Potential Federal Insurance Response to Catastrophic Cyber Incidents
CBI responds to FIO’s request for public comment.
A pdf of CBI’s comments is available here → link.
The Centers for Better Insurance, LLC (CBI) is an independent organization committed to enhancing the value the insurance industry delivers to all stakeholders (including policyholders, employees, and society at large). CBI does so by making available unbiased analysis and insights about key regulatory issues facing the industry for use by insurance professionals, regulators, and policymakers. Additional information regarding CBI is available on the web at www.betterins.org or by email request at firstname.lastname@example.org.
These comments respond to Treasury’s Notice appearing at 87 FR 59161 (September 29, 2022) seeking comment on questions related to cyber insurance and catastrophic cyber incidents. Specifically, CBI addresses Question 7 with respect to an appropriate structure for a cyber catastrophe program.
The Role of the Insurance Mechanism
At its most fundamental, the role of the insurance mechanism is to aggregate a sufficiently large number of individually unpredictable and collectively uncorrelated risks of loss into a common and predictable risk pool.
The classic illustration, drawn from the origin story of insurance, is that of the separate owners of ten ships that each intend to send one ship on a perilous journey to different parts of the world. No one shipowner can predict whether their ship will fail to return, thereby casting its owner into financial ruin. However, collectively the ten shipowners can reasonably predict based on years of experience with similar such journeys that one of the ten ships will fail to return. By agreeing to spread the cost of that lost ship among themselves the ten shipowners transform an individually unpredictable and ruinous chance of a total loss into a more predictable and manageable certainty of a defined loss. For example, if each ship has a value of $10 million and each shipowner faces a 10% chance of losing their ship, without insurance each shipowner must manage the prospect of a ruinous loss of $10 million without insurance. After buying insurance, each shipowner transforms that 10% chance of a $10 million loss into a 100% chance of losing a far more manageable $1 million.
This core function of insurance — transforming individually unpredictable and ruinous chances of loss into a predictable and manageable certainty of loss — has remained largely unchanged over the centuries. Today, policyholders trade their individually unpredictable and ruinous risks (e.g., financial liability for causing a serious car accident or destruction of one’s home by fire) for the certainty of paying a set annual premium.
The insurance industry describes those individually unpredictable risks that can be aggregated into a collectively predictable frequency and severity of loss as “insurable.” Risks that cannot be transformed through aggregation into reasonably predictable outcomes (or when aggregated those outcomes become too large for the insurance mechanism to handle) are described as “uninsurable.” Of course, no exposure to loss is perfectly insurable or perfectly uninsurable. Rather than binary, it is better to think of insurability as a sliding scale on which exposures to loss are more or less insurable (or more or less uninsurable).
The Business of Insurance
Insurance companies make money in two basic ways: The Spread and The Float.
The Spread (or underwriting income) is the difference between the premiums charged for insurance and the losses payable by the insurer plus the expense of running the insurance company. According to the National Association of Insurance Commissioner’s (NAIC) review of the U.S. Property and Casualty Insurance Industry’s performance in 2021, the industry had a net (after reinsurance) loss ratio of 72.5% and expense ratio of 27.3%. These numbers tell us three things on average for property and casualty insurance:
1. 72.5¢ of each unreinsured premium dollar is returned to policyholders through claims payments and claims expense;
2. 27.3¢ of each unreinsured premium dollar is consumed in running the insurance business;
3. The remaining 0.4¢ of each unreinsured premium dollar represents The Spread or underwriting profit.
Of course, the allocation across claims, expenses, and profit differs every year and differs by line of business (and certainly differs by insurer). For example, in 2013 the net loss ratio was 67.2% and the expense ratio was 28.1% leaving a comparatively generous spread of 4.7%.
The Float represents the fact that policyholders pay their premiums upfront and insurance companies pay losses later — sometimes years after the policy has expired. During that time the insurance company earns investment income in amount representing unearned premiums and future claims payments. Long-tail lines of business such as certain liability lines and workers compensation insurance may significantly benefit from the float. Short-tail lines such as automobile insurance and property insurance benefit significantly less.
