June 24, 2022

GAO Report Recommends DHS and Treasury Assess Federal Response to Cyber Attacks

Key Takeaways

  • The report notes the potential financial exposures from these risks warrant a federal insurance response.

In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury's (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant a federal insurance response, and to inform Congress of the results of their assessment. CISA is the primary risk advisor on critical infrastructure, and FIO is the federal monitor of the insurance sector.

The GAO prepared this report pursuant to the Terrorism Risk Insurance Program Reauthorization Act of 2019, which, among other things, directed the GAO to conduct a study on: (1) the risks and potential costs of cyberattacks to U.S. public and private infrastructure; (2) whether states' definition of cyber liability under a property and casualty line of insurance is adequate coverage for an act of cyber terrorism; (3) whether such risks can be adequately priced by the private market; and (4) whether the risk-share system established under the Terrorism Risk Insurance Act of 2002, which created the Terrorism Risk Insurance Program (TRIP), is appropriate for covering cyber terrorism events.

In the report, the GAO highlighted the significant and growing cybersecurity risks facing U.S. critical infrastructure and examined how the insurance market against cyberattacks is evolving, often in a way that means less coverage against potentially catastrophic financial losses. The report noted that although cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware, private insurers have been taking steps to limit their potential losses from cyberattacks with systemic effects. Coverage under TRIP, which requires the federal government to share certain insured losses with private insurers in the event of an act of terrorism, is limited to attacks that meet certification criteria specified by the program, among other requirements. As the GAO notes, even very large cyberattacks on critical infrastructure resulting in catastrophic losses and risk to national security might not be covered if they do not meet all the certification criteria. For example, one criterion is that the event must be a "violent act or an act that is dangerous" to human life, property, or infrastructure. Even though a data breach or denial of service attack may result in stolen data or IT system disruption, it may not necessarily be a violent act or dangerous to human life, property, or infrastructure. To date, the federal government has not certified any such acts of terrorism.

The report also noted that while CISA and FIO have taken some steps to understand the financial implications of cyber risk, neither agency has fully assessed the extent to which the risks to the nation's critical infrastructure from catastrophic cyber incidents, and the potential financial exposures from these risks, warrant a federal insurance response. In their comments to the report, both DHS and Treasury agreed with the GAO's recommendation to work together to produce such an assessment for Congress. DHS stated that it would review the aggregate data generated by incident disclosures under the Cyber Incident Reporting for Critical Information Act of 2022 (previously discussed here), once available, and work with Treasury in the interim to determine other data needed. Treasury confirmed that it had reached out to DHS to begin collaboration on this effort.
