US businesses struggle to obtain cyber insurance, lawmakers are told
Experts and industry representatives told lawmakers at a Thursday hearing that U.S. businesses face obstacles in obtaining the cybersecurity insurance they need to hedge against the impact of breaches.
At the hearing before the House Homeland Security Committee’s cyber-focused subcommittee, Kimberly Denbow, the vice president of security and operations at the American Gas Association, said that cyber insurers willing to write policies for natural gas utilities are limited and that when policies are available their terms are difficult to understand.
“The terms of exclusions vary widely and are difficult for many operators, particularly smaller ones, to understand what is covered,” Denbow said. “Owner-operators would benefit from standardized cyber insurance policy language definitions and applications that are simpler and more streamlined.”
Cyber insurance typically does not cover acts of war, and at a time when cyber operations by states that target critical infrastructure are becoming more common, businesses are questioning whether their insurance policies will cover damages that might be linked to an ongoing conflict, said Matthew McCabe, the managing director of cyber broking at the insurance agency Guy Carpenter & Company.
The difficulty of modeling cyberattacks and their impact has pushed insurance premiums up, prompting some to call for a so-called “backstop” for the market, in which the federal government would step in and guarantee large-scale insurance losses.
“What the backstop is about is the companies that are going to be left with that risk on their own books, and how is the government going to help those small, medium-sized and large businesses that are going to be impacted?” McCabe said.
While insurers are eager for the financial protection of the federal government, experts caution that building such a backstop faces major hurdles. In its national cybersecurity strategy, the Biden administration said it would explore the creation of a backstop, but such a mechanism is far from being enacted.
“Lack of models to accurately assess risk and lack of consistency in terminology and coverage have created a lot of friction in the cyber insurance market,” said Rep. Eric Swalwell, D-Calif. “These dynamics have created a perfect storm: demand for cyber insurance has increased, premiums have gone up and some insurers are reluctant to write policies. So we are in a unique position to bring certainty and stability to the market.”
Uncertainty regarding the state of the cyber insurance market comes as officials at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency have warned that the sprawling and largely privately owned critical infrastructure sectors should not expect to be entirely successful at fending off hackers. Owners and operators should also focus on ensuring that critical systems are resilient against attacks to fend off worst-case scenarios, officials have warned, citing increasingly aggressive efforts by Chinese-backed hackers to embed in critical infrastructure networks.
Speaking at an event on resilience Wednesday, Brandon Wales, executive director of CISA, called Beijing’s shifting operations “game changing.” Pointing to the cyberattack by Russia at the start of the Ukraine invasion, he noted that it is likely “the first shot in the next war will also be in cyber targeting critical infrastructure.”
“Ultimately, we’re never going to stop them everywhere,” Wales said, “and our goal is to build more resilient critical infrastructure that can withstand the disruptive attacks that they hope to achieve.”