Cybersecurity: Action Needed to Investigate Federal Response to Threats

What GAO found

US infrastructure (such as utilities, financial services, and pipelines) is facing increasing cyber threats. Understanding these risks, including the vulnerabilities, threats, and impacts, is critical to protecting critical infrastructure.

Cybersecurity Vulnerabilities, Threats, and Impacts

Vulnerabilities. Critical enterprises are increasingly vulnerable to cyber attacks for reasons that include the widespread use of interconnected electronic systems.

Threats. Threat actors, such as governments, criminal groups, and terrorists, have become increasingly capable of conducting cyber attacks on critical infrastructure.

Impacts. Federal and industry data indicate that cyberattacks, including those affecting critical infrastructure, are on the rise in frequency and cost.

Source: Original GAO report and GAO analysis of agency and industry data.

The effects of a cyber crisis can spill over from the original target to economically connected companies, increasing the economic damage. For example, in May 2021 the Colonial Pipeline Company learned that it was the victim of a cyberattack that caused a temporary shortage of gasoline.

Cyber insurance and the Terrorism Risk Insurance Program (TRIP), the government's protection for losses from terrorism, are both limited in their ability to cover potential risks from cyber attacks. Cyber insurance can reduce costs from some of the most common cyber threats, such as data breaches and ransomware. However, private insurers are taking steps to limit their losses from cyber attacks. For example, insurers do not cover losses from cyber warfare and property damage. TRIP covers losses from cyber attacks if they are acts of terrorism, among other requirements. However, cyber attacks may not meet the program's criteria to be considered terrorism, even if they result in serious damage. For example, attacks must be coercive or violent in nature in order to qualify.

The Department of the Treasury's Federal Insurance Office (FIO) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) have already taken steps to understand the financial effects of growing cyber risk. However, they have not assessed the extent to which large-scale impacts on critical infrastructure from cyber threats, and the associated financial risks, warrant a federal insurance response. CISA is the primary risk advisor on critical infrastructure and FIO is the federal watchdog of the insurance sector. Accordingly, they are well positioned to do such a review together. Doing so and reporting the results to Congress can inform the debate over whether a federal insurance response is appropriate.

If such a response is deemed necessary, the framework GAO established for providing federal assistance to private market participants (GAO-10-719) can help inform its design. The framework notes the need to clarify the problem, reduce moral hazard (the presence of a federal backstop can lead organizations to take on more risk), and protect the interests of taxpayers. In line with these elements, any federally mandated insurance policy should include clear guidelines for coverage, specific coverage requirements, and specific funding requirements, with consent from all market participants.

Why GAO conducted this study

Cyber threats to many industries represent a major economic challenge. Although cyber risk is partially covered by the private insurance market, the rise of cyber threats has caused uncertainty in this market.

The Supplemental Security Appropriations Act, 2020, includes a provision for the GAO to study cyber risks to US infrastructure and insurance options for these risks. This report examines the extent to which (1) cyber risk to critical infrastructure exists; (2) private insurance covers cyber losses and TRIP provides a backstop for such losses; and (3) a federal agency has investigated a federal response to cyberattacks.

GAO reviewed literature and reports on cyber risk and the insurance market. GAO interviewed CISA and FIO officials and stakeholders (e.g., owners of critical infrastructure, insurers, and business owners) selected based on factors such as expertise and market share.
