Can cyber-catastrophes be insured against?
Cyber-insurance: Government support to encourage reinsurance, along with quantification of risk, would make cover for cyber-catastrophe a more viable option, says research.
Some things can't be insured against
The country and industry are not prepared for the aftermath of a catastrophic cyber-attack, as insurance companies have neither the data to evaluate the risk nor access to reinsurance markets prepared to underwrite it.
Further complicating the insurance landscape is the lack of government support for a reinsurance scheme of the type that exists for terrorism (Pool Re in the UK and TRIA in the US) and flooding (Flood Re).
Fortunately, the likelihood of such an eventuality is seen as remote given that the difficulties of launching a successful attack that could bring down an economy are actually greater than most hype suggests.
These are among the findings of the Long Finance research project announced yesterday, which sought to explore how cyber-catastrophe reinsurance might help mitigate cyber-risk, establish some evidence of the appetite for such reinsurance, and examine how government might best support the establishment of an efficient free-market solution (Promoting UK Cyber Prosperity: Public-Private-Catastrophe Reinsurance, sponsored by APM Group, Tori Global and Z/Yen Group).
It concludes that a public-private cyber-catastrophe reinsurance scheme could help secure ICT-based prosperity in the UK by helping the industry insure itself and others. In the Q&As it was agreed that extending Pool Re to cover cyber would also be a viable option: since the government would be left to fund recovery in such a situation anyway, acting as an insurance guarantor would not entail undue additional risk.
The report also calls for a more uniform approach to cyber-insurance, with more standardised phrasing of policies, more standardised data collection for analytical purposes, and promotion of developing ICT security and risk management standards such as Cyber Essentials, ISO 27000, NIST, or CESG's 10 Steps.
Martin Huddleston, principal cyber solutions architect, DSTL, explained to SCMagazineUK.com that models incorporating these standards had been created to provide objective measurement of likely risk. Members were encouraged to jointly seek reinsurance for a cyber-catastrophe, including consideration of cyber-catastrophe linked securities.
Government should facilitate but not underwrite these, says the report, and the scheme's reinsurance/government oversight could help the issuance of cyber-catastrophe linked bonds. Government and regulators were urged to strongly encourage cyber-insurance for essential services and critical national infrastructure, including financial services, and to incorporate cyber-insurance in government procurement processes.
The insurance industry was seen as having a role to play in setting benchmarks for best practice, and in the absence of actuarial data, information sharing was again encouraged, as well as government-private sector partnerships.
Adrian Leppard, commissioner, City of London Police, told delegates: “With cyber-crime, threats come from the internet, which is unregulated, and traditional approaches to crime - border control, law enforcement, conventional policing, targeting and arresting the criminals - are not going to be effective... At the heart of the threat, whether criminals, foreign espionage, or hackers, is information access. Insurance has the potential to drive standards for information security that can protect our society, and we, the government (law enforcement and science), are very keen to work with business to help it grow and support this industry.”
Professor Michael Mainelli, executive chairman, Z/Yen Group Limited, a co-author of the report, confirmed: “We've had an immense amount of support from the insurance industry and government.”
In his presentation Mainelli went on to explain the current nature of cyber-insurance, and then compared this with the potential scale of a catastrophic threat: “Most cyber-insurance is investigation, response and remediation. Breach cover is a simple form – in the US, say, you are required to notify 10 million customers, it costs US$5 (£3.20) to post, so you insure for US$50 million (£32 million), which is straightforward. There is also consultancy cover. But these are not the real big areas of real physical damage, business interruption or disruption. Next is third-party liabilities – customers, employees, shareholders. Then loss of IP – valuable or needed to do the job – and reputational loss, which are going to be more difficult to do anything about, and difficult for reinsurance to define the types of loss.