Enhancing cybersecurity through a targeted backstop
The past year has seen increased regional physical conflicts that heighten the risk of escalated cyber operations by state-backed actors, exemplified by recent U.S. agency warnings urging critical infrastructure to remain vigilant following strikes against Iran.
Their warning underscores how critical infrastructure sectors, including electric utilities, telecommunications, financial institutions and transportation entities such as airlines and Class I freight railroads, form the foundation of our economy and national security. Predominantly owned and managed by the private sector, these companies bear the responsibility of defending against cyber threats from various actors, including hostile nation-states with sophisticated capabilities.
This dynamic compels the U.S. government to establish programs that bolster cyber defense and resilience of critical infrastructure. For years, discussions have taken place between industry and government about developing a federal backstop that would offer private companies the option to insure against catastrophic losses resulting from cyberattacks. Federal support of risk transfer for catastrophic cyber losses would ultimately strengthen national cyber resilience. While many insurers and policyholders support this idea, consensus has yet to be reached on key issues such as the scope of coverage and the conditions under which coverage would trigger. The current divided political climate further complicates support for such initiatives.
Industry and government should not give up on a federal cyber backstop. Such a program would take minimal cost to establish while providing significant incentives for enhancing resilience. Rather than abandon the initiative, policymakers should pivot to adopting a targeted approach that focuses on the most critical infrastructure sectors.
High priority sectors such as electric utilities, telecommunications, financial institutions and transportation systems are crucial for sustaining societal functions. By focusing on these industries, we can simplify the analysis required to determine retention and risk-sharing factors, leading to more efficient and effective risk management strategies. A targeted reinsurance program could offer these sectors the financial support needed to manage risks often excluded from traditional insurance policies. Targeted risk transfer could also offer an effective method for delivering payments to the numerous downstream businesses that depend on these essential infrastructure companies and would face losses due to their outages. Eventually, the targeted backstop could be expanded across industry based on lessons learned from the early adopters.
Pilot programs for sector-specific solutions
Potentially, Congress could implement a targeted reinsurance program by treating each industry sector as an individual pilot program. This approach would allow for a tailored examination of the unique risks and challenges each sector faces, facilitating the development of customized solutions that meet their specific needs. For example, systemically important financial institutions may require different risk assessments and coverage options than transportation companies. By addressing each sector separately, we can develop targeted and effective reinsurance programs that will support the most vital U.S. infrastructure.
Reducing federal exposure
A targeted reinsurance program focused on critical infrastructure will also help mitigate the federal government’s exposure. Policymakers have often hesitated to endorse larger government initiatives due to concerns about costs and potential liabilities. By concentrating on the most critical sectors, we can explore the benefits of a reinsurance backstop that encourages companies to transfer the financial impact risk of a large cyber event. Industry-specific solutions may clarify for policymakers the benefits of preparing for large financial losses, versus responding to large events with major spending bills. This focused strategy not only clarifies the associated risks but also emphasizes the potential for a more sustainable and manageable government role in supporting critical infrastructure.
Shifting the focus from insurance to industry
By concentrating on highly critical infrastructure, we can shift the emphasis from insurance to industry. A key component of a federal reinsurance backstop would be to underwrite risks currently not covered in the market. This includes losses typically excluded due to acts of war or hostilities, as well as losses stemming from outages of essential services such as utilities or internet providers. These risks are often omitted from cyber insurance policies because they potentially pose catastrophic financial implications for insurers. By providing a federal backstop for these exposures, we can establish a more comprehensive risk-transfer mechanism that enhances the resilience of critical infrastructure.
This approach does not create a windfall for the insurance industry; rather, it strategically facilitates risk transfer for exposures that insurers are currently unwilling to accept. By offering a federal reinsurance backstop, we can encourage the insurance industry to engage with these high-risk areas, ultimately leading to a more robust and resilient insurance market. This collaboration between government and the private sector can drive innovation and create new opportunities for risk management solutions.
Minimal cost with significant impact
In establishing this program, we can ensure that the federal government is prepared to respond effectively to catastrophic events while minimizing the financial burden on taxpayers during non-crisis periods. A targeted reinsurance program would require minimal cost to establish and existing offices at the Treasury Department could administer and oversee its development.
The existence of the backstop to respond to catastrophic cyber losses could ultimately save millions of dollars in reducing wasteful spending and fraud by alleviating the need for post-event government intervention and eliminating the rapid release of funds with limited oversight, as occurred in the wake of Covid-19 or Hurricane Katrina. Most importantly, a targeted reinsurance program focused on critical infrastructure ultimately enhances the resilience of our economy and society.
Looking forward
The reality of geopolitical risk is that malicious cyber operations can disrupt critical infrastructure, inflict catastrophic losses and jeopardize economic and national security. A federal cyber backstop that prioritizes highly critical infrastructure can be more easily achieved, while still demonstrating an effective risk management strategy that reduces federal exposure and clarifies the need for government support. Through sector-specific pilot programs, we can tailor solutions to address the unique challenges faced by each industry, ultimately fostering collaboration between the government and the private sector. This effort to prepare for major events is a pivotal step toward building a more resilient infrastructure capable of withstanding future challenges. By investing in this targeted approach, we can protect our critical infrastructure and provide a more secure and prosperous future.
DISCLAIMER: Matt McCabe is the U.S. and Canada Cyber Coverage Leader for Marsh McLennan, a broker in both the cyber insurance and cyber reinsurance markets, and has testified in support of a federal reinsurance program for catastrophic cyber risk.