When a bank fails, as with California-based Silicon Valley Bank in March 2023, the federal government steps in to cover depositors’ losses up to at least $250,000.

National Flood Insurance covers people and businesses affected by major flooding.

And since 9/11, the U.S. Terrorism Risk Insurance Program reimburses insurers for certain losses resulting from an act of terrorism.

Meanwhile, internet crime has soared. Between 2018 and 2022, complaints to the FBI more than doubled to over 800,000, and potential losses nearly quadrupled to $10.3 billion.

Although companies can buy private cyber insurance, participation is voluntary, and many companies forgo coverage due to high premiums, coverage exclusions or other reasons. If there is a catastrophic incident, no national cyber insurance program exists to cover damages.

John T. Harvey, the Hal Wright Professor of Economics at TCU’s AddRan College of Liberal Arts, said a protective plan is overdue.

In an article published by the Army Cyber Institute, Harvey makes the case that federally sponsored insurance should cover an organization’s losses from major online crimes, from electronic theft to a ransomware attack.

“I don’t think the average person understands how vulnerable the United States is to cyberattacks from countries like China and Russia and terrorist organizations,” TCU’s John T. Harvey said.

“I don’t think the average person understands how vulnerable the United States is to cyberattacks from countries like China and Russia and terrorist organizations,” Harvey said. “Economies and national defense systems exist increasingly on the internet, an existence that’s continuously vulnerable to attack, intrusion and theft.”

A cyberattack could threaten “our ability as individuals to enjoy the standard of living we do,” Harvey said. Americans, for example, might lose access to electricity, water or gas if the technology behind those utility grids is attacked.

Already, millions of Americans have received a notice along the lines of “Your personal information may have been compromised” as cybercriminals have infiltrated major companies, including Capital One, Equifax and Facebook, and public entities such as hospitals and schools.

“We must absolutely get serious about protecting ourselves,” Harvey said. “Because our commitment to individual freedom prevents us from simply mandating nationwide standards and practices, we need to be creative. National cyber insurance represents that creative solution.”

FACTS AND FOLKSY WISDOM

Past proposals for national cyber insurance have called for expanding the Terrorism Risk Insurance Program or replicating the Insurance Institute for Highway Safety, a nonprofit focused on reducing automobile crashes and related insurance losses through data analysis and education.

Those proposals have languished, but Harvey has a viable solution.

Calling himself a cowboy economist who provides folksy wisdom, Harvey takes pride in making complex economic concepts understandable for the average person. He has taught at TCU for 36 years.

Harvey suggests modeling a national cyber insurance program on the Federal Deposit Insurance Corp., which covers deposits up to at least $250,000 if a financial institution fails. He would call it the Federal Cyber Insurance Corp., or FCIC.

Harvey said he sees similarities in risks and vulnerabilities between cybersecurity today and banking during the Great Depression, when 9,000 banks failed, erasing $7 billion in depositors’ money. In 1933, the U.S. government created a deposit insurance corporation to protect consumers’ funds in banks and safeguard the entire financial system.

Similarly, federal cyber insurance would cover companies’ losses from major cyberattacks. Harvey said policies wouldn’t need to be mandatory because market forces would create an incentive for organizations to join.

“That’s exactly what happened with the FDIC,” Harvey said. “Banks rallied against it at first, but then everyone wanted to join because it was used to market the safety of a bank.”

OFFERING A CARROT

Harvey proposes that the federal government fund the FCIC. He estimates the expenses would add about 3 percent to the annual budget, or about $192 million today.

The federal government is the only entity that can afford to pay for such a program and coordinate all of the moving parts, Harvey said. “This is not something we leave to the private sector; see how well that worked out with health care.”

TCU economics professor John T. Harvey suggests modeling a national cyber insurance program on the Federal Deposit Insurance Corp., which covers deposits up to at least $250,000 if a financial institution fails. Photo by Rodger Mallison

National cyber insurance must be a coordinated effort, he said, which wouldn’t be easy among rival insurers whose aim is to turn a profit.

Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said Harvey’s idea is interesting, but she remains cautious. “I don’t think [national] cyber insurance should be a get out of jail free card for some of the security steps that should be done at organizations.”

Harvey expects the opposite would happen. His proposal calls for data sharing, monitoring, employee training and other measures to be required conditions for FCIC coverage.

Tom Gann, chief public policy officer for cybersecurity company Trellix, said a national cyber insurance program makes sense.

“There’s a need for it,” he said, while raising some caveats. “You want to make sure the federal government’s level of exposure is rational,” he said. Any program “should have guardrails.”

REINING IN RISK

Harvey said cybersecurity is a question of national security.

“It’s not about insurance. The insurance program would be a carrot to get companies to follow best practices and share information they’re not voluntarily sharing.”
John T. Harvey

The U.S. government has warned that bigger and bolder cybercrimes present increased national and public security risks to critical infrastructure, such as electric grids and information systems, including those at hospitals, and even presidential elections.

Last year the U.S. government upgraded ransomware attacks to a national security threat. Hackers ensnared Colonial Pipeline Co. in a ransomware attack in 2021, which led to interrupted fuel deliveries and gas shortages along the East Coast. Cybercriminals also caused JBS USA, one of the nation’s biggest meatpackers, to shut down production temporarily in 2021. JBS paid an $11 million ransom. Colonial paid $4.4 million.

More than 88 million Americans were affected by data breaches in 2023, up 60 percent from 2022, the U.S. Department of Health and Human Services reports.

“The real goal of the FCIC is to get businesses and other institutions to follow practices that make them safer from cyberattacks,” Harvey said. “If [a company’s insured] losses were actually consumer losses, then that could certainly be passed on. But if the firm is being safer, then the consumer is protected, too.”

Data sharing is the crux of the package.

“It’s not about insurance,” Harvey said. Since the FCIC would ask companies “to give up considerable control and information, you have to offer a carrot of some sort. The insurance program would be a carrot to get companies to follow best practices and share information they’re not voluntarily sharing.”

THE FUTURE

While the $7.2 billion private cyber insurance market has grown, many companies aren’t covered. A report by Marsh, the world’s largest insurance broker, reports only about a third of its clients buy cyber insurance.

Cybersecurity Ventures projects the cost of global cybercrime damages, including ransomware, will reach $10.5 trillion by 2025, up from $3 trillion in 2015.

In the face of such challenges, the federal government is starting to pay more attention to cybersecurity — and renewed interest is brewing in federal insurance for cybercrimes. Per a U.S. Government Accounting Office recommendation, the Treasury and Homeland Security departments are studying the risks for the country’s critical infrastructure and assessing a potential federal response for cyberattacks. Harvey stresses acting now, rather than waiting until disaster occurs.

“It’s really about a coordinated national plan for cyberdefense,” Harvey said. “A federal cyber insurance would be part of that.”