TRIP May Not Cover Most Cyberattacks

The Government Accountability Office has issued a warning. The government’s Terrorism Risk Insurance Program (TRIP) cover cyberattacks if they can be considered “terrorism,” but “cyberattacks don’t necessarily meet the program’s criteria to be certified as terrorism. Attacks must be “violent or coercive in nature” to be certified, the GAO said. The question of how to label a cyberattack is central to insurability in the private market as well. For example, some of the most egregious attacks have been attributed to hostile governments rather than private actors, and several insurers have cited those attributions to avoid paying on policies that don’t cover “acts of war.” The GAO recommends that the Cybersecurity and Infrastructure Security Agency (CISA) work with the Director of the Federal Insurance Office to “produce a joint assessment for Congress on the extent to which the risks to the nation’s critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response.”