Finally, the insurance mechanism must be financially prepared to honor its obligations if losses turn our worse than predicted or the predicated losses occur unevenly over time. Likewise, the insurance mechanism must be prepared to manage its finances if investment returns ultimately prove less than expected. Accordingly, insurance companies hold capital (known as policyholder surplus in the United States) against an unexpected shortfall in The Spread and The Float. Of course, the providers of that capital (e.g., shareholders) expect a return.
What Insurance Does and Does Not Do
The insurance mechanism is very effective at transforming individually unpredictable risks of loss into a predictable shared pool of loss. Insurance is not capable of transforming a dollar of loss into something less than a dollar of loss. Rather, the insurance mechanism cuts that dollar into tiny pieces and allocates those pieces out to a pool of millions of policyholders. The insurance mechanism’s fee for this service is about 25%-30% of the loss. Moreover, each insurer must hold and pay for capital (policyholder surplus) to cover losses greater than its prediction and investment returns less than its prediction.
To use our shipowner illustration, the insurance mechanism allows each shipowner to transform $10 million of unpredictable loss into $1.25 million of loss (when insurer expense is added). Accordingly, each shipowner pays a premium of $1.25 million for a total cost of $12.5 million. This arrangement is still favorable compared to each shipowner facing a loss of $10 million, but it does show that there are significant frictional costs to consider. Moreover, the insurance mechanism backing these ships must hold $10 million or $20 million extra to guard against the possibility that 2 or 3 ships are lost in a single year (rather than the 1 predicted). Finally, the insurer does earn investment returns between the time it receives the upfront premium and pays out losses. However, the insurer must select investments that are low risk and liquid so that it is certain to have the funds to immediately pay when called upon to do so.
While the main function of insurance is to aggregate and allocate risk, the mechanism does have several collateral features.
First, the insurance mechanism tends to invest in knowledge, capabilities and technology that allows it to better understand, differentiate, and measure risks, the drivers of risk, and the results of risks. For example, the insurance industry has invested heavily in developing hurricane models, both probabilistic (i.e., the likelihood of a hurricane) and deterministic (i.e., what damage would a hurricane cause). These models help insurers better understand how much risk is in their respective portfolios and how much capital should be held against those risks.
Second, the insurance mechanism sends economic signals about risk. In general, insurance companies will tend to charge less to a policyholder that has mitigated its risk (e.g., installed roof tiedowns in a hurricane zone). Likewise, insurance companies tend to charge more to a policyholder that presents a higher risk of loss (e.g., beachfront construction). In the extreme, insurance companies will simply refuse to offer insurance to an unacceptable risk.
Third, insurance companies together or separately can leverage scale to capture efficiencies and develop expertise around claims cost reduction, policyholder education, research, standards-setting, and ancillary services such as consulting.
The Catastrophic Cyber Risk
GAO has characterized the catastrophic cyber risk as:
1. Impacting critical infrastructure with increased frequency and severity; and
2. Demonstrating a potential for systemic cyber incidents.
With the basic insurance model discussed above in mind, GAO is flagging that catastrophic cyber risk is sliding (more) toward uninsurablity because of:
1. Collective Unpredictability — The aggregate frequency and severity of cyber-attacks are not stable such that insurers find it increasingly difficult to make credible predictions of how many cyber-attacks to expect and how large those cyber-attacks will be. Recall that the core function of insurance is to transform individually unpredictable risk into a pool of collectively predictable risks. GAO indicates a concern that aggregating many individual cyber risks simply creates an unpredictable pool of cyber risks.
2. Correlation Among Policyholders — Cyber-attacks are more often targeting infrastructure such as power, water, and supply chains on which many businesses, local governments, nonprofits, and families depend. Accordingly, one cyber-attack can lead to losses across a large number of separate policyholders through these interdependencies and knock-on effects.
3. Unmanageable Scale — The amount of total loss from such a cyber-attack is potentially so large as to overtake the available capital of the insurance industry. Importantly, insurers use the very same capital to back cyber-risk as they use to back automobile insurance, homeowners insurance, workers compensation insurance, liability insurance, and commercial property insurance. If an insurer’s capital cushion is overwhelmed by one line of businesses, it is overwhelmed for all lines of business.
Against these observations, FIO and CISA seek public comment whether there is some role the federal government could play in nudging the catastrophic cyber risk back toward insurability or whether the federal government should take an entirely different approach to catastrophic cyber-risk transfer.
