Researchers warn OT attacks could swamp cyber insurance
The backstop debate is really about correlation: one industrial failure can turn underwriting categories into one shared balance-sheet problem.
TL;DR
Inside Cybersecurity reports that researchers and insurance stakeholders used the June 10 Cyber Safety Summit to press the case for a federal cyber insurance backstop. The focus was operational technology: a single OT failure could trigger property, business interruption, cyber, liability and environmental claims. Critical infrastructure owners, insurers and Treasury would feel the result. The market can price many bad incidents; systemic OT loss is the part it still wants Washington to absorb.
Inside Cybersecurity reports that the June 10 Cyber Safety Summit panel put operational technology at the center of the federal cyber insurance backstop argument. Gerry Kennedy of Observatory Strategic Management framed the problem plainly: a single OT failure can create property losses, business interruption losses, cyber losses, liability claims and environmental claims. That is not a neat cyber policy event. It is a pileup across lines of coverage that insurers usually model separately.
Nick Leiserson, a former Office of the National Cyber Director official now at the Institute for Security and Technology, is pushing a federal reinsurance approach tied to reauthorization of Treasury’s Terrorism Risk Insurance Program, which he said is set to lapse in fiscal 2027. He told Inside Cybersecurity the market faces two problems: exclusions that remove coverage, and systemic risk where coverage exists but capacity may not survive many simultaneous claims. The proposed answer is familiar because it is the same shape as the terrorism backstop: the government pays a portion of claims above some threshold.
There is an honest policy question here, and it is not whether OT attacks are bad. GAO said in 2022 that cyber insurance and the Terrorism Risk Insurance Program are limited in their ability to cover potentially catastrophic losses from systemic cyberattacks, and recommended that Treasury and Homeland Security assess whether a federal response is needed (https://www.gao.gov/products/gao-22-104256). The harder question is what the government demands in exchange for taking tail risk off private balance sheets. If exposed OT assets create the aggregation risk, a backstop without measurable security conditions becomes a subsidy for bad asset management.
For practitioners, nothing changes Monday from a summit panel. But the direction matters. If Congress eventually takes up a cyber backstop through TRIP reauthorization, insurers and critical infrastructure operators should expect the fight to move quickly from abstract market capacity to evidence: internet-exposed OT, loss modeling, exclusions and the controls that justify federal participation.
Published ·Deep Fathom