White House working on cyber insurance policy proposal for ‘catastrophic’ incidents

LAS VEGAS — The White House is working on a new policy centered around cyber insurance used for catastrophic cyber incidents. 

At the Black Hat cybersecurity conference on Thursday, National Cyber Director Harry Coker said his office is working with the Department of Treasury’s federal insurance office as well as officials at the Cybersecurity and Infrastructure Security Agency (CISA) on the effort. 

Coke said a policy proposal from the three departments will be released by the end of the year that will address cyber insurance — which he said should be designed to “manage risk and not avoid risk.”

Officials at the Office of the National Cyber Director (ONCD) said the effort was hinted at in the National Cybersecurity Strategy released last year, which stipulated the federal government would explore ways to “stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur.”

“In the event of a catastrophic cyber incident, the Federal Government could be called upon to stabilize the economy and aid recovery. Structuring that response before a catastrophic event occurs — rather than rushing to develop an aid package after the fact — could provide certainty to markets and make the nation more resilient,” the strategy said. 

“The Administration will assess the need for and possible structures of a Federal insurance response to catastrophic cyber events that would support the existing cyber insurance market. In developing this assessment, the Administration will seek input from, and consult with, Congress, state regulators, and industry stakeholders.”

Coker told the audience that one of the biggest issues is around actuaries, who perform risk assessments for insurance policies that include examinations of companies' cybersecurity practices, protections and more. 

“We're working through one of the challenges, which is around the actuaries. Do we have sufficient data to make the cyber insurance market more mature? That's an area that we're focused on,” he said.

ONCD officials were tight-lipped about the specifics of the effort and what the end goal will be, but a spokesperson told Recorded Future News that their office, alongside CISA and the Department of the Treasury have since determined that there “exists a gap with respect to the insurance market’s ability to respond to catastrophic cyber incidents.” 

The agencies are now exploring policy interventions that would “both improve national cybersecurity posture and provide market certainty when catastrophic events occur.” 

“ONCD, Treasury’s Federal Insurance Office, and CISA are in lockstep on this effort, working on a proposal together. We are also actively engaging with both the insurance industry and policyholder community to understand different stakeholder needs,” the spokesperson said. 

The cyber insurance market has long been a source of controversy due to many experts’ belief that insurance payments are fueling the increase in ransomware attacks. Organizations have often paid ransoms with the understanding being that payments will eventually be covered by cyber insurance policies. 

Some ransomware gangs even target victims and calibrate ransom demands based on the insurance policies discovered during hacks. There have also been protracted legal fights over what role the cyber insurance market should play when it comes to cyberattacks launched by nation-states.