Treasury’s ACRSM Meets

The Department of the Treasury’s Advisory Committee on Risk-Sharing Mechanisms met Feb. 1 focusing entirely on cyber insurance, a timely and relevant topic given NAMIC’s belief that a federal mechanism is coming this year.

At the meeting, the committee focused on the Federal Insurance Office’s work related to consideration of whether a potential federal insurance response to catastrophic cyber loss to U.S. critical infrastructure is warranted and its implications for the Terrorism Risk Insurance Program. There was also a discussion with major cyber modeling firms on the current state of cyber modeling, including the modeling of catastrophic events and the potential impact of such events upon TRIP. A presentation was given from an insurance rating agency on how it evaluates cyber insurance risk in its considerations and how the existence of programs such as TRIP factor into that evaluation.

The meeting opened with an introduction and update on recent activities – security upgrades to the TRIP Claims System, reauthorization of TRIP Claims System forms and processes, and calculation of the insurance marketplace aggregate retention amount for 2024 – in addition to upcoming activities. When discussing terrorism and cyber risk modeling, FIO representatives shared that they are in the process of “installing a cyber risk model that will permit it to model the impacts of various cyber terrorism events and cyber incidents.”

The panel consisting of the modeling firms Cybercube, Guidewire, and Moodys, discussed the frequent comparisons of natural catastrophes to cyber insurance and how the two should not be linked. Natural catastrophes have decades of modeling and hundreds, if not thousands, of data points, while cyber has only 10 years of modeling history, the number of data points is not the same. Every cyber incident is unique to the actor and no cyber-attack follows the same attack path.

During the next discussion, representatives from AM Best shared that it is working on a cyber insurance survey/questionnaire to its top 60 companies and acknowledged that it was still in a fact-gathering stage. Best, they said, is not scoring “performance” but measuring cyber and ascertaining the overall business position. This questionnaire would include topics such as enterprise risk management and cyber strategy, company profile, and performance in addition to evaluating the balance sheet.

The most notable part of the presentation was the update from FIO on the assessment and next steps. FIO reported that it has completed the initial phase of work on the potential federal insurance response and that it has begun undertaking which appropriate form of a federal insurance response would be warranted. This Phase 2 is in coordination with the federal Cybersecurity and Infrastructure Security Agency and the Office of the National Cyber Director.