A government watchdog has warned that private insurance companies are increasingly backing out of covering damages from major cyberattacks — leaving American businesses facing “catastrophic financial loss” unless another insurance model can be found.
The growing difficulty of covering cyber risk is outlined in a new report from the Government Accountability Office (GAO), which calls for a government assessment of whether a federal cyber insurance option is needed.
The report draws on threat assessments from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Justice to quantify the risk of cyberattacks on critical infrastructure, identifying vulnerable technologies that could be attacked and a range of threat actors capable of exploiting them.
Citing an annual threat assessment released by the ODNI, the report finds that hacking groups linked to Russia, China, Iran, and North Korea pose the greatest threat to US infrastructure — along with certain non-state actors such as organized cybercriminal gangs.
Given the broad and increasingly skilled range of actors willing to target US entities, the number of cyber incidents is growing at an alarming rate.
“Although federal agencies do not have a comprehensive inventory of cybersecurity incidents,” the report reads, “several key federal and industry sources show (1) an increase in most types of cyberattacks across the United States — including those affecting critical infrastructure, and (2) significant and increasing costs for cyberattacks.”
In 2016, US businesses and public bodies were hit with a total of 19,060 incidents in the four main categories — ransomware, data breaches, business email compromise, and denial-of-service attacks — with a total cost of $470 million, according to a GAO analysis of FBI reports. In 2021, there were 26,074 incidents, and the total cost was close to $2.6 billion.
The report also cites specific incidents that have had a spillover effect on the broader economy, notably the cyberattack on the Colonial Pipeline that took a 5,500-mile-long fuel transport operation offline. In that attack, the pipeline operator paid a ransom of $4.4 million to the hackers — despite advice from law enforcement agencies that ransom demands should always be rejected.
Spooked by the prospect of having to cover such large losses, private insurers are backing out of the market by excluding some of the most severe cyberattacks from coverage under their policies. While data breaches and ransomware attacks are generally still covered, the report finds that “private insurers have been taking steps to limit their potential losses from systemic cyber events,” declining to cover losses incurred through acts of cyber warfare or deliberate targeting of infrastructure.
According to the US Department of the Treasury, some insurers have also been mitigating their exposure by lowering the maximum amount that a policy will pay out in the event of a cyberattack and/or raising premiums in an attempt to protect themselves from losses. There is further evidence that some insurance companies are pulling back from coverage in infrastructure sectors entirely, the GAO found, judging the risk of attack as too high.
Overall, the GAO report recommends that CISA and the Federal Insurance Office undertake an assessment of whether the above factors necessitate a federal insurance response along the lines of FDIC insurance for bank deposits and the National Flood Insurance Program.