How London can turn the cyber-attack onslaught into an opportunity
Whether it be the spectre of terror attack or catastrophic flood, reinsurance pools across the globe have historically been developed to handle the kind of risk judged too great for the insurance industry to bear alone.
When the IRA bombed the Baltic Exchange in 1992, the scale of physical damage to buildings in the City was so colossal that re-insurers began swiftly to withdraw terrorism cover from their policies, leaving the property of many firms completely uninsured against future attack. Had another bomb followed, the inability of companies to sustain the losses would have caused far wider economic repercussions. In response, the government set up Pool Re, a partnership with insurers that pooled premiums into a single pot, backed up by government guarantee should it be insufficient to cover losses from a terrorist outrage.
Similarly, an increased incidence of flooding in the UK over the past 15 years, culminating in the devastating floods of 2013, caused many insurers to withdraw universal flood cover, leaving the most exposed households unable to secure affordable insurance. Government accepted the case for stepping in and this month launched Flood Re, which offers subsidised cover to the 350,000 homes at highest flood risk via a levy on all purchases of household insurance.
Both schemes no doubt have their imperfections. But in plugging specific insurance gaps, they make communities and the economy more robust in the face of large-scale threats, encouraging commercial insurers back to the market and giving other firms the confidence to grow. But threats evolve and government must stand ready to seal off any future gaps in cover – ideally this time before rather than after a catastrophic event has taken place.
The most obvious area in which our businesses and infrastructure remain exposed, as I have highlighted before in City A.M., is cyber-attack. The lack of data when it comes to insuring against such an onslaught makes the modelling of loss scenarios extremely hard. As a result, significant solvency requirements are likely to be imposed on any insurer offering cover for cyber-related losses and it is hard to secure cover for losses over £100m. No product has yet been designed to insure against cyber-terrorism, though Pool Re is reportedly analysing whether cover might be extended in this regard.
Unfortunately, the threat of cyber-attack is not only real but becoming more profound. A government-commissioned survey last year revealed that 90 per cent of large UK firms had suffered a security breach at some point in the previous 12 months, while the average cost of a cyber-attack has more than doubled since 2014 to £1.5m-£3m for large employers, and up to £300,000 for small firms. That is before taking into account the losses that might be accrued from a cyber-terror attack on critical UK infrastructure. Isis and other terror groups have shown their willingness to exploit the cyber sphere for their grim ends and there is every chance that significant economic damage could be wrought if they were to make a successful attack. We must therefore guard against the possibility of market collapse in the existing cyber insurance sphere.
Reluctance in official quarters to bestow additional, unquantifiable liabilities on government via a cyber reinsurance mechanism is understandable but perhaps misplaced. In the 23 years in which Pool Re has been operating, it has paid out over £600m from its own funds and has built up a cash buffer of over £8bn from premiums received. Treasury funds have not once been called upon. Besides, whether we like it or not, ultimate responsibility for reconstruction will always rest with government in a black swan event.
Rather than create a standalone Cyber Re which, like Flood Re, could take years to establish, we might look instead at a broader catastrophe pool that could be expanded in response to emerging threats. This could be achieved by broadening Pool Re’s scope, something for which there is precedent – chemical, nuclear, biological and radiological attacks were added to its terrorism coverage in the aftermath of 9/11.
With government taking responsibility for cyber losses at the highest levels, market providers could be encouraged to step in to insure losses beneath a certain figure. Such a collaboration could help spread information and best practice, and start to build a body of data to inform the pricing of risk in addition to accruing a larger cash buffer. It could also drive the implementation of risk management initiatives. Last year, for example, Pool Re launched a partnership with the National Counter-Terrorism Security Office to improve security measures in public and private buildings across the UK. Buildings which adopt the measures will receive a reduction in the cost of their terrorism insurance. In this way, an innovative pooling system can also improve our resilience against attack.
With a fully-functioning market in cyber insurance, and as the only country to protect against cyber-crime at scale, the UK would make itself more attractive to precisely the kinds of IT businesses that we are seeking to attract, such as financial exchanges and large internet firms. We could also ensure Britain is at the forefront of developing new cyber products and expertise for export to other jurisdictions.
In less than a decade, cyber has moved from a peripheral consideration to a central concern for politicians, risk officers and insurers. Luckily, the UK has a proven track record in developing pools geared towards such threats, as well as an existing model that could be expanded. It may seem unpalatable to make government the backstop to unquantifiable risk. But government should neither underestimate the wider economic damage that could be done by an attack nor ignore the opportunities in our being prepared. By designing an invisible system of defence and resilience against a cyber onslaught, we not only guard against a rapidly evolving enemy, but once again mark London out as an insurance pioneer.