructure sectors. In addition to the loss of life, as health and safety systems become inaccessible and fail, property damage of this size is estimated to cause USD 243 billion in losses. In the most extreme version of the scenario, losses could rise to more than USD 1 trillion [38].
The Geneva Association, in their study, explored the insurability of catastrophic cyber risks, utilizing scenario analysis by having its member cyber re/insurers rank potential cyber incidents by the level of concern based on the size of possible extreme cyber losses. A denial-of-service attack, an interruption to operations caused by a worm-like malware epidemic, and a widespread ransomware attack were among the highest-ranked scenarios [24]. Disruptions to critical infrastructure, such as a cyberattack on a key utility provider or a cross-sector IT failure, were also among the scenarios of most concern to cyber re/insurers. Drawing on insights from the study, it is evident that while the insurers and reinsurers play a pivotal role in mitigating financial losses, their capacity is not unlimited. This underscores the potential benefits of creating a government support mechanism to handle major cyber incidents, bolstering insurers’ ability to extend coverage and enhance their risk absorption capabilities [24].

2.3. Past Federal Insurance Programs

The U.S. government has a long history of creating federal insurance programs, such as the National Flood Insurance Program (NFIP), the Federal Crop Insurance Program (FCIP), and the Terrorism Risk Insurance Program (TRIP). These programs are mechanisms for the FIO to provide federal assistance for coverage of catastrophic incidents caused by natural disasters or acts of terrorism. Essentially, the U.S. government becomes an insurer of last resort, taking on the risk that the private insurance market cannot handle through the creation of a backstop. Each program was created for a specific purpose with a unique structure, funding mechanism, and requirements. Reviewing these programs is useful while investigating potential governmental support mechanisms to enhance the insurance sector’s capacity to manage extreme cyber risks.
The NFIP began in 1968 to reduce future flood damage and protect property owners in the event of flood disasters. The NFIP is managed by FEMA and covers more than 22,000 communities with nearly 5 million policies and almost USD 1.3 trillion in coverage [39]. Communities are not required to participate in the program, though some homeowners in high-risk flood zones are required to purchase flood insurance. If communities do choose to participate, they are required to adopt land use and control measures with effective enforcement provisions and to regulate the floodplain [39]. The NFIP is funded from premiums, fees, and surcharges paid by NFIP policyholders and from direct annual appropriations. When the balance of the NFIP is insufficient to pay insurance claims, the program can also borrow from the Treasury.
The FCIP began in 1938 and is a central component of the federal farm safety net as it offers farmers coverage against financial losses caused by adverse growing and market conditions. The FCIP is not mandatory but is heavily utilized, with more than 2 million policies sold and USD 116 billion in coverage provided as of 2019 [40]. The FCIP is funded with mandatory appropriations of “such sums as necessary” [41] (p. 1).
The TRIP was established by the Terrorism Risk Insurance Act (TRIA) of 2002 following the 9/11 terrorist attacks when coverage for acts of terrorism became impossible to obtain. TRIP requires insurers to make terrorism risk coverage available within certain lines of commercial P&C insurance. Through the program, certain insurance losses, like those resulting from an “act of terrorism”, are eligible for reimbursement [7]. TRIP uses a recoupment mechanism, meaning that if federal payments are made to insurers, the Secretary of the Treasury will collect “terrorism loss risk-spreading premiums” from insurers [7].
When it comes to cyber risk management, the creation of a federal insurance program or backstop is an attractive method for addressing risks that the private market cannot be expected to handle [42]. Vicevich (2018) outlines several potential benefits of creating such a backstop, including improving information-sharing between government and businesses, promoting education by requiring the disclosure of risk to those purchasing insurance, and creating a mechanism to cap private market losses and recoup insurance costs [42].

2.4. Using TRIP for Cyber Catastrophes

The TRIP/TRIA is especially important when discussing catastrophic cyber incident coverage as the Treasury Department has a “longstanding interest in terrorism risk insurance for cyber losses” [7] (p. 58). The Treasury has confirmed that requirements found in the TRIA apply to any policy covering cyber risk written in a line of insurance. This means that the TRIP can be triggered if a policy does not specifically exclude losses arising from a cyber incident. To maintain this possibility, some insurers have worked to create carveouts in their policies for cyber incidents certified by the Treasury as acts of terrorism, as many war exclusions already extend beyond war to “encompass a range of hostile activity that could include crime, political unrest, and terrorism” [7] (p. 61). Some proponents view the TRIP/TRIA as the remedy for the catastrophic cyber risk issue, advocating for minor legislative tweaks and the inclusion of cyber definitions within the TRIA to eliminate the need for a separate federal cyber risk backstop [43]; however, this approach faces several shortcomings.
For the TRIP to be triggered, the incident must be a certified act of terrorism. Achieving this certification would be extremely difficult for a cyber incident as the TRIA requires that the incident be violent or dangerous to human life, property, or infrastructure. While it is certainly true that cyberattacks can meet these requirements, especially if the attack takes place against critical infrastructure, not all cyberattacks have these types of impacts. Instead, cyberattacks can cause significant business impacts and monetary losses due to exfiltrated data or disruptions to command-and-control systems. These types of behaviors are serious but not necessarily violent or dangerous to human life. Another impediment to triggering the TRIP is that a significant amount of cyber coverage is included in non-standalone insurance policies, which are specifically excluded from the TRIA. Further, experts believe that it would be “legislatively awkward” [44] (p. 50) to add cyber provisions into the TRIA that only apply to catastrophic cyber incidents.

2.5. Prior Research on Catastrophic Risk and Insurance

A review of past research reveals that there is a modest amount of literature in this area, with researchers having previously examined the potential effect of catastrophic cyber incidents and government mechanisms to improve the resiliency of the private insurance market. Researchers have investigated the severity of catastrophic cyber risk in the digital domain, in particular, the potential effects of cyber catastrophes in Internet of Things (IoT) societies or smart cities in which IoT technologies connect industries and sectors, increasing the chance for widespread cyberattacks [45,46]. Other research has focused on identifying the problems in the private insurance market and discussing potential government interventions to combat these problems, including creating new models for cyber war exclusions that no longer result in coverage gaps [47,48], developing safety standards to reduce risky activity through regulation [49], and increasing investment in public funds that directly aim to reduce risks [49]. In an effort to create a consistent economic-impact analysis for cyber-risk scenarios, Eling et al. developed a dynamic inoperability input–output model that allows users to compare the economic impacts of certain scenarios while also accounting for the frequently omitted qualitative context of the hypothetical cyber events [50].
As we discuss in this paper, a commonly proposed government mechanism to combat the escalating threat of cyber catastrophes is the implementation of a federal backstop specific to cyber risk. Previous research has examined the potential benefits and drawbacks of this approach [42] and considered if existing insurance programs and legislation, like the TRIP and the SAFETY Act, could be used as a starting point in developing the backstop [51]. In their paper, Cunningham and Talesh (2021) went as far as to draft the “Catastrophic Cyberattack Resilience Act”, a bill that would create a federal backstop for catastrophic cyber events [44]. Since the creation of a federal backstop for cyber risk is not expected soon, short-term solutions have also been discussed, including a proposal for a state solution that includes minimum security requirements for policyholders [52].

2.6. Research Questions

Despite existing research in this area, there are still significant knowledge gaps in the field that this paper seeks to fill. While catastrophic cyber risk has been discussed broadly by researchers, there has been little investigation into the specifics of the issue, such as how to define or measure catastrophic cyber risk or how to mitigate against catastrophic cyber incidents. Furthermore, this paper investigates the capacity of the cyber insurance market and the roles the government can employ to enhance the market’s capacity. Our approach is distinctive in that we answer our research questions utilizing public comments shared by stakeholders that are directly related to the issue. This paper’s analysis was guided by the four following research questions:
  • What specific factors and conditions elevate a cyber incident to the level of a catastrophe, impacting businesses and society at large?
  • How can the impact of catastrophic cyber incidents be effectively mitigated, and what role does insurance play in this mitigation strategy?
  • Does the current cyber insurance sector possess the necessary capacity to address potential catastrophic cyber incidents adequately?
  • If the current cyber insurance sector lacks sufficient capacity, what roles and methods of support can the government employ to enhance this capacity, and how can these governmental support mechanisms be effectively implemented?

3. Methodology

In this paper, we conducted a mixed-method content analysis of 56 unique comments submitted in response to the Treasury Department’s RFI to answer our four research questions. These comments came from stakeholders belonging to entities in critical infrastructure sectors, the insurance industry, and the cybersecurity industry. Private citizens also provided comments.

3.1. Research Design and Approach

Content analysis is a methodological approach associated with the study of inscription contained in varying forms of documentation, such as newspapers, journal articles, and other types of written records [53]. It is a mixed-method analysis that combines qualitative steps (grouping and assignment of text segments to categories) and quantitative steps (analyzing the frequency of concepts and terms) [54]. By systematically analyzing textual material (the comments), we identified the presence and frequency of certain concepts and themes. As a method that allows researchers “to make valid inferences from text” [55] (p. 9), we used this approach to answer our research questions, including how to define and mitigate catastrophic cyber incidents, whether the cyber insurance sector has the capacity to address these incidents adequately, and if the federal government should step in. Figure 1 provides a step-by-step view of conducting content analysis.
Content analysis has been utilized recently to investigate aspects of the cyber insurance market, including the underwriting process and cyber liability risk. Romanosky et al. (2019) used this method to examine state cyber insurance policies to determine the kinds of losses covered by these policies, how insurers assess risk, and how premiums are determined [13]. Wrede et al. (2020) used this method in conjunction with conducting interviews to examine affirmative and silent coverage in traditional insurance policies for select product lines on the German market [56].

3.2. Data Selection

For the data selection process, we utilized the sample of 60 comments that were submitted in response to the RFI. The dataset comprises comments from major stakeholders in the cybersecurity and insurance industries. The dataset also allows for greater validity and reliability as all comments were written for the same purpose and in the same context, and the views conveyed within the comments are less than two years old. Having this sample also contributed to the trustworthiness of our results as the findings are based on rich, appropriate, and well-saturated data [57] in the comments.
During their review of the comments, coders recognized that some comments were submitted more than once. After removing duplicates, the final sample consisted of 56 unique comments.

3.3. Conducting the Conceptual Analysis

3.3.1. Coding Scheme

In our review of the comments, we used a deductive category structuring. As shown in Figure 2, this meant that coders started with a defined set of categories before reading the comments, with a slight revision to the categories after 20% of the comments were reviewed. We created most of the categories using the questions provided in the RFI, as each RFI question dealt with a different concept related to catastrophic cyber incidents and risk. For example, one of the categories aimed to capture commenter answers to the RFI question about how to define catastrophic cyber incidents. Another category aimed to capture answers to which cybersecurity measures commenters consider most useful in mitigating catastrophic cyber incidents.
In addition to the categories derived from the RFI questions, we also added two categories to code for concerns and regulations. The “concern” category was created to capture any mention of concern or worry about federal government intervention that was conveyed in the comments. The “regulation” category was used to capture any discussion including regulatory language or support of regulation such as the implementation of a federal backstop to improve the capacity of the cyber insurance sector. In total, we outlined 19 different categories to capture opinions conveyed in the comments. Figure 3 shows the 19 distinct categories in this content analysis and indicates which categories we used to answer each research question.

3.3.2. Intercoder Reliability

To ensure the reliability of the analysis, several tests such as percentage agreement, Holsti’s method, Scott’s pi (π), Cohen’s kappa (κ), and Krippendorff’s alpha can be used [58]. In this paper, we chose to calculate Cohen’s kappa (κ) as it measures agreement by considering the agreement observed between coders and what would be expected by chance. Kappa ranges between −1 and 1, with 1 indicating perfect agreement beyond chance, 0 indicating agreement equivalent to chance, and −1 indicating agreement worse than chance. To perform an intercoder reliability test, a minimum of two coders is required, and it is suggested that the second coder code at least 10% of the full sample [58]. The second coder in our analysis coded 20% of the comments. Our Cohen’s kappa (i.e., the ratio of the observed agreement above chance to the maximum possible agreement above chance) was 0.85. This indicates a substantial level of agreement beyond chance between the two coders, and high intercoder reliability. The slight disagreement between coders can likely be attributed to individual coder biases or variations in interpretation due to different backgrounds and knowledge [59].
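As an added illustration of the reliability statistic described above (example code written for this discussion, not part of the original study), the following Python block computes Cohen’s kappa for two coders and contrasts it with raw percentage agreement. The paper does not publish its raw coding data, so the category labels, the two coders’ assignments and the comment identifiers used here are constructed; the 20% double-coding share and the 56-comment sample size are the paper’s own figures. The second, skewed dataset shows why kappa rather than raw agreement is the appropriate measure: two coders who mostly assign the same dominant label reach high raw agreement largely by chance.

```python
"""Intercoder reliability check for a two-coder content analysis.

Added example, not code from the paper. The paper reports Cohen's kappa = 0.85
on a 20% double-coded subsample but publishes no raw coding data, so the
category labels, the two coders' assignments and the comment ids below are
constructed for illustration only.
"""
import math
import random
from collections import Counter
from typing import List, Optional, Sequence


def select_double_coding_sample(ids: Sequence[str], fraction: float, seed: int) -> List[str]:
    """Pick the units the second coder will re-code (paper: 20% of 56 comments).

    Rounds up so a small sample never falls below the intended share, and uses
    a fixed seed so the selection can be reproduced and reported.
    """
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    k = math.ceil(len(ids) * fraction)
    return sorted(random.Random(seed).sample(list(ids), k))


def percent_agreement(coder_a: Sequence[str], coder_b: Sequence[str]) -> float:
    """Share of units on which both coders assigned the same category (p_o)."""
    if len(coder_a) != len(coder_b) or not coder_a:
        raise ValueError("coders must label the same, non-empty set of units")
    return sum(a == b for a, b in zip(coder_a, coder_b)) / len(coder_a)


def cohens_kappa(coder_a: Sequence[str], coder_b: Sequence[str]) -> Optional[float]:
    """Cohen's kappa = (p_o - p_e) / (1 - p_e).

    p_o is the observed agreement; p_e is the agreement expected by chance,
    i.e. for each category the product of the two coders' marginal label
    proportions, summed over categories. Returns None when p_e == 1 (both
    coders used one identical category for every unit): kappa is undefined
    there because no agreement above chance is possible.
    """
    n = len(coder_a)
    p_o = percent_agreement(coder_a, coder_b)
    marg_a, marg_b = Counter(coder_a), Counter(coder_b)
    categories = set(marg_a) | set(marg_b)
    p_e = sum((marg_a[c] / n) * (marg_b[c] / n) for c in categories)
    if p_e == 1.0:
        return None
    return (p_o - p_e) / (1.0 - p_e)


# Constructed dataset 1: 20 text segments coded into four of the paper's
# RFI-derived category types; each coder uses every category exactly 5 times,
# and the coders disagree on 3 segments (a 3-cycle that keeps marginals equal).
BALANCED_A = ["definition"] * 5 + ["mitigation"] * 5 + ["capacity"] * 5 + ["support"] * 5
BALANCED_B = list(BALANCED_A)
BALANCED_B[0], BALANCED_B[5], BALANCED_B[10] = "mitigation", "capacity", "definition"

# Constructed dataset 2: a binary "concern" code (present/absent) on 20
# segments. Raw agreement is again 17/20 = 85%, but almost all of it is what
# two coders who mostly answer "absent" would produce by chance.
SKEWED_A = ["absent"] * 18 + ["present"] * 2
SKEWED_B = ["absent"] * 16 + ["present", "present", "absent", "present"]

# Constructed comment identifiers standing in for the paper's 56 unique comments.
COMMENT_IDS = [f"comment-{i:02d}" for i in range(1, 57)]


if __name__ == "__main__":
    subsample = select_double_coding_sample(COMMENT_IDS, 0.20, seed=7)
    print(f"second coder re-codes {len(subsample)} of {len(COMMENT_IDS)} comments")
    for name, a, b in (("balanced", BALANCED_A, BALANCED_B), ("skewed", SKEWED_A, SKEWED_B)):
        print(f"{name}: agreement={percent_agreement(a, b):.2f} kappa={cohens_kappa(a, b):.3f}")
```

On the balanced data the block yields 85% agreement and κ = 0.80; on the skewed data agreement is the same 85% but κ drops to roughly 0.32, which is the chance correction the paper relies on when it reports 0.85 rather than a raw agreement figure.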

4. Results

In this section, we discuss the most prominent findings from the content analysis. First, we will start with a review of how we organized our sample and the response rate of each group; then, we answer our four research questions using the responses to specific questions in the Request for Information (RFI).

4.1. Organizing the Sample

The 56 comments were placed into one of five groups—Insurance Providers, Insurance-Affiliated Entities, Critical Infrastructure, Cybersecurity, and Private Citizens—based on the person or entity that submitted the comment. “Insurance Providers” included all comments submitted by insurers, reinsurers, and insurance-related trade associations. “Insurance-Affiliated Entities” included all comments submitted by insurance risk modeling analytics organizations and insurance think tanks. “Critical Infrastructure” included all comments submitted by an entity that worked in or represented one of the sixteen critical infrastructure sectors identified by the Cybersecurity and Infrastructure Security Agency (CISA). “Cybersecurity” consists of all comments submitted by entities with a cybersecurity or cyber risk management focus. Finally, “Private Citizens” included all comments submitted by individuals, academic experts, or anonymous sources.

4.1.1. Comment Distribution across Groups

Table 1 shows the breakdown of our sample by group.
Unsurprisingly, insurers, reinsurers, brokers, and insurance-related trade associations made up one of the two groups with the most comments. Critical Infrastructure also had 15 comments, followed by Cybersecurity, Insurance-Affiliated Entities, and Private Citizens, with 10, 8, and 8 comments, respectively.
Of the comments that fell within the Critical Infrastructure group, 40% were submitted by entities within the healthcare and public health (HPH) sector. Other sectors represented with at least one comment include financial services, energy, communications, government facilities, food and agriculture, and emergency services. There are several reasons why so many HPH entities could have submitted comments, but their interest in the topic of catastrophic cyber incidents is likely due to the unprecedented rate of cyberattacks that healthcare entities have endured in recent years. These attacks cost HPH entities millions of dollars and, in some cases, threaten to cause injury and death to patients [60,61].
There was considerable variation in the Private Citizens group as this group included comments submitted anonymously and from academic experts with differing backgrounds. The disciplines and research interests of the experts included cybersecurity policy and research, cyber risk modeling, economics of information security, and cyber insurance. One respondent has over ten years of experience working at a cybersecurity insurance firm that performs risk analysis and modeling, while another has over 20 years of experience working with corporate and military organizations as a cybersecurity management consultant. Most respondents in this group appear to be from the U.S., though at least one of the respondents hails from the United Kingdom.

4.1.2. Variety of Questions Answered and Response Rate

There was considerable variation between the groups regarding which questions they answered. Surprisingly, while Insurance-Affiliated Entities only had eight comments, that group had the highest response rate and answered the widest variety of questions. This is likely due to entities in this group having a combination of specialties, providing services such as insurance risk modeling and cyber insurance analytics, making them familiar with both the insurance and cybersecurity sides of the issue. Table 2 shows the average response rate for each group. The higher the percentage, the more questions that commenters in that group responded to on average. Entities that fell in the Insurance Providers and Insurance-Affiliated Entities groups answered more questions, filling more categories in our coding than comments from the Critical Infrastructure, Cybersecurity, and Private Citizens groups.
It should be noted that while the Cybersecurity group had a low response rate overall, it did have the highest rate for the two cybersecurity-focused RFI questions, including the question asking about cybersecurity measures to prevent and mitigate catastrophic cyber incidents.

4.2. Findings

From our coding of the 56 comments, we collected responses from multiple stakeholders to answer our four research questions. Table 3 shows the RFI question categories used predominantly to answer each research question.

4.2.1. Defining Catastrophic Cyber Incidents (CCIs)

To answer our first research question, we analyzed how commenters responded to questions 1 and 2 of the Request for Information. Question 1 asked, “What type of cyber incidents could have a catastrophic effect on U.S. critical infrastructure? How likely are such incidents? Are particular sectors of U.S. critical infrastructure more susceptible to such incidents? How should the federal government and/or the insurance industry address the potential for cascading, cross-sector impacts from a cyber incident? What type of potential “catastrophic” cyber incident could justify the creation of a federal insurance response?” Question 2 asked, among other things, “What amount of financial losses should be deemed “catastrophic” for purposes of any potential federal insurance response?” Questions 1 and 2 had total average response rates of 55% and 30%, respectively. Question 1 was the fourth most answered question, with most comments coming from the Insurance-Affiliated Entities, Insurance Providers, and Private Citizens groups with response rates of 88%, 73%, and 63%, respectively.
Several comments discussed the difficulty in creating a definition and recognized that being able to estimate the likelihood of a CCI without a clear definition would be nearly impossible. As one commenter put it, “[t]he definition of a catastrophic event in cyber is one of the challenges the industry faces, and it has become one of those ‘we will know it when we see it’ scenarios” [62] (p. 2). Another commenter went as far as to say that a CCI definition would not be possible without clarification being made to other language, such as “war-like action” and “infrastructure”. Nevertheless, several comments did provide terms and definitions that they believed could work for CCIs, including “widespread cyber events”, “cyber warfare”, and even “war-like actions”. It was also recommended that the final definition for “catastrophic” be “consistent with Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) notification and reporting requirements” [63] (p. 1).
Another interesting point was made in regard to which sectors are most at risk. The healthcare and public health sector, financial services sector, and electric grid were all referenced more than once in the responses. Yet, while there appeared to be support for using the term critical infrastructure in the definition, one commenter warned that CCIs should not respond to only critical infrastructure attacks. Additionally, one respondent added that “[w]hile all sectors are potentially vulnerable, those whose legacy infrastructure, ‘tech debt’, and inability to attract top security talent tend to be more susceptible to successful cyberattacks and incidents” [64] (p. 4).
It was the opinion of one commenter that CCIs be defined through the lens of the effect of a cyber incident rather than its cause: “[a] cyber incident resulting in significant, far-reaching insured (and/or uninsured) losses could have a catastrophic impact on the U.S. economy. It is about scale and scope, more than type of loss” [65] (p. 3). In terms of types of cyberattacks that could become CCIs, the attack types that commenters were most worried about included mass outages, distributed denial-of-service attacks, widespread malware attacks, attacks targeting PLCs and SCADA systems, a mass cloud outage, and attacks that specifically target the energy grid or supply chain.
Many commenters feel that there are not sufficient data available to estimate the amount of losses that make a cyber incident “catastrophic”. Commenters that did suggest trigger points varied significantly in their estimates, ranging from USD 200 million to USD 100 billion. For example, one commenter suggested implementing a trigger amount of aggregate insured losses similar to the threshold for the TRIP—about USD 200 million—so that it is “high enough to encourage the insurance market to manage all but worst-case events” [66] (p. 4). Some commenters also suggested that since “insurers transfer risk to reinsurance in the context of 1 in 200/250 year return periods... anything in excess of this level likely would be ‘catastrophic’” [65] (p. 8).
Based on these responses, there appear to be several criteria for defining a catastrophic cyber incident. Consistent with the Treasury Department’s definition, commenters stated that a cyber incident could be deemed catastrophic based on the amount of monetary losses, its dispersion across multiple entities and industries, and the degree of critical services affected. In terms of losses, commenters considered looking at both insured loss and overall business loss. Additionally, commenters considered looking at the type of threat actor, that is, if the threat actor is a state actor and the incident is a war-like action. According to some commenters, whether critical infrastructure is impacted and if the orchestrator is a state actor just represent potential indicators and not requirements for an incident to be deemed a catastrophe.

4.2.2. Mitigating Catastrophic Cyber Incidents

To answer our second research question, we analyzed how commenters answered question 3 of the Request for Information which asked in part “What cybersecurity measures would most effectively reduce the likelihood or magnitude of catastrophic cyber incidents?” Question 3 had the third highest response rate of 59%, with responses coming mostly from the Cybersecurity, Insurance Provider, and Insurance-Affiliated Entities groups with response rates of 100%, 73%, and 50%, respectively.
Several different security controls and best practices were discussed in answering how entities could reduce the likelihood and magnitude of a catastrophic cyber incident, including multifactor authentication, mandated employee cyber training, anti-data exfiltration software, endpoint detection and response software, robust patch management, use of backups, and network segmentation. Strategies to improve business resiliency and redundancy were also mentioned, such as supply chain risk management and operational technology (OT) management [67]. Essentially, most commenters felt that implementing a minimum of basic cybersecurity controls was the best way to improve resilience and reduce the magnitude of catastrophic cyber incidents [67,68]. An important point was also made that “...adoption [of cybersecurity measures] is a constant process... Incentives need to be built to encourage regular engagement instead of once and done implementation. Unlike fire, cyber risk is not static” [69] (p. 4).
In answer to the second part of our research question, multiple comments seemed to support using the cyber insurance sector to encourage the adoption of basic cyber hygiene. Already, insurers are requiring their clients to implement and maintain certain security controls in order to receive coverage. For example, Marsh McLennan promotes to their clients a list of 12 key controls that are “most necessary for successful cyber insurance renewals” [64] (p. 7). One commenter even suggested that entities be required to demonstrate compliance with chosen security procedures and practices through periodic third-party assessment [70]. This kind of requirement can motivate organizations who have been slow to adopt such controls as the failure to do so would mean no longer having cyber insurance coverage. Commenters suggested using NIST and ISO/IEC frameworks as resources for organizations looking to achieve high levels of protection.

4.2.3. Capacity of the Cyber Insurance Industry

To answer our third research question, we analyzed how commenters answered question 6 of the Request for Information, which asked “Is a federal insurance response for catastrophic cyber incidents warranted? Why or why not?” Question 6 had the second highest response rate in our analysis at 61%. Of those who provided a comment, 62% said yes, definitively, that they support the federal government’s effort to create a federal backstop due to the failing capacity of the private insurance market. A total of 12% stated that they did not support the creation of a federal backstop. The rest of the comments (26%) seemed to offer “cautious support” to the idea of a federal backstop. These comments did not definitively state that they supported the creation of a backstop, but they did posit that a federal government response may be warranted or that a federal response could be the right measure. Table 4 provides a look at the opinions of each group. The percentages shown were created based on the total number of comments from each group that answered the question—not every commenter in each group provided an answer to this question.
While question 6 may not seem directly related to our research question, responses typically described the current conditions of the private cyber insurance market to explain why or why not a federal backstop was warranted, which does directly answer our third research question. For example, one comment indicated support for a federal backstop because in their view “[i]nsurance companies and reinsurance companies cannot provide sufficient coverage while making a profit” [71] (p. 2). Another commenter said “there could be extraordinary cyber incidents that rise to the level of a catastrophic exposure that could exhaust the capacity of the private market and may warrant a Federal response” [72] (p. 4).
In addition to assessing the industry’s capacity to address this risk, we must also consider the industry’s intent to cover it. For example, Lloyd’s “acknowledges that there are two clear areas in which the cyber insurance market presently has little to no appetite to provide cover—namely, broad infrastructure outages and state backed cyber-attacks” [73] (p. 3). It was clear that many of the commenters felt that the cyber insurance market does not have sufficient capacity or the intent to bear the costs of a catastrophic cyber incident.
Answers to other questions examined during this analysis also provided useful responses to our research question. In response to insurance coverage availability, one commenter stated that “some insurers have sought to reduce coverage for incidents deemed catastrophic, either through sub-limits or co-insurance” and the use of exclusions or narrow definitions [74] (p. 12). Another part of the problem, according to one commenter, is the fact that “[t]here has also been little movement in establishing a retro reinsurance market for cyber catastrophe risk”, leaving catastrophic cyber incident coverage to the traditional reinsurance market [75] (p. 11). Overall, the ability to “provide the coverage required to keep U.S. companies afloat in the time of a catastrophic event is critical but difficult for the private insurance market” [76] (p. 4).

4.2.4. Potential Governmental Support Mechanism

To answer our fourth and final research question, we analyzed how commenters addressed questions related to the structuring of a federal backstop for catastrophic cyber incidents, including sub-questions 7.1 and 7.4. Creating a federal backstop was widely supported by multiple stakeholders as a government method to enhance the cyber insurance sector’s capacity. By establishing a backstop, the government, as it has done in the past with the FCIP, NFIP, and TRIP, can take on the risk that is causing uncertainty and hardening of the cyber insurance market and create a mechanism for mandating certain cybersecurity controls and best practices.
Question 7.1 asked, “Should an existing federal insurance program (e.g., NFIP or TRIP) or other U.S. or international public-private insurance mechanism serve as a model for, or be modified to address catastrophic cyber incidents?” There appeared to be broad agreement that the TRIP could serve as a model for a backstop for CCIs. More specifically, of those comments that answered the question (63%), 43% of comments either supported using the TRIP as a model for a new backstop (31%) or recommended that the TRIP be extended to include CCIs (17%). Only 20% of comments recommended against using the TRIP as a model and cited several reasons why. Reasons included issues with the “mandatory make available” aspect of the TRIP structure, the uncertainty around the attribution of cyberattacks, covering cyberattacks under the definition of terrorism, and the inability of the TRIP “to financially cover the projected catastrophic financial losses arising from certified cyber acts of terrorism” [77] (p. 3). The rest of the comments (31%) that provided a response took the opportunity to recommend several different models other than the TRIP that could be good reference points when the time comes to create a federal backstop for CCIs. These models include the NFIP, the United Kingdom’s Pool Re, the Federal Deposit Insurance Corporation (U.S.), and a Capital Markets solution. Table 5 shows how each group responded to this question.
Question 7.4 asked “Should cybersecurity and/or cyber hygiene measures be required of policyholders under the structure? If so, which measures should be required?” This question had a response rate of 59%. Of those who answered, the majority (66%) agreed that cyber measures should be required for policyholders. Only 7% (two comments) said cybersecurity measures should not be required, while the rest of the commenters (28%) did not make a clear choice about requiring the measures, though they still discussed their use. Table 6 shows responses to question 7.4 by group.
Many of these commenters supported baseline cybersecurity requirements or a “back to basics” approach like that discussed in Section 4.2.2. Again, some recommended measures that were referenced in the comments included mandatory multifactor authentication, regular patching, backups, mobile device security, employee cyber training, anti-data exfiltration, complex passwords, developed incident response plans, and endpoint detection and response software.
According to one commenter, “[t]he most efficient and effective means for the federal government to establish and enforce cybersecurity measures would be to do so directly” [78] (p. 9). This could be achieved by implementing an eligibility requirement for any federal insurance program the government creates. Implementing and maintaining certain best practices would then be an expectation for access to any federal program or solution [65].
Only two comments, both in the Insurance Providers group, stated that cybersecurity measures should not be required through the program. They reasoned that the threat landscape is changing so fast that requiring control measures would be impractical and very challenging. One comment further stated that “requiring particular cyber hygiene measures to be met, could, in some instances quickly prove to be out of date and become burdensome to amend” [64] (p. 17).

5. Concerns and Benefits of a Federal Backstop

Here we summarize the concerns and benefits shared by multiple stakeholders regarding the federal government potentially stepping in to solve the hardening of the cyber insurance sector due to the risk of catastrophic cyber incidents.

5.1. Concerns Surrounding a Federal Backstop

In addition to capturing respondents’ answers to the RFI questions, we coded for respondents’ concerns about the backstop. Some of these were captured within the RFI questions asking about moral hazard and limitations to a backstop, while the rest were captured in our “concerns” and “regulation” categories. It was clear throughout our analysis that many commenters have worries about the backstop and how it may or may not be structured. The top concerns related to the backstop include the moral hazard problem, the coverage of physical losses, and the fear that a backstop would result in restrictive regulation. Fortunately, there are solutions available to ease these concerns.
The moral hazard problem is the phenomenon in which those who are insured take advantage of the fact that they have insurance and engage in dangerous or risky behavior that they otherwise would not. In this circumstance, some commenters fear that because insured entities would be covered from financial losses through the backstop, they will not maintain the appropriate level of cybersecurity and resilience. Fortunately, there are ways to ensure that insured entities do not have an undue reliance on the backstop. One strategy that many commenters support is deciding if an entity is eligible to participate in the federal insurance program or backstop based on their adoption and maintenance of certain cybersecurity controls and risk management practices. Another strategy discussed by a commenter was to utilize “public transparency” with respect to the backstop. If all products backed by a federal program were required to be filed with state regulators, then public review would help to prevent any exploitation by those participating [78].
Another concern surrounding the backstop was whether physical losses resulting from a CCI could or would be covered by the backstop. Often, cyberattacks, especially those that are widespread, result in physical damage, whether direct damage to computer hardware and systems or indirect damage to infrastructure due to the loss of communication and internet services. For example, in the 2010 Stuxnet attack, a malicious computer worm caused substantial damage to an Iranian uranium enrichment plant, as the worm was able to change the centrifuges’ rotor speed so excessively that the change in force destroyed the centrifuges [79]. The traditional cyber insurance market often delineates between physical and cyber damages and, in some cases, may not cover financial losses from physical damage. Yet, some commenters were hopeful that a program for CCIs could in fact provide a backstop to events with both kinds of damages, essentially “bridging the gap” between cyber insurance and traditional insurance.
A final concern conveyed by the commenters was the potential for a federal insurance program to add more regulatory requirements to the sector that prove to be burdensome. That is, if the backstop is not focused where it is needed most, it could end up hindering the competitive nature of the private market [80]. These views were unsurprising as past discussions of the backstop by major insurers also conveyed a worry that potential strings could be attached to the federal program, such as the backstop enabling the federal government to dictate insurers’ capacity. This includes Jeremy Gittler’s remarks shared at the 2023 Professional Liability Underwriting Society’s cyber symposium. Gittler, who is head of cyber and technology-Americas at AXA XL, stated that “[w]e don’t want a situation where they’re saying … you can only deploy this much capacity, you have to get this much reinsurance” [81] (para. 3). Though Gittler later goes on to support the idea of a “true” federal backstop (one where the government only comes in and takes over after losses hit a specific number so that the insurance industry can survive), his comments and some of the comments examined in this analysis show that there is fear that a federal backstop will enable the government to step in and stifle innovation, impose costly burdens, and otherwise lessen the power the private market currently has [81]. To alleviate this fear, the federal government will have to engage multiple stakeholders, ranging from private insurers to sector representatives (e.g., sector risk management agencies), to comprehensively grasp and accommodate the significant distinctions existing among different industry sectors. An inclusive approach can help enable the development of strategies that are specifically attuned to the diverse cybersecurity and insurance requirements within each sector.

5.2. Potential Benefits of a Federal Backstop

The benefits of a federal backstop were discussed throughout most of the comments in this analysis, particularly in responses to RFI question 8, which asked about the potential effects of a federal backstop on the cyber insurance market. A federal backstop could raise the level of cybersecurity of participating entities, help insurers avoid litigation, and remove significant uncertainty in the market.
Arguably, the most significant advantage that can arise from the creation of a new backstop for CCIs is the potential to raise the overall cybersecurity and cyber resiliency of U.S. entities to a higher level. If a minimum level of cybersecurity were required for participation in the program, then more entities would take the time and resources to ensure their level of security is adequate to meet eligibility requirements. With greater cyber hygiene, the severity of future CCIs would likely be lower, and fewer entities would fall victim to attacks.
With the creation of a federal backstop, U.S. entities, insurance, and reinsurance companies will also be relieved of the burden of assuming CCI risk. One commenter indicated that if a CCI were to happen today, the attack would not only cause devastating losses due to a lack of cybersecurity posture in the U.S. but many insurers would find themselves dealing with significant litigation [82]. As we saw following the NotPetya malware attack, Mondelez International engaged in a four-year legal battle with Zurich American Insurance after the insurer denied covering Mondelez’s NotPetya losses. With a backstop in place to cover losses from CCIs, insurers will be relieved of carrying the risk and companies can avoid this kind of time-consuming and costly litigation.
Finally, a federal backstop for CCIs would have positive effects on the availability and affordability of the cyber insurance market as it could increase insurers’ willingness to provide cyber coverage. By reducing the uncertainty that exists today in the cyber insurance market, insurers will be more willing to reduce prices and premiums and increase the size of the limits that those insured can access. Stabilizing the cyber insurance market could help insurers provide better and more comprehensive coverage to policyholders overall.

6. Picturing the Backstop

Likely, the most important aspect of this analysis is that it can tell us what a federal backstop for catastrophic cyber incidents could look like using the attitudes captured in the comments. Based on the aspects of the structure that had the greatest consensus, the base structure of a backstop for CCIs would start out looking similar to the TRIP. The backstop will most likely have cybersecurity requirements associated with participation, whether participation is mandatory or voluntary. Finally, while there is not yet a finalized definition for CCIs, attacks on critical infrastructure sectors, entities domiciled in the U.S., and the supply chain appear to be targets that would fall within the scope of coverage of the backstop as attacks on these targets would have a widespread impact on multiple entities and industries. Additionally, these types of attacks would result in significant losses, which, according to commenters, is another important criterion for deciding if a cyber incident reaches the level of a catastrophe.
While there was some variation in the comments regarding the need for a federal insurance response, the considerable potential benefits accompanying the creation of a federal backstop appear sufficient to overcome any current disagreement and there are strategies to combat concerns. For example, making the adoption and maintenance of cybersecurity measures and practices mandatory for participants will help to combat the moral hazard problem. When it comes to the coverage of physical losses and fear of restrictive regulation, there is plenty of time for public and private stakeholders to work with the government to structure the program in such a way that all parties are satisfied. By taking into consideration the answers and suggestions left in the comments submitted in response to the Treasury’s RFI, the government will be well on its way to creating and implementing a federal backstop for catastrophic cyber incidents that not only protects and stabilizes the insurance industry but increases the level of cyber resilience in the United States.

7. Conclusions

By conducting a multistakeholder analysis using the comments submitted in response to the Treasury Department’s Request for Information, we were able to capture the thoughts and opinions of 56 different stakeholders to help answer our four research questions, which relate to defining and mitigating catastrophic cyber incidents, assessing the capacity of the cyber insurance sector to address such incidents, and identifying how the government could enhance the capacity of the private cyber insurance sector. Table 7 summarizes the research questions explored along with the corresponding findings.
It was clear from our analysis of the comments that there is considerable variation in how commenters would define, measure, and mitigate catastrophic cyber incidents, though their responses provided helpful insights to use as starting points. It was also made clear by commenters that the cyber insurance market does not have the capacity to bear the losses associated with a catastrophic cyber incident. For this reason, most commenters support the government stepping in to create a backstop for catastrophic cyber incidents to enhance the industry’s capacity. Yet, before the government can begin creating a backstop, finalized definitions for a “catastrophic cyber incident” and other related terms must be developed to remove uncertainty from the market and give the stakeholders a clearer path forward. Without a clear definition for “catastrophic”, it is difficult to say definitively what the best strategies for mitigating catastrophic cyber risk are and what level of losses should trigger a government response.
This study holds significance given the dynamic cyber threat landscape and the increased risk of catastrophic cyber incidents in an unstable geopolitical climate. The government’s potential involvement in establishing a backstop mechanism for cyber insurance carries both costs and benefits. While it can boost the economic resilience and cybersecurity of the nation, the backstop will need to be carefully structured to avoid the moral hazard problem, burdensome cybersecurity requirements, and other restrictions that could impede innovation and competition in the cyber insurance sector. Additionally, the research findings, which represent one of the initial data-driven studies on the subject, offer insights from diverse stakeholders, including the public and private sectors. These insights serve as crucial input for policymakers in addressing the issue effectively. The federal government should continue to engage with stakeholders from different industries and sectors, including private insurance entities and cybersecurity experts, to study this issue.

Author Contributions

Conceptualization, U.T.; methodology, B.B., E.D. and U.T.; investigation, B.B. and U.T.; formal analysis, B.B.; writing—original draft preparation, B.B., E.D. and U.T.; writing—review and editing, B.B. and U.T.; supervision, U.T. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The original contributions presented in the study are included in the article; further inquiries can be directed to the corresponding author.

Acknowledgments

We would like to express our deepest gratitude to the reviewers for their invaluable feedback and insightful comments, which greatly enhanced the quality of this work.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Beer, J. “WannaCry” Ransomware Attack Losses Could Reach $4 Billion. CBS News. 2017. Available online: https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/ (accessed on 6 September 2023).
  2. Greenberg, A. The Untold Story of NotPetya, The Most Devastating Cyberattack in History. Wired. 2018. Available online: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ (accessed on 6 September 2023).
  3. Kreese, B. The Insurance Market Is Hardening: What Does That Mean for Your Business? Buffalo Business First. 2021. Available online: https://www.bizjournals.com/buffalo/news/2021/01/25/the-insurance-market-is-hardening-what-does-that.html (accessed on 6 September 2023).
  4. GAO (U.S. Government Accountability Office). Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks. (GAO-22-104256). 2022. Available online: https://www.gao.gov/products/gao-22-104256 (accessed on 6 September 2023).
  5. U.S. Treasury Department. Potential Federal Insurance Response to Catastrophic Cyber Incidents, 87 FR 59161. Federal Register. 2022. Available online: https://www.federalregister.gov/documents/2022/11/09/2022-24476/potential-federal-insurance-response-to-catastrophic-cyber-incidents (accessed on 6 September 2023).
  6. Marotta, A.; Martinelli, F.; Nanni, S.; Orlando, A.; Yautsiukhin, A. Cyber-insurance survey. Comput. Sci. Rev. 2017, 24, 35–61. [Google Scholar] [CrossRef]
  7. FIO (Federal Insurance Office). Report on the Effectiveness of the Terrorism Risk Insurance Program. U.S. Department of the Treasury. 2022. Available online: https://home.treasury.gov/system/files/311/2022%20Program%20Effectiveness%20Report%20%28FINAL%29.pdf (accessed on 6 September 2023).
  8. Woods, D.; Simpson, A. Policy measures and cyber insurance: A framework. J. Cyber Policy 2017, 2, 209–226. [Google Scholar] [CrossRef]
  9. Xie, X.; Lee, C.; Eling, M. Cyber insurance offering and performance: An analysis of the U.S. cyber insurance market. Geneva Pap. Risk Insur. Issues Pract. 2020, 45, 690–736. [Google Scholar] [CrossRef]
  10. Baker, T.; Shortland, A. Insurance and enterprise: Cyber insurance for ransomware. Geneva Pap. Risk Insur. Issues Pract. 2022, 48, 275–299. [Google Scholar] [CrossRef]
  11. Sophos. The Critical Role of Frontline Cyber Defenses in Cyber Insurance Adoption. [Whitepaper]. 2023. Available online: https://assets.sophos.com/X24WTUEQ/at/qmqkh63jxfbpmtpfftrxsnq/sophos-cyber-insurance-adoption-survey-2023-wp.pdf (accessed on 14 November 2023).
  12. Falco, G.; Eling, M.; Jablanski, D.; Miller, V.; Gordon, L.A.; Wang, S.S.; Schmit, J.; Thomas, R.; Elvedi, M.; Maillart, T.; et al. A Research Agenda for Cyber Risk and Cyber Insurance. In Proceedings of the Workshop on the Economics of Information Security (WEIS), Boston, MA, USA, 3–4 June 2019; Available online: https://cyber.fsi.stanford.edu/publication/research-agenda-cyber-risk-and-cyber-insurance (accessed on 6 September 2023).
  13. Romanosky, S.; Ablon, L.; Kuehn, A.; Jones, T. Content analysis of cyber insurance policies: How do carriers price cyber risk? J. Cybersecur. 2019, 5, tyz002. [Google Scholar] [CrossRef]
  14. Tsohou, A.; Diamantopoulou, V.; Gritzalis, S.; Lambrinoudakis, C. Cyber insurance: State of the art, trends and future directions. Int. J. Inf. Secur. 2023, 22, 737–748. [Google Scholar] [CrossRef] [PubMed]
  15. Cowbell Cyber. Survey Results: The Economic Impact of Cyber Insurance (Small and Mid-Size Enterprises in the U.S.). 2020. Available online: https://cowbell.insure/wp-content/uploads/2020/06/Cowbell-Cyber-data-report.pdf (accessed on 14 November 2023).
  16. Morgan, S. Cybercrime to Cost the World $10.5 Trillion Annually by 2025. Cybercrime Magazine. 2020. Available online: https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/ (accessed on 6 September 2023).
  17. Biener, C.; Eling, M.; Wirfs, J.H. Insurability of Cyber Risk: An Empirical Analysis. Geneva Pap. Risk Insur. Issues Pract. 2015, 40, 131–158. [Google Scholar] [CrossRef]
  18. Kshetri, N. The evolution of cyber-insurance industry and market: An institutional analysis. Telecommun. Policy 2020, 44, 102007. [Google Scholar] [CrossRef]
  19. Mondelez International Inc. v. Zurich American Insurance Co., No. 2018L11008 (Circuit Court of Cook County, Illinois). 2018. Available online: https://regmedia.co.uk/2022/11/02/pacer_mondelez_zurich_complaint.pdf (accessed on 6 September 2023).
  20. Ferland, J. Cyber insurance—What coverage in case of an alleged act of War? Questions raised by the Mondelez v. Zurich case. Comput. Law Secur. Rev. 2019, 35, 369–376. [Google Scholar] [CrossRef]
  21. Tatar, U.; Nussbaum, B.; Gokce, Y.; Keskin, O.F. Digital force majeure: The Mondelez case, insurance, and the (un)certainty of attribution in cyberattacks. Bus. Horiz. 2021, 64, 775–785. [Google Scholar] [CrossRef]
  22. Department of Financial Services. Insurance Circular Letter No. 2. New York State. 2021. Available online: https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02 (accessed on 7 September 2023).
  23. Tatar, U.; Nussbaum, B.; Keskin, O.F.; Dubois, E.; Foti, D. Setting the Scene: Framing Catastrophic Cyber Risk. An Expert Panel Discussion, Part 1. The Society of Actuaries Research Institute. 2023. Available online: https://www.soa.org/resources/research-reports/2023/cat-cyber-risk/ (accessed on 6 September 2023).
  24. The Geneva Association. Cyber Risk Accumulation: Fully Tackling the Insurability Challenge. 2023. Available online: https://www.genevaassociation.org/sites/default/files/2023-11/cyber_accumulation_report_91123.pdf (accessed on 14 November 2023).
  25. CyberCube. Designing a Cyber Catastrophe: A Guide to the Thought Process behind Creating Cyber Disaster Scenarios. 2020. Available online: https://insights.cybcube.com/en/a-guide-to-designing-scenario-narratives-for-cyber-catastrophe (accessed on 7 September 2023).
  26. Dubois, E.V.; Keskin, O.F.; Tatar, U. Cyber Risk Modeling Methods and Data Sets. SOA. 2022. Available online: https://www.soa.org/4a81c2/globalassets/assets/files/resources/research-report/2022/cyber-risk-modeling.pdf (accessed on 19 June 2024).
  27. Cremer, F.; Sheehan, B.; Fortmann, M.; Kia, A.N.; Mullins, M.; Murphy, F.; Materne, S. Cyber risk and cybersecurity: A systematic review of data availability. Geneva Pap. Risk Insur. Issues Pract. 2022, 47, 698–736. [Google Scholar] [CrossRef] [PubMed]
  28. Sylvester, J. Two Years Later: An Analysis of SolarWinds and the Impact on the Cyber Insurance Industry. Gallagher USA. 2022. Available online: https://www.ajg.com/us/news-and-insights/2022/aug/two-years-later-an-analysis-of-solarwinds-and-the-impact-on-the-cyber-insurance-industry/ (accessed on 25 September 2023).
  29. CISA (The Cybersecurity and Infrastructure Security Agency). The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done over the Past Two Years [Blog]. 2023. Available online: https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years (accessed on 25 September 2023).
  30. BBC. Cyber-Attack on Irish Health Service ‘Catastrophic’. 2021. Available online: https://www.bbc.com/news/world-europe-57184977 (accessed on 19 June 2024).
  31. PwC. Conti Cyber Attack on the HSE: Independent Post Incident Review. 2021. Available online: https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf (accessed on 19 June 2024).
  32. European Parliament. Cyber Security Strategy for the Energy Sector [Study]. 2016. Available online: https://www.europarl.europa.eu/RegData/etudes/STUD/2016/587333/IPOL_STU(2016)587333_EN.pdf (accessed on 19 June 2024).
  33. World Economic Forum. Global Cybersecurity Outlook 2023. 2023. Available online: https://www3.weforum.org/docs/WEF_Global_Security_Outlook_Report_2023.pdf (accessed on 19 June 2024).
  34. ENISA; Robinson, N.; RAND Europe. Incentives and Barriers of the Cyber Insurance Market in Europe. 2012. Available online: https://www.enisa.europa.eu/publications/incentives-and-barriers-of-the-cyber-insurance-market-in-europe (accessed on 19 June 2024).
  35. ENISA. Cyber Insurance—Models and Methods and the Use of AI. 2024. Available online: https://www.enisa.europa.eu/publications/cyber-insurance-models-and-methods-and-the-use-of-ai (accessed on 19 June 2024).
  36. ENISA. Commonality of Risk Assessment Language in Cyber Insurance. 2017. Available online: https://www.enisa.europa.eu/publications/commonality-of-risk-assessment-language-in-cyber-insurance (accessed on 19 June 2024).
  37. ENISA. Demand Side of Cyber Insurance in the EU. 2023. Available online: https://www.enisa.europa.eu/publications/demand-side-of-cyber-insurance-in-the-eu (accessed on 19 June 2024).
  38. Lloyd’s of London. Business Blackout: The Insurance Implications of a Cyber Attack on the U.S. Power Grid. 2015. Available online: https://www.lloyds.com/news-and-insights/risk-reports/library/business-blackout/ (accessed on 7 September 2023).
  39. Congressional Research Service. A Brief Introduction to the National Flood Insurance Program. 2023. Available online: https://crsreports.congress.gov/product/pdf/IF/IF10988 (accessed on 6 September 2023).
  40. Congressional Research Service. Federal Crop Insurance: A Primer. 2021. Available online: https://crsreports.congress.gov/product/pdf/R/R46686 (accessed on 6 September 2023).
  41. Congressional Research Service. Farm Bill Primer: Federal Crop Insurance Program. 2022. Available online: https://crsreports.congress.gov/product/pdf/IF/IF12201 (accessed on 6 September 2023).
  42. Vicevich, D.L. The Case for a Federal Cyber Insurance Program. Neb. L. Rev. 2018, 97, 555. Available online: https://digitalcommons.unl.edu/nlr/vol97/iss2/7 (accessed on 19 June 2024).
  43. Bace, B. The Insurer of Last Resort: Investigating a Federal Insurance Backstop for Catastrophic Cyber Incidents. 2023. Available online: https://scholarsarchive.library.albany.edu/honorscollege_pos/43/ (accessed on 7 September 2023).
  44. Cunningham, B.; Talesh, S.A. Uncle Sam RE: Improving Cyber Hygiene and Increasing Confidence in the Cyber Insurance Ecosystem via Government Backstopping. Conn. Insur. Law J. 2021, 28, 1–84. Available online: https://cilj.law.uconn.edu/wp-content/uploads/sites/2520/2022/10/CILJ-Vol.-28.1.pdf (accessed on 6 September 2023).
  45. Pal, P.; Huang, Z.; Yin, X.; Liu, M.; Lototsky, S.; Crowcroft, J. Sustainable Catastrophic Cyber-Risk Management in IoT Societies. In Proceedings of the 2020 Winter Simulation Conference (WSC), Orlando, FL, USA, 14–18 December 2020; pp. 3105–3116. [Google Scholar] [CrossRef]
  46. Pal, R.; Huang, Z.; Lototsky, S.; Yin, X.; Liu, M.; Crowcroft, J.; Sastry, N.; De, S.; Nag, B. Will Catastrophic Cyber-Risk Aggregation Thrive in the IoT Age? A Cautionary Economics Tale for (Re-)Insurers and Likes. ACM Trans. Manag. Inf. Syst. 2021, 12, 17. [Google Scholar] [CrossRef]
  47. Cremer, F.; Sheehan, B.; Mullins, M.; Fortmann, M.; Ryan, B.J.; Materne, S. On the insurability of cyber warfare: An investigation into the German cyber insurance market. Comput. Secur. 2024, 142, 103886. [Google Scholar] [CrossRef]
  48. Bateman, J. War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions. Carnegie Endowment. 2020. Available online: https://carnegieendowment.org/research/2020/10/war-terrorism-and-catastrophe-in-cyber-insurance-understanding-and-reforming-exclusions?lang=en (accessed on 25 June 2024).
  49. Baker, T.; Shortland, A. The government behind insurance governance: Lessons for ransomware. Regul. Gov. 2023, 17, 1000–1020. [Google Scholar] [CrossRef]
  50. Eling, M.; Elvedi, M.; Falco, G. The Economic Impact of Extreme Cyber Risk Scenarios. N. Am. Actuar. J. 2023, 27, 429–443. [Google Scholar] [CrossRef]
  51. Knake, R.K. Creating a Federally Sponsored Cyber Insurance Program. Council on Foreign Relations. 2016. Available online: https://www.cfr.org/report/creating-federally-sponsored-cyber-insurance-program (accessed on 25 June 2024).
  52. Sayre, M. Impossible Math: The Need for Government-Backed Cyber Insurance. Tort Trial Insur. Pract. Law J. 2022. Available online: https://ssrn.com/abstract=4699671 (accessed on 25 June 2024).
  53. Prior, L. Content Analyses. In The Oxford Handbook of Qualitative Research, 1st ed.; Leavy, P., Ed.; Oxford University Press: Oxford, UK, 2014; p. 359. ISBN 9780199811755. [Google Scholar]
  54. Mayring, P.A.E. Qualitative content analysis. In International Encyclopedia of Education, 4th ed.; Tierney, R.J., Rizvi, F., Ercikan, K., Eds.; Elsevier Inc.: Amsterdam, The Netherlands, 2023; pp. 314–322. [Google Scholar] [CrossRef]
  55. Weber, R. Basic Content Analysis, 2nd ed.; Sage: Newbury Park, CA, USA, 1990. [Google Scholar]
  56. Wrede, D.; Stegen, T.; Von der Schulenburg, J.M.G. Affirmative and silent cyber coverage in traditional insurance policies: Qualitative content analysis of selected insurance products from the German insurance market. Geneva Pap. Risk Insur. Issues Pract. 2020, 45, 657–689. Available online: https://link.springer.com/article/10.1057/s41288-020-00183-6 (accessed on 8 September 2023). [CrossRef]
  57. Elo, S.; Kääriäinen, M.; Kanste, O.; Pölkki, T.; Utriainen, K.; Kyngäs, H. Qualitative Content Analysis: A Focus on Trustworthiness. SAGE Open 2014, 4. [Google Scholar] [CrossRef]
  58. Lombard, M.; Snyder-Duch, J.; Bracken, C.C. Practical Resources for Assessing and Reporting Intercoder Reliability in Content Analysis Research Projects. 2005. Available online: https://www.researchgate.net/publication/242785900 (accessed on 25 June 2024).
  59. Drisko, J.W.; Maschi, T. Content Analysis; Oxford University Press: Oxford, UK, 2016; pp. 81–121. [Google Scholar]
  60. IBM Security & Ponemon Institute. Cost of Data Breach Report 2023. IBM. 2023. Available online: https://www.ibm.com/downloads/cas/E3G5JMBP (accessed on 8 September 2023).
  61. Miller, M. The Mounting Death Toll of Hospital Cyberattacks. Politico. 2022. Available online: https://www.politico.com/news/2022/12/28/cyberattacks-u-s-hospitals-00075638 (accessed on 8 September 2023).
  62. Association of Bermuda Insurers and Reinsurers. Comment from Association of Bermuda Insurers and Reinsurers. TREAS-DO-2022-0019-0042. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0042 (accessed on 15 November 2023).
  63. Berger, M. Comment from Berger, Mitchell. TREAS-DO-2022-0019-0010. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0010 (accessed on 15 November 2023).
  64. Marsh McLennan. Comment from Marsh McLennan. TREAS-DO-2022-0019-0025. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0025 (accessed on 15 November 2023).
  65. Reinsurance Association of America. Comment from Reinsurance Association of America. TREAS-DO-2022-0019-0028. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0028 (accessed on 15 November 2023).
  66. Axio. Comment from Axio. TREAS-DO-2022-0019-0017. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0017 (accessed on 15 November 2023).
  67. American Property Casualty Insurance Association. Comment from American Property Casualty Insurance Association (APCIA). TREAS-DO-2022-0019-0050. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0050 (accessed on 15 November 2023).
  68. CyberCube Analytics Inc. Comment from CyberCube Analytics Inc. TREAS-DO-2022-0019-0029. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0029 (accessed on 15 November 2023).
  69. Zurich North America. Comment from Zurich North America. TREAS-DO-2022-0019-0047. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0047 (accessed on 15 November 2023).
  70. HITRUST. Comment from HITRUST. TREAS-DO-2022-0019-0062. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0062 (accessed on 15 November 2023).
  71. Rasmussen, G.T. Comment from Rasmussen—Federal Cyber Insurance Feedback. TREAS-DO-2022-0019-0005. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0005 (accessed on 15 November 2023).
  72. Institute of International Finance. Comment from Institute of International Finance. TREAS-DO-2022-0019-0031. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0031 (accessed on 15 November 2023).
  73. Underwriters at Lloyd’s London. Comment from Underwriters at Lloyd’s, London. TREAS-DO-2022-0019-0026. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0026 (accessed on 15 November 2023).
  74. Aon. Comment from Aon. TREAS-DO-2022-0019-0040. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0040 (accessed on 15 November 2023).
  75. Cowbell. Comment from Cowbell. TREAS-DO-2022-0019-0022. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0022 (accessed on 15 November 2023).
  76. Converge Inc. Comment from Converge Inc. TREAS-DO-2022-0019-0006. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0006 (accessed on 15 November 2023).
  77. Fedtribe. Comment from Fedtribe. TREAS-DO-2022-0019-0014. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0014 (accessed on 15 November 2023).
  78. Centers for Better Insurance LLC. Comment from Centers for Better Insurance, LLC. TREAS-DO-2022-0019-0024. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0024 (accessed on 15 November 2023).
  79. Roscini, M. Cyber Operations and the jus ad bellum. In Cyber Operations and the Use of Force in International Law; Oxford University Press: Oxford, UK, 2014; pp. 43–116. [Google Scholar]
  80. Gallagher Re. Comment from Gallagher Re. TREAS-DO-2022-0019-0048. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0048 (accessed on 15 November 2023).
  81. Greenwald, J. Experts Weigh Cyber Risks, Need for Federal Backstop. Business Insurance. 2023. Available online: https://www.businessinsurance.com/article/20230302/NEWS06/912355809/Experts-eigh-cyber-risks,-need-for-federal-backstop (accessed on 15 November 2023).
  82. Marius Insurance. Comment from Marius Insurance. TREAS-DO-2022-0019-0052. Regulations.gov. 2022. Available online: https://www.regulations.gov/comment/TREAS-DO-2022-0019-0052 (accessed on 15 November 2023).
Figure 1. Step-by-step view of content analysis method.
Figure 2. The utilized process model of deductive category application (adapted from [54] p. 319).
Figure 3. Conceptual mapping.
Table 1. Comment totals by group.

Group                           # of Comments
Insurance Providers             15
Critical Infrastructure         15
Cybersecurity                   10
Insurance-Affiliated Entities    8
Private Citizens                 8
Total Sample                    56
Table 2. Average group response rate.

Group                           Average Response Rate
Insurance-Affiliated Entities   61%
Insurance Providers             52%
Critical Infrastructure         28%
Cybersecurity                   25%
Private Citizens                25%
Table 3. Corresponding RFI question categories to research questions.

Research Question No.   Request for Information Question Category
1                       1, 2
2                       3
3                       6
4                       7
Table 4. Support for a federal backstop by group.

Q: Do You Support the Creation of a Federal Backstop?

Group                           Yes      No       Cautious Support
Insurance-Affiliated Entities   87.5%    -        12.5%
Private Citizens                66.7%    -        33.3%
Cybersecurity                   66.7%    33.3%    -
Critical Infrastructure         50.0%    -        50.0%
Insurance Providers             50.0%    25.0%    25.0%
Table 5. Potential models for a federal backstop by group.

Q: Do You Support Using TRIP as a Model for a New Backstop for CCIs?

Group                           Yes      Extend TRIP to CCIs   No       Mentions/Endorses Some Other Model
Critical Infrastructure         55.6%    -                     22.2%    22.2%
Insurance-Affiliated Entities   37.5%    25.0%                 12.5%    25.0%
Private Citizens                33.3%    33.3%                 -        33.3%
Insurance Providers             16.7%    16.7%                 25.0%    41.7%
Cybersecurity                   -        33.3%                 33.3%    33.3%
Table 6. Opinion on cyber hygiene eligibility requirement by group.

Q: Do You Support Using TRIP as a Model for a New Backstop for CCIs?

Group                           Yes      No       Does Not Explicitly Say
Private Citizens                100%     -        -
Cybersecurity                   87.5%    -        12.5%
Insurance-Affiliated Entities   66.7%    -        33.3%
Critical Infrastructure         50.0%    -        50.0%
Insurance Providers             42.8%    28.6%    28.6%
Table 7. Research questions and findings on catastrophic cyber incidents and insurance sector responses.
Problem: Catastrophic cyber incidents—events of low probability but high impact, with the potential to incur billions in damages—are prompting insurers to elevate premiums, create higher barriers for potential buyers, and tighten policies with exclusions. These responses have led to a notable gap in market protection.
Method: Content analysis of 56 unique comments submitted in response to the Treasury Department Request for Information. The answers commenters provided to the RFI questions were used to answer our research questions.
Research Questions and Findings (each question is followed by its findings):
What specific factors and conditions elevate a cyber incident to the level of a catastrophe, impacting businesses and society at large?
  • Suggested definition criteria: commenters stated that a cyber incident could be deemed catastrophic based on the total amount of business or insured losses, its dispersion across multiple entities and industries, the degree of critical services affected, and the type of threat actor responsible.
How can the impact of catastrophic cyber incidents be effectively mitigated, and what role does insurance play in this mitigation strategy?
  • Suggested mitigations: Multifactor authentication, employee cyber training, anti-data exfiltration software, endpoint detection and response software, robust patch management, data backups, and network segmentation.
  • The insurance industry can continue to require their policyholders meet a base level of cybersecurity to maintain their eligibility.
Does the current cyber insurance sector possess the necessary capacity to address potential catastrophic cyber incidents adequately?
  • It was the opinion of several commenters that the private insurance industry does not have the want or the capacity to address catastrophic cyber risk adequately.
  • Of those who answered the RFI question, 62% said yes, definitively, that they support the federal government stepping in to create a federal backstop for catastrophic cyber incidents.
If the current cyber insurance sector lacks sufficient capacity, what roles and methods of support can the government employ to enhance this capacity, and how can these governmental support mechanisms be effectively implemented?
  • Commenters largely support the federal government stepping in to create a federal backstop for catastrophic cyber incidents.
  • There was broad agreement that the Terrorism Risk Insurance Program could serve as a model for the backstop.
  • Most commenters felt that a base level of cybersecurity should be required of entities looking to be eligible for the backstop. Adding this requirement would help to combat a potential moral hazard problem.

Share and Cite

MDPI and ACS Style

Bace, B.; Dubois, E.; Tatar, U. Resilience against Catastrophic Cyber Incidents: A Multistakeholder Analysis of Cyber Insurance. Electronics 2024, 13, 2768. https://doi.org/10.3390/electronics13142768
