The country and industry are not prepared for the aftermath of a catastrophic cyber-attack as insurance companies have neither the data to evaluate the risk nor the reinsurance markets which are prepared to underwrite it.
Further complicating the insurance landscape is the lack of government support for a reinsurance scheme of the type that exists for terrorism (Pool Re in the UK and TRIA in the US) and flooding (Flood Re).
Fortunately, the likelihood of such an eventuality is seen as remote given that the difficulties of launching a successful attack that could bring down an economy are actually greater than most hype suggests.
These are among the findings of the Long Finance research project announced yesterday, which sought to explore how cyber-catastrophe reinsurance might help mitigate cyber-risk, establish some evidence of the appetite for such reinsurance and examine how government might best provide support for the establishment of an efficient free-market solution (Promoting UK Cyber Prosperity: Public-Private-Catastrophe Reinsurance, sponsored by APM Group, Tori Global and Z/Yen Group).
It concludes that a public-private cyber-catastrophe reinsurance scheme could help secure ICT-based prosperity in the UK by helping the industry insure itself and others. In the Q&As it was agreed that extending Pool Re to cover cyber would also be a viable option, as the government would be left to fund recovery in such a situation anyway, so acting as an insurance guarantor would not entail undue additional risk.
The report also calls for a more uniform approach to cyber-insurance, with more standardised wording of policies, more standardised data collection for analytical purposes, and promotion of developing ICT security and risk management standards such as Cyber Essentials, ISO 27000, NIST, or CESG's 10 Steps.
Martin Huddleston, principal cyber solutions architect, DSTL, explained to SCMagazineUK.com that models incorporating these standards had been created to provide objective measurement of likely risk. Members were encouraged to jointly seek reinsurance for a cyber-catastrophe, including consideration of cyber-catastrophe linked securities.
Government should facilitate but not underwrite these, says the report, and government oversight of the scheme's reinsurance could help the issuance of cyber-catastrophe linked bonds. Government and regulators were urged to strongly encourage cyber-insurance for essential services and critical national infrastructure, including financial services, and to incorporate cyber-insurance in government procurement processes.
The insurance industry was seen as having a role to play in setting benchmarks for best practice, and in the absence of actuarial data, information sharing was again encouraged, as well as government-private sector partnerships.
Adrian Leppard, commissioner, City of London Police, told delegates: “With cyber-crime, threats come from the internet, which is unregulated, and traditional approaches to crime - border control, law enforcement, conventional policing, targeting and arresting the criminals - are not going to be effective... At the heart of the threat, whether criminals, foreign espionage, or hackers, is information access. Insurance has the potential to drive standards for information security that can protect our society and we, the government (law enforcement and science), are very keen to work with business to help it grow and support this industry.”
Professor Michael Mainelli, executive chairman, Z/Yen Group Limited, a co-author of the report, confirmed: “We've had an immense amount of support from the insurance industry and government.”
In his presentation Mainelli went on to explain the current nature of cyber-insurance, and then compare this with the potential scale of a catastrophic threat: “Most cyber-insurance is investigation response and remediation. Breach cover is a simple form – in the US, say, you are required to notify 10 million customers, it costs US$5 (£3.20) to post so you insure for US$50 million (£32 million), which is straightforward. There is also consultancy cover. But these are not the real big areas of real physical damage, business interruption or disruption. Next is third-party liabilities – customers, employees, shareholders. Then loss of IP – valuable or needed to do the job – and reputational loss which are going to be more difficult to do anything about, and difficult for reinsurance to define the types of loss.
“There is a framework of cyber-threats produced by the Cambridge Centre for Risk Studies (report p15), like a Richter scale to define the magnitude of cyber-events – and an event of magnitude four is where we are looking – immense economic disruption typically conducted by a security agency or mafia-level criminal group, or magnitude five would be intense military-level interference. These are against known threats. But defining cyber-catastrophe is difficult. It's not always from a cyber-attacker – e.g. the Carrington event, a solar storm of 1859 which fried telegraph copper cables. If something like that hit our delicate phone transistors... the US estimate for that event is approximately US$2.6 trillion (£1.7 trillion) worth of damages. The GPS industry, which would be blown out, is a one billion dollar industry on its own. So we are looking at that four or five magnitude event, going beyond any insurable capacity. For comparison, 9/11 losses were US$32 billion (£20.5 billion) and Hurricane Katrina losses were US$80.3 billion (£51.5 billion).”
However, surprisingly, Mainelli said they had started out thinking it was essential to have the government as the insurer of last resort and ended up thinking it would be a ‘nice to have’, as there is a lot industry can do with government support without the government having to put up any money. But this would likely require government support such as requiring companies bidding for government contracts to have cyber-insurance.
In advice to insurers themselves, Tom Bolt, director of performance management, Lloyd's, advised that they confirm cyber-insurance is not included in ‘all-risks’ policies but forms part of specialist policies – which would also ensure that companies who wrongly think they are already covered, but are not (due to standard exclusion clauses), get appropriate insurance.
Bolt explained that insurance is about charging the right price, so insurers need to understand aggregations of risk. He said that it's important that Lloyd's provides cyber protection – it currently has about 15 percent of the world cyber-protection market – adding: “We're further ahead on breach response cover than others, which we also think are equally important, such as physical damage, which we are calling a Malicious Electronic Event.
“You'll see some moves out of Lloyd's in the near term to try and clarify (what is covered). You cover it or you don't, and if you do there are clear limits so we can make sure we can meet our obligations.
“In addition to moving for clarity, another key thing we are doing is paying for our datasets – we'd like better knowledge. People are reluctant to report breaches,” he said.
He concluded: “If you know what your exposures are it's surprisingly easy to get reinsurance. Swiss Re said earlier this year that it is excluding cyber. If we could tell them, ‘this is the exposure,’ then it will be easier to get the cover.”