A list of industry trade groups have submitted a cautioning joint letter to the Federal Insurance Office (FIO) in response to its request for comments on a “Potential Federal Insurance Response to Catastrophic Cyber Incidents.”
The industry groups involved in the formation of the letter include the American Property Casualty Insurance Association (APCIA), The Council of Insurance Agents and Brokers, CyberAcuView, and The Wholesale & Specialty Insurance Association.
APCIA’s senior vice president of federal government relations, Nat Wienecke, suggests that the APCIA shares FIO’s objectives to examine catastrophic cyber risk for critical infrastructure, however, it strongly believes consideration of a federal insurance program may be premature.
Wienecke states, “First, the cyber insurance marketplace should be studied to identify whether there are specific long-term gaps impacting sectors that the private insurance market may not currently address.
“This is important to avoid the possibility of unintended consequences with developing a federal program. We look forward to continued engagement with FIO as it studies the cyber insurance market.”
In the joint letter, the industry groups state that the cyber insurance market is relatively young, with expectations that it will double in size every three years.
It notes, “Reinsurance is available and new carriers are entering the market. Establishing a federal program would need to identify specific long-term gaps that the private sector cannot address.
“If the program truly addresses gaps not provided in the private market, then the impacts on the market may be positive. There also may be no change to the availability of cyber insurance as the gaps that would be identified are not currently priced by insurers.”
The letter also cites experience with the Terrorism Risk Insurance Program (TRIP) suggesting that if a federal insurance program for catastrophic cyber risks was warranted, the group would have concerns with a TRIP-like structure.
For example, the letter notes that “mandatory make available” may not work, as it is hard to know what types of perils may be under consideration for such a structure that insurers would be willing to cover in whole, in part, or at all.
Additionally, the industry groups state that a TRIA-like certification requirement may not be workable. In sum, should such a system be contemplated, a TRIA-type approach may not be the right solution even if federal involvement is appropriate.
The letter concludes the groups appreciate the opportunity to provide comments to the FIO on this important analysis of the cyber insurance market.
It writes, “The study should also evaluate any potential impacts to the cyber insurance markets, positive or negative, in order to ensure no harm is done to any stakeholders. A thoughtful, deliberative approach to the study will help to prevent unintended consequences.”
