Building a Cyber Insurance Backstop is Harder than it Sounds

This article explores the possibility of a federal cyber insurance backstop to support cyber insurance companies who cannot afford to pay cyberattack claims. The authors focus on the $700 million dollar claim made by Merck in 2017, which resulted from a state-led cyberattack. They compare the insurance backstop to existing models such as the Terrorism Risk Insurance Act. However, clarifying cyberattack characteristics, such as risk, impact, and attribution remains difficult. Correctly constraining and defining organization’s role in cyber insurance makes the initial definition crucial to reduce unforeseen costs to the government. Further issues arise regarding a backstop’s inadvertent incentive to not have solid cyber hygiene. The authors explore the different arguments for and against a cyber insurance backstop and further emphasize investments in cyber hygiene before the federal government implements a backstop.