Thoughts on a Federal Cyber Insurance Backstop
Security is a Team Sport


As a strong supporter of the recent U.S. National Cybersecurity Strategy and its implementation, Microsoft is working alongside our customers and partners to advance the Strategy's objectives.

We believe the Strategy raises an important conversation about the potential for a catastrophic cyber incident to destabilize the economy and about the role of the Federal government in mitigating that risk. In the most basic terms, a catastrophic cyber incident is a cyber-attack that results in large economic costs across multiple entities. For example, the 2021 cyber-attack on Colonial Pipeline caused gasoline shortages for a short period of time, but had the shortages lasted longer, the economic consequences could have been far more wide-reaching.

We support the Administration’s efforts to increase the nation’s capacity to respond to a catastrophic cyber incident, including the Strategy’s call to explore a federal cyber insurance backstop. The goal of a federal backstop is, in essence, proactivity: putting a program in place before an incident occurs, to provide certainty to markets and bolster national resilience, rather than rushing to act after an incident occurs. Proponents of a backstop argue that it would enable insurers to extend cyber coverage to more entities, because the risk of catastrophic losses would be transferred to the federal government, and that expanded coverage would in turn drive widespread improvement in cybersecurity risk management, because insurers would stipulate better security controls as a condition of coverage.

The federal backstop proposal is a meaningful concept, and in considering it we think critical questions about efficiency, fairness, and security should be discussed.

In exploring the federal cyber insurance backstop, we think the government should establish comprehensive risk analysis, ensure that insurance incentivizes cyber risk reduction, and evaluate the suitability of a federal backstop against alternative solutions.

  1. Develop Data-driven Risk Analysis: The government should lead a comprehensive effort to define, collect, and analyze the relevant information to create a rigorous, data-driven understanding of the risk. The data will increase clarity about where markets are failing to efficiently handle catastrophic risk and which interventions will be most effective. For example, if the risk of a catastrophic incident is greatest within particular critical infrastructure sectors, such as the financial or energy sector, policymakers might consider limiting the federal backstop to those sectors. A Cyber Statistics Bureau, as recommended by the Cyberspace Solarium Commission’s report, would be well situated to conduct this analysis, but even without the Bureau, government could bring together ongoing efforts across multiple universities, international institutions, nonprofits, insurance providers, tech companies, and other private sector stakeholders.
  2. Ensure Insurance Reduces Cyber Risk: In general, a federal backstop may result in broader insurance coverage, reducing risk across the board because insurers will require customers to invest more in cyber risk management. However, a federal backstop could also have unintended consequences. Insurers’ increased business opportunity and competition could incentivize them to lower cybersecurity standards in order to win new business. Insurance customers may also choose to reduce cybersecurity investments and rely on their insurance policy to absorb the financial risk of an incident. A federal backstop proposal, therefore, will need to include effective minimum security requirements for policies eligible for the backstop in order to counter these risks.
  3. Evaluate Alternative Solutions: The government should openly evaluate the federal backstop against alternative solutions that may help manage catastrophic cyber risk. A federal cyber disaster relief fund, similar to the FEMA disaster relief fund, could be established to directly fund impacted entities instead of backstopping insurance losses. This approach would provide greater flexibility in responding to impacts that fall outside the scope of insurance coverage. Other jurisdictions, including the European Union, are also considering establishing a “Cyber Emergency Mechanism” to support crucial sectors with incident response services and mutual assistance across Member States.

As we grapple with these complex issues, one thing is clear: collaboration is key.

At Microsoft, we believe cybersecurity is a team sport. Our commitment to tackling cybersecurity risks and promoting digital peace is unwavering. One example of our dedication to this cause is our ongoing contribution to the Carnegie Endowment for International Peace’s Cloud Reassurance Project. As part of this project, we are working with an array of stakeholders to assess the effect of cloud adoption on aggregate risk. This work allows us to proactively shape the future of cybersecurity, fostering a safer digital world for all.

In the face of cyber threats, we stand united with the broader community of defenders. Through shared knowledge, concerted effort, and a steadfast commitment to cybersecurity, we can collectively build resilience against even the most catastrophic cyber risks. Together, we are shaping a more secure and resilient digital future.


Hope Frank

Global Chief Marketing & Growth Officer, Exec BOD Member, Investor, Futurist | AI, GenAI, Identity Security, Web3 | Top 100 CMO Forbes, Top 50 Digital /CXO, Top 10 CMO | Consulting Producer Netflix | Speaker

2 weeks

Ann, thanks for sharing! How are you doing?

Reply

Ann Johnson

Absolutely! Cybersecurity is a collective effort, and unity is our strongest defense. By sharing knowledge and working together, we can fortify our digital world against ever-evolving threats. This commitment to resilience is what paves the way for a safer digital future. Let's keep collaborating and securing our digital landscape!

Reply
Yakir Golan

CEO & Co-founder at Kovrr | Cyber Risk Quantification

1 year

Thanks for sharing, Ann Johnson. Cyber insurers' capacity is definitely lacking. If you survey a random set of enterprises, you'll find even the most complex insurance towers won't match their ideal cyber insurance coverage. Insurance books are filled with policies exposed to catastrophic events in general, but cyber catastrophes present a new, unique challenge, holding back many major market insurers from providing the necessary capacity. A governmental backstop is one of the many needed vehicles to remedy this urgent issue. And I have to agree that it must include "protection" measures to preserve both the insurer's risk selection processes and the insured's continuous risk monitoring and mitigation efforts, ensuring neither party becomes lax with the "promise" of insurance coverage and backstop. There are many avenues to make sure this capacity exists within the market. Happy to chat with whoever is interested in the topic!

Gary Warner

UAB Computer Forensics / DarkTower Threat Intelligence

1 year

Glad to see some push back in favor of responsible risk reduction. Sadly much of cyber insurance has resulted in an attitude that we don’t need to be aggressive in our cyber security posture because we have insurance!

Brian Waltermire

Helping small and medium businesses financially protect themselves from cyberattacks with easy and embedded cyber warranties.

1 year

Let's go with #2. As with any gov't backstop, major unintended consequences will eventually appear and hold more dire consequences than the underlying condition pre-backstop. Think how the FDIC / Fed bailouts allow banks to take catastrophic risks only to pass on losses to taxpayers when they blow up. While the conversation is important, any backstop would inherently increase risk taking; translation: fewer cyber protections, because, hey, why does it matter, someone else is on the hook.
