
Cyber attacks: US studies potential federal insurance response

The US is exploring whether a federal insurance scheme to cover potentially catastrophic cyber attacks is needed, after a high-level government report warned the private insurance market and the country’s Terrorism Risk Insurance Program offer only limited protection.

The Federal Insurance Office and Homeland Security’s Cybersecurity and Infrastructure Security Agency have been charged with producing a joint assessment for Congress on the extent of risks facing the country’s critical infrastructure assets from catastrophic cyber attacks and the potential financial exposures resulting from these risks.

The two agencies will also set out whether a federal insurance response is warranted, the US Government Accountability Office says.

In a new report, the office says critical US infrastructure faces significant cybersecurity risks, with “threat actors” becoming increasingly capable of exploiting vulnerabilities to carry out such attacks.

These attacks have generally increased in frequency and cost, and while the two US agencies have taken steps to understand the financial implications of growing cybersecurity risks, they have not assessed the extent to which risks to critical infrastructure from cyber incidents and potential financial exposures warrant a federal insurance response.

Critical infrastructure refers to the systems and assets, whether physical or virtual, so vital to the US that their incapacity or destruction would have a debilitating effect on political and economic security, economic stability, national public health or safety, and/or any combination of those issues.

The report says cyber insurance and the terrorism risk insurance program are limited in their ability to cover potentially catastrophic losses from systemic cyberattacks.

Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware, but the report points out private insurers have been taking steps to limit their potential losses from systemic cyber events.

Some insurers are excluding coverage for losses from cyber warfare and infrastructure outages, the report says.

The terrorism insurance program covers losses from cyber attacks only if they are considered terrorism, but such events may not meet the program's criteria to be certified as terrorism – even if they result in catastrophic losses. Attacks must be “violent or coercive in nature” to be certified.

The US Insurance Information Institute says the Government Accountability Office’s report highlights the potential insufficiency of traditional risk-transfer products to address increasingly complex and costly threats.
