RIMS voices support for federal cyber insurance backstop
Cyberattacks hitting critical infrastructure could result in debilitating losses across sectors ranging from health care to retail.
The Risk and Insurance Management Society (RIMS) has voiced support for a federal cyber insurance backstop, noting risk management professionals are likely to support a “well-crafted cyber insurance backstop,” according to a letter to the Federal Insurance Office.
A survey of risk managers found 80% support a federal cyber insurance backstop, while 11% of risk managers surveyed were uncertain and 10% opposed the idea, RIMS reported.
However, risk managers have voiced some concerns about a potential federal cyber insurance program. RIMS noted that any solution should consider whether the scope of the program should be limited to critical infrastructure or extended to all organizations. Since cyberattacks on critical infrastructure can send shockwaves through different sectors of the economy, RIMS supports extending any federal backstop to all organizations.
“For a business that itself is critical infrastructure and is attacked, such as a utility provider or major food provider, the second-order losses caused by the attack would be widespread and deep,” Mark Prysock, general counsel & vice president of advocacy for RIMS, wrote in the letter. “But other sectors could also be severely impacted.”
Giving grocery stores, banks, health care providers and pharmacies as examples, Prysock said these businesses might have backup capacity for only a few days.
“Beyond that, food would spoil, certain drugs would be rendered unstable and unusable, and banks could not process transactions to allow the remaining businesses to remain functional,” Prysock wrote. “Without access to a federal backstop, these organizations could sustain debilitating losses because of a cyberattack on critical infrastructure.”
Additionally, RIMS argued that the private market is not offering sufficient coverage for catastrophic cyber incidents. RIMS reported 91% of organizations surveyed have cyber insurance, and 53% have limits above $10 million. However, many respondents said the private market couldn’t provide them with the limits they truly desired. In fact, 73% of organizations with limits below $10 million said they would have purchased higher limits if they were available for a reasonable premium, according to RIMS.
Program shouldn’t loosen safeguard standards
The insurance trade group also noted that creating a federal cyber insurance program likely wouldn’t cause organizations to take unnecessary risks or fail to implement cybersecurity protocols. A RIMS survey found that nearly 60% of companies’ cyber policies do not require security controls beyond those the companies already have in place.
Further, 32% of survey respondents said they would purchase a cyber policy even if it required them to enhance their cybersecurity programs, according to RIMS.
In addition, RIMS said a federal backstop shouldn’t require new cybersecurity standards but should instead adhere to one of the many standards already set by governments, regulatory bodies and nongovernment organizations, such as the International Standards Office, New York State’s Department of Financial Services cybersecurity standards or those laid out in the FTC’s stipulated order and injunction against Equifax.