A public-private cyber-catastrophe reinsurance arrangement would improve the UK’s resilience against the growing threat of cyber risks in an interconnected world, according to a recently released cyber report.

Because the current market for cyber insurance is limited, with significant gaps in coverage, the report explores how such a reinsurance scheme — similar to the UK’s Pool Re — could help secure the prosperity of an economy dependent on information & communications technology (ICT).

The study, which is titled “Promoting UK Cyber Prosperity: Public-Private Cyber-Catastrophe Reinsurance,” is sponsored by Long Finance, conducted by Z/Yen Group and co-sponsored by APM Group.*

The report noted that it is often difficult to buy cyber coverage for core risks, such as property damage, business interruption and third party liability, at a scale required by a financial institution or an online retailer. “Cyber threats will be more rapidly addressed if cyber insurance grows more rapidly. The cyber insurance market will not grow quickly enough to address the threats without speeding up the supply of reinsurance.”

Cyber Aggregation

The reason for such a dearth of coverage? The report indicated that it’s the systemic nature of cyber risk that makes the industry reticent to provide the needed capacity.

“Cyber risk has the potential to be the biggest, most systemic risk I have encountered in my insurance career,” said Stephen Catlin, executive deputy chairman of XL Catlin, who authored the foreword to the cyber risk study.

Risk aggregation could occur when one cyber event triggers multiple claims under different policies, such as reputational risk, property damage, professional indemnity, directors & officers, and errors & omissions, the report explained. Aggregation also could occur when “one cyber event triggers multiple claims by multiple clients under different policies.”

The report listed a group of cyber-risk issues that challenge insurability and market development, including: the lack of historical data and accurate cyber models; the risk of cyber aggregation; uncertainty about maximum probable losses; difficulties in pricing; uncertainty around what is covered (wording and exclusions); and the potential lack of adequate reinsurance capacity.

Fresh Approach Needed

The global and systemic nature of cyber risk “means that insurers are restricted in their ability to work with society to manage this risk,” according to Catlin’s comments.

While regulators expect re/insurers to be able to manage their balance sheets, Catlin explained that “our balance sheets are not large enough to pay for a true cyber-catastrophe. This is where a fresh approach to reinsurance will help insurers enter the market more rapidly and usefully.”

The insurance industry does not have the capacity to deal with a catastrophic cyber event, which “could potentially leave the UK exposed to catastrophic consequences,” the report concurred. “Risk mitigation through insurance and reinsurance seems to be below what would be necessary to mitigate cyber risk at the scale of the country, given the £2 billion [$3.1 billion] to £20 billion [$30.6 billion] single event estimates.”

The report said a cyber catastrophe does not have to be the result of a malicious act. For example, it added, a geomagnetic event, caused by a solar storm, could bring massive social and economic costs in the range of $1 trillion to $2 trillion a year, with recovery taking four to 10 years, depending on the damage.

It is only a matter of time until a cyber-9/11 event occurs, and most countries, including the UK, are ill prepared for the potential threats to their security and economy, the report warned.

Public-Private Scheme Explained

The majority of industry stakeholders who were interviewed for the study favored a government-funded cyber-catastrophe reinsurer, which would “rapidly provide clarity and certainty to the market.”

“Such a framework should provide the right coverage to the right people thus giving resilience and protection to the UK economy and supporting cyber prosperity,” the report continued.

The scheme could be run independently in the UK as a “Cyber Re,” or by extending the remit of the existing Pool Re. (Pool Re was formed in 1993 in cooperation with the UK government in the wake of the IRA bombing campaign on the UK mainland. It currently excludes damage to computer systems caused by virus, hacking and similar actions, so coverage would have to be extended.)

A public-private cyber catastrophe reinsurance scheme would only cover losses resulting from an event beyond a pre-determined excess point – which some of those interviewed suggested could be above £200 million ($305.8 million) per participant. “The scheme would in effect be a pool funded by the insurance industry, seeking its own further reinsurance and possibly issuing insurance linked securities such as a cyber-catastrophe bond for further cover,” the study explained.

The UK government’s role would be as a last resort insurer – but only in the event that industry retentions and the scheme’s reserves are exhausted.

Such a scheme would provide “a way to help industry, insurers and government pull together to manage this huge risk on UK plc’s balance sheet by supporting more objective pricing of risk through premiums,” the report said. “The scheme does so by encouraging appropriate information sharing, standards and best practice alongside insurance-based incentives for investment in protection.”

Finally, the report said, the interconnected nature of ICT infrastructure and the internationalization of supply chains illustrate the global exposure of cyber risk. “Thus, a coordinated approach towards mitigating cyber catastrophic risk should not only rely on public-private cooperation within the UK but should consider international cooperation as well.”

The report listed essential points of the proposed scheme, which would start to address the risk management needed to mitigate cyber catastrophes in the UK:

  • The scheme should provide more standardized wordings, linking cyber catastrophe to the policies members write, and more standardized data collection for analytical purposes;
  • The scheme should promote the use and evolution through learning of ICT security and risk management standards such as Cyber Essentials in the UK and ISO 27000;
  • Insurance regulators should strongly encourage membership of such a scheme by insurers providing cyber cover;
  • Members should jointly seek reinsurance for a cyber catastrophe, including consideration of cyber-catastrophe linked securities;
  • The UK government should facilitate, but not underwrite, the scheme’s reinsurance; government oversight could help the issuance of cyber-catastrophe linked bonds, while government permission to extend the Pool Re concept to cover cyber catastrophe, by use of a separate scheme under the same management, would speed the scheme’s growth;
  • Government and regulators should encourage cyber insurance for essential services and critical national infrastructure, including financial services, and incorporate cyber insurance in government procurement processes.

*The findings in the report are based on more than 80 interviews carried out between May and July 2015, of which more than half were re/insurance industry professionals.