Three Basic Models of Government Insurance-Related Programs
Governments possess one unique capability unavailable to private insurance companies: The authority to levy taxes. Most importantly, the ability to levy tax allows governments to wholly or partially post-fund insurance risks. While a private insurance company must collect an adequate premium upfront and hold capital (policyholder surplus) against the risks it assumes, a government is obliged to do neither.
A government-backed insurance program can charge inadequate or even no premiums at all and hold little or no capital against the risks it assumes. The Terrorism Risk Insurance Program is a perfect example. TRIP assumes up to $100 billion of annual risk without collecting a penny of premium or holding a dollar of capital. Instead, TRIP backs its promises solely on the full faith and credit of the United States government (i.e., the federal government’s ability to levy taxes to satisfy its obligations). Similarly, the NFIP charges demonstrably inadequate premiums and survives only because it has a $30 billion line of credit (most of which it has used) with U.S. Treasury.
State governments have far less credit than the federal government. Accordingly, state insurance programs are typically constructed through off-balance sheet entities granted statutory authority to levy special assessments.
While government intervention opens the door to a wide range of low-cost risk financing options, post-event financing can profoundly corrupt risk-based pricing by disconnecting the cost of risk from those that create the risk. For example, the Florida Hurricane Catastrophe Fund (FHCF) largely supports coastal residential windstorm risks. When the FHCF runs a deficit, it is authorized by statute to levy multiyear assessments on statewide policyholders of automobile insurance, liability insurance, and commercial and personal property insurance. Through this tax, the FHCF spreads the cost of risk created by coastal residents onto all Florida families, businesses, and nonprofits. Moreover, by securitizing future assessments the FHCF is spread this cost over many years such that the cost of risk created by current Florida residents will be borne by future Florida residents.
Over the last fifty years, three basic models have evolved for government support of “uninsurable” property and casualty risks:
1. State-Based Programs — By far the most prolific model does not involve the federal government at all. There are well over one hundred state-based involuntary market mechanisms in the United States spanning natural catastrophe risks, workers compensation, automobile insurance, and medical malpractice insurance. The mechanics of these programs vary widely. In general, state-based programs force the aggregation and allocation of uninsurable risks through the insurance mechanism while imposing the excess cost of these risks onto a broader policyholder base through assessments or increased insurer expenses. The most sophisticated of these programs have developed techniques to also spread excess costs over time through securitized debt financing. Examples of state-based programs include the Florida Hurricane Catastrophe Fund, Florida Citizens Property Insurance Company, Mississippi Windstorm Underwriting Association, Texas Windstorm Insurance Association, and the California Earthquake Authority.
2. Pure Federal Programs — Under pure federal programs, the private insurance sector provides fee-based services on both the frontend (e.g., distribution, underwriting, premium collection) and backend (e.g., claims handling). The excess cost of risk stays entirely with the federal taxpayer. The National Flood Insurance Program is the most prominent example of a pure federal program.
3. Hybrid Programs — More recently, Congress has explored hybrid programs in which the various state legislatures and regulators manage the day-to-day regulatory framework, the insurers provide frontend and backend services, and the cost of risk is divided among insurers, a broad base of policyholders, and the federal taxpayer. The Terrorism Risk Insurance Act is the most noteworthy example of a hybrid program.
Each of these models has advantages and disadvantages in the context of a particular risk. For example,
1. Spread of Cost of Risk — A state-based program is capable of spreading the cost of risk only through insurers that do business in the state and only onto policyholders that reside in the state. Limiting the cost-spreading to a single state may be appropriate where the peril is regional (e.g., hurricane, earthquake) and the state political process decides controllable drivers of insurability (e.g., building codes, enforcement, insurance pricing regulation). A pure federal program may be best suited where the peril exists throughout the country, national policymakers regulate the drivers of risk, and policymakers prefer to subsidize the cost of that risk on a national rather than regional basis (e.g., NFIP).
2. Economic Signals about Risk — State-based and pure federal programs tend to both dampen and distort economic signals about risk-taking by policyholders. These programs dampen economic signals by charging individual policyholders less than the true cost of their respective risks. These programs also distort pricing signals by making arbitrary or scientifically unsupported differentiations among similar risk attributes to favor or disfavor certain classes of risk or certain constituencies. Hybrid programs tend to somewhat dampen but not distort pricing signals by relying on market pricing. However, hybrid programs are far more easily gamed by participating insurers and sophisticated policyholders.
