The Bank of America (BoA) has reportedly raised concerns over cyber war exemption clauses for insurers written by Lloyd’s of London that came into effect last month. But US businesses like the bank could get an additional safety net in the form of a federal “backstop” which would cover the losses sustained by businesses in large-scale cybersecurity incidents.


The BoA, one of the ‘Big Four’ US financial institutions, expressed unease at the exemption clauses during several meetings with Lloyd’s, according to a report in the FT. The new clauses mean the impact of state-backed cyberattacks is excluded from cyber insurance policies.

Why cyber war exemption clauses in insurance are controversial

The threat of large-scale attacks to the private sector has been exacerbated by the Ukraine war and is getting larger by the week, the UK’s National Cyber Security Centre said yesterday. A new class of cybercriminal has emerged that is aligned with the Russian state and seeks to incite chaos as well as carry out financially motivated attacks.

The line between state-sponsored attacks and financially motivated cyberattacks is blurred, and companies find themselves at risk of major losses if they are hit. The loss of insurance cover is a further source of anxiety for businesses such as the BoA.

However, the insurance industry argues the potential losses it could sustain by covering large-scale cyberattacks are so great that premiums would have to be astronomically high to sufficiently cover businesses. Andrea Rebora, cybersecurity associate at PwC, told Tech Monitor last year: “They don’t have enough money for everyone. The amount of money necessary to cover the potential clients is too great. It’s an absurd amount of money.”

Paul Benda, senior vice-president for operational risk and cybersecurity at the American Bankers Association, said that such changes may cause ripples through US financial regulation. “The US banking industry takes its commitment to cybersecurity very seriously,” he told the FT. “[That] includes a layered approach to managing operational risks, and cyber-risk insurance is one of those layers. Any changes in those protections [are] understandably a cause for concern.”

US government could introduce a federal cyber backstop

An alternative safety net, which does not lean so heavily on the insurance industry, has been suggested in the US government’s recently published National Cybersecurity Strategy. The document suggests the exploration of a federal cyber insurance backstop. “In the event of a catastrophic cyber incident, the Federal Government could be called upon to stabilise the economy and aid recovery,” it explains.

Responses to this suggestion, gathered by the US Federal Insurance Office at the end of March, are favourable. It was suggested the US government could “create a new structure loosely modelled on, but separate from, the Terrorism Risk Insurance Act (TRIA) and the Terrorism Risk Insurance Program (TRIP),” but dedicated to addressing catastrophic cyber risk, rather than the fall-out from a large-scale terrorist attack.

This is similar to the approach proposed by insurance industry body Pool Re and the UK government earlier this year. Insurance industry leaders reportedly held talks with the Treasury in January to discuss whether Pool Re’s terrorism reinsurance scheme might be tweaked to cover large-scale cyberattacks. The Treasury has yet to take a public position on the matter.
