Uncle Sam Re: Improving Cyber Hygiene and Increasing Confidence in the Cyber Insurance Ecosystem via Government Backstopping

H. Bryan Cunningham and Shauhin A. Talesh
Published in the Connecticut Insurance Law Journal.

The year 2020 was a wake-up call, for the world and specifically for the cyber insurance ecosystem. The COVID-19 global pandemic reminded insurers, observers, and policymakers that actual or newly plausible attacks—including catastrophic cyberattacks—could pose existential threats to the cyber insurance ecosystem. This article examines this risk through a hypothetical catastrophic cyberattack, interviews with sixty participants across the cyber insurance ecosystem, and recent scholarly work. We find that the risk of a catastrophic cyberattack to the solvency of the global insurance ecosystem is real and that cyber insurers have not, as yet, fulfilled their promise to meaningfully improve our collective cyber hygiene. We examine several key reasons for these findings, including both a lack of data and of stability in the cyber insurance market, problems of attribution in cyberspace, and increasing uncertainty about the enforcement of war exclusions in cyber insurance coverage disputes. We offer a prioritized and interconnected set of proposals to shore up the cyber insurance ecosystem and incentivize needed improvements to our overall cyber hygiene.

Specifically, we propose the “Catastrophic Cyberattack Resilience Act,” which would create a federally funded financial backstop for the cyber insurance ecosystem. In order to be eligible for such backstopping, insurers would be required to: comply with new data and infrastructure security and cyber incident reporting requirements; accept United States Government certifications of attribution as conclusive; and forgo enforcement of war exclusions in stand-alone cyber policies. Although scholars have explored aspects of the topics covered in this article, we believe ours is the first article to rely on in-depth interviews across the cyber insurance ecosystem, to specifically incorporate key findings and recommendations of the Cyberspace Solarium Commission and recent guidance from one of the first U.S. state financial regulators to address these issues in cyber coverage, and to provide a draft legislative solution addressing these reform needs, with specific implementing language. We offer these proposals not as a “silver bullet” but as part of an urgently needed debate to spur meaningful action before—not after—the catastrophe(s) likely to come, particularly in the absence of such reforms.