3. Policyholder Education and Risk Mitigation Investment — Pure federal programs and to a lesser extent state-based programs are better positioned to make investments in improving policyholder education about risk and leading risk mitigation research, strategies, and implementation. The diffuse responsibility for managing and operating hybrid programs results in a lack of ownership over education and mitigation of risk. For example, the National Flood Insurance Program is far more heavily committed to education, research, and risk reduction of the flood risk than the hybrid Terrorism Risk Insurance Program is committed to education, research, and risk reduction of the terrorism risk.
The scale, complexity and dynamics of the catastrophe cyber risk suggests it would be best managed through some sort of a hybrid program. Catastrophe cyber is not a regional risk but a national risk suggesting a federally led program is more appropriate. Catastrophe cyber is also a rapidly evolving risk suggesting some level of private market agility would be beneficial. It is also believed individual policyholders can take mitigatory action to reduce risk and limit impact suggesting the utility of appropriate risk-based economic signaling. Finally, catastrophe cyber risk presents an enormous potential economic and operational impact leaving the federal government as the only credible financial backer for extreme events.
A hybrid cyber catastrophe program offers policymakers far greater flexibility in program design and a range of options in terms of federal financial and administrative investment. A well-designed hybrid cyber catastrophe risk program has the potential to harness market efficiency and pricing by leveraging the private insurance industry’s frontend and backend capabilities coupled with mandatory strategic private market capital commitments.
As evidenced by the Terrorism Risk Insurance Program, the main risks of a hybrid program for catastrophe cyber risks include:
1. Lack of Clear Regulatory Accountabilities — While the Federal Insurance Office (FIO) has authority to issue regulations under TRIP and administer insurer reimbursements, day-to-day regulation of and enforcement actions against participating insurers is left entirely to the 56 state insurance commissioners with no reporting to or discernible oversight from FIO. As a result, it is not clear whether any regulatory authority feels responsibility to drive mitigation of the terrorism risk through the insurance mechanism. It may not even be clear where ultimate responsibility for the success or failure of the program resides. Fortunately, the program has not had to respond to any terrorism events such that this uncertainty in accountability has largely remained below the surface. In contrast, the cyber exposure should be expected to constantly test regulatory accountabilities.
2. Gaming of the System — A hybrid program like TRIP can achieve great efficiencies by leveraging private market underwriting, pricing, and claim management discipline. Along with those positive attributes necessarily comes private market ingenuity in gaming the program for unfair advantage. The Terrorism Risk Insurance Program is rife with gaming by both participating insurers that do not fairly disclose the premium charged for terrorism coverage, and large corporate policyholders that have set up their own personal insurance companies (captives) to exploit the program.
3. Overplaying the Hand — A hybrid program such as TRIP engineers a quid pro quo between the federal government and private insurers. In that case, the program requires every insurer to offer coverage against terrorism losses within its commercial property and casualty insurance policies, such as commercial property insurance and commercial liability insurance. In exchange, the federal government reimburses participating insurers for part of the losses incurred under that coverage. Accordingly, if an insurance company wants to be in the commercial property insurance business it also must be in the terrorism insurance business. Conversely, if an insurance company wants to get out of the terrorism insurance business it also must leave the commercial property insurance business — which it would be loath to do. So far, Congress has struck the right balance with respect to terrorism risk (which has turned out to have a much lower frequency than originally expected). There is no reason to believe that the program calibration that currently works for TRIA (e.g., the levels of the insurer deductible, co-share, and liability cap) would work for cyber.
The Terrorism Risk Insurance Program is the best starting point from which to consider a cyber catastrophe insurance program. However, policymakers should appreciate that many of the most vital aspects of TRIP (such as claims payments, compliance, policyholder rejections of coverage, taxpayer acceptance of post-event assessments, exploitation by captives, and program resiliency) are entirely untested. Therefore, TRIP should be seen as a reasonable jumping off point to consider a cyber program but very unlikely to be an appropriate ending point.
With regard to the specific points raised in Question 7:
· Participation — A hybrid program such as TRIP relies on market forces to set underwriting standards, set risk-based pricing, detect fraud, and manage claim payouts. Accordingly, only insurers that are reliably and demonstrably subject to market forces in underwriting, pricing and claim handling should be permitted to participate. Most importantly, captive insurers (which are secretive, personal insurance companies operating largely outside of market forces and public or regulatory oversight) cannot be included.
