WASHINGTON— The Treasury Department is seeking public comment on whether major cyber incidents are being handled adequately under the federal Terrorism Risk Insurance Program, reopening debate over whether catastrophic cyberattacks may eventually require a government insurance backstop, Bank Info Security reported.
According to Bank Info Security, a new Federal Register notice asks whether cyber risks are sufficiently covered under the post 9/11 program, known as TRIP, which was created in 2002 to stabilize insurance markets after terrorist attacks by providing a federal backstop for insured losses tied to certified acts of terrorism once industry losses pass a set threshold.
Cyber events have long sat in a gray area under the framework because questions around attribution, intent and scale make it difficult to determine when a cyberattack might qualify as terrorism and how insurers should price the risk. Treasury, working with the Cybersecurity and Infrastructure Security Agency, is asking whether that ambiguity is leaving critical infrastructure operators exposed and whether changes to the program may be needed.
Still, analysts told Bank Info Security the effort appears to be exploratory rather than a sign of imminent action. Josephine Wolff of Tufts University said another request for comment suggests policymakers remain in the early stages, while University of Tulsa professor Tyler Moore said the cyber insurance market still is not equipped to absorb a widespread catastrophic event, particularly one involving critical infrastructure or other highly correlated losses.