The UK needs to better insure itself against the cyber-terrorism threat
In the week after the devastating atrocities in Paris, the chancellor announced that infiltration of our online infrastructure ranks alongside “guns, bombs and knives” as a terrorist threat against which the UK needs urgently to defend itself. Elevating cyber-terrorism in such a public manner, backed up with commendably generous financial resources for our security services, is a critical first step in tackling the evolving dangers to Britain’s national security. But how capable are our major institutions and the broader economy of withstanding damage from a cyber-onslaught?
So concerned is the Bank of England about the systemic risk that a targeted cyber-attack poses to the financial system that, for almost two years, it has worked hand in glove with GCHQ to test resilience in the Square Mile. This work recognises both the potential financial impact of a cyber-attack on businesses and citizens, and implicitly concedes that our