Insurers that operate outside of state market conduct protections should likewise be excluded from the program. State insurance regulators have little or no oversight with respect to the market conduct of alien insurers (such as Lloyd’s syndicates) and domestic insurance companies operating as surplus lines or nonadmitted insurers. Instead, participation should be limited to insurers that are properly licensed and rigorously supervised by the jurisdictions in which they write insurance.
· Scope of Coverage — The scope of eligible policyholders and eligible lines of insurance must reflect the objectives of the program. If the objective of the program is to provide financial support to owners and operators of critical infrastructure so that they can restore service as soon as possible, the program should be limited to commercial property insurance (including business income coverage) for owners and operators of critical infrastructure. If the objective of the program is to provide financial support to small businesses, nonprofits, families, and others impacted by disruption to critical infrastructure then the scope of eligible policyholders necessarily enlarges, and the lines of business should be expanded to include homeowners and renters insurance. If the objective of the program includes shielding negligent businesses from liability, then certain immunities such as those enacted pursuant to the Support Anti-terrorism by Fostering Effective Technologies Act of 2002.
· Cybersecurity Measures — The most efficient and effective means for the federal government to establish and enforce cybersecurity measures would be to do so directly. While certain insurers may have developed proprietary units specialized in analyzing and advising on cyber risks, most do not and are unlikely to develop those capabilities in the near term. Even those insurers that do have such technical capabilities are unlikely to have the bandwidth to handle a large number of policyholders or the expertise to cover cyber risks across a wide range of industries. It may be practical to require eligible policyholders to obtain a cyber-security audit or other certification administered by a qualified firm as a condition of applying for cyber coverage within the scope of the program.
· Moral Hazards — Moral hazard can be controlled through public transparency with respect to the cyber-insurance products sold by participating insurers. In general, admitted or licensed insurers are required to file their products and pricing methodologies with state insurance regulators who in turn make those documents available to the public. Requiring all products backed by a federal program to be filed with state regulators and available for public review will help to control exploitation of the program by participating insurers and sophisticated policyholders.
· Risk Sharing — The insurer’s share of liability under the program should be structured with a co-share element sufficiently large that the insurer is motivated to maintain underwriting, pricing, and claims management discipline. Such a co-share is typically thought to be at least 10%. The program’s industrywide loss triggering threshold and individual insurer deductibles should be structured in a manner to keep small industry events and smaller impacts on individual insurers outside of the program. The threshold and deductibles should be sufficiently high to encourage insurers to purchase private catastrophe reinsurance and to consider developing risk pools or other innovative risk sharing mechanisms. However, a deductible level that is too high risks overplaying the government’s hand as described above.
· Reinsurance and Capital Markets — Like surplus lines and nonadmitted insurers, reinsurers and alternative risk transfer mechanisms are generally outside of the jurisdiction of the insurance regulators of the states in which the reinsured risks are located. Given the remoteness from regulatory oversight and public opacity, reinsurance and alternative risk transfer mechanisms should not be permitted to directly participate in any taxpayer supported catastrophe insurance program. However, a sufficiently high program trigger and insurer deductible would leave adequate room for reinsurance and capital market solutions to develop.
· Funding — The singular advantage of a government-backed insurance mechanism is the ability to post-fund major loss events and in doing so spread the cost of those events onto a broad but appropriate base. A funding mechanism built on significant pre-funding of the risk of catastrophic loss undermines the very purpose of bringing government into the program. It is also useful to recall that private insurers are prohibited from building pre-event loss reserves under U.S. tax laws. Pre-event funding (whether paid to the government or private insurers) should be:
o Adequate to send accurate and meaningful economic signals to policyholders about the cost of the risk they create; and
o Limited to financing small to medium sized loss events in order to avoid the administrative and political burden of triggering an assessment or other tax.
Beyond that targeted pre-event funding, program funding should be centered on post-event assessments or other taxes levied in an administratively efficient manner upon those classes of taxpayers that benefit from the existence of the program.
· Evaluation and Data Collection — By way of reference, TRIP suffers from a disappointing lack of transparency to stakeholders. While FIO publishes an every-second-year Effectiveness report to Congress, limitations on FIO’s authority to collect data and publish data severely constrain the amount, quality, and granularity of data FIO is able to obtain and make available to Congress and the public. Neither the NAIC nor individual state insurance regulators appear to develop and make available to FIO, Congress, or the public detailed information about their own performance and activities with respect to the program. For example, there is no public list (or even a nonpublic list) of insurance companies participating in TRIP and no data on the extent to which individual participating insurers (including non-U.S. insurers) expose federal taxpayers to loss under the program. Given the extent of risk a meaningful cyber catastrophe program would shift onto U.S. taxpayers, FIO, Congress, and the public deserve a detailed understanding about who participates in the program, who their beneficial owners are, and how much risk they are shifting into the program, and an accounting by state insurance regulators as to the discharge of their responsibilities under the program.
· Limitations — Any cyber catastrophe insurance program should be limited to products that are regarded as “insurance” under both state and federal law. For example, certain alien and other nonadmitted insurers are developing and marketing parametric insurance relating to cyber exposures. In general, parametric contracts are swaps subject to the jurisdiction of the Commodity Futures Trading Commission and not insurance. Similarly, certain state laws define property insurance as insurance indemnifying against loss or damage to real or personal property and consequential loss or “upon such loss or damage.”
 Evaluating the Role of Insurance in Managing Risk of Future Pandemics, Kunreuther and Schupp, NBER Working Paper No. w28968 at page 6 (June 28, 2021).
 A Framework for Defining a Role for Insurance in “Uninsurable” Risks: Insights from COVID-19, Journal of Insurance Regulation, Kunruether and Schupp (Jan. 2022).
 See PRIA — Rewarding Risk Concentration, Jason M. Schupp (July 20, 2020).
 See TRIA Compliance Risks, Jason M. Schupp (July 26, 2020).
 CBI Comments submitted in response to Treasury’s Notice appearing at 87 FR 18473 (March 30, 2022); and TRIA Program Falls Short on NBCR, Jason M. Schupp (April 20, 2022).
 See TRIA Effectiveness Report: Terrorism Insurance Captives, Jason M. Schupp (July 26, 2020).
 See TRIA — Analysis of Treasury’s Modeled Loss Scenarios, Jason M. Schupp (Aug. 6, 2020).
 CBI Comments submitted in response to Treasury’s Notice appearing at 85 FR 23435 (April 27, 2020) and 86 FR 17265 (April 1, 2021).
 CBI Comments submitted in response to Treasury’s Notice appearing at 85 FR 23435 (April 27, 2020), 85 FR 71588 (November 10, 2020); 87 FR 18473 (March 30, 2022). See The Write Your Own Bailout Program (or Why TRIA Would Not Work for Pandemics, Jason M. Schupp (July 25, 2020).
 See Cyberterrorism Daunting Challenge for TRIA, Jason M. Schupp (May 3, 2022).
 See CBI’s Statement on PRIA to Congressional Subcommittee, Jason M. Schupp (Nov. 11, 2020).
 See A Call for Public Disclosure of Captive Arrangements, Jason M. Schupp (Nov. 13, 2020); and A Case for Captive Transparency, Jason M. Schupp (Dec. 1, 2020).
 See CBI’s Comments to FACI on Pandemic Risk Insurance, Jason M. Schupp (Sept. 17, 2022).
 See Transparency for PPP, Secrecy for PRIA, Jason M. Schupp (June 22, 2020).
 See Two Decades of the Terrorism Risk Insurance Program, Jason M. Schupp (May 2, 2022).
 See Secrecy Laws Leave Insurance Consumers Exposed, Jason M. Schupp (Feb. 19, 2021).
 See TRIA / PRIA Eligible Insurers include Subsidiaries of a Sanctioned “Communist Chinese Military Company”, Jason M. Schupp (April 13, 2021).
 See The Case for Transparency of Captive Arrangements, Jason M. Schupp (Nov. 17, 2020).
 7 USC § 16(h); 17 CFR § 1.3. See The Regulatory Environment for Parametric Insurance, Jason M. Schupp (July 20, 2021).
 See The Property Damage Prerequisite, Jason M. Schupp (July 16, 2020); and Pandemic Proposals Test the Boundaries of “Insurance”, Jason M. Schupp (Feb. 22, 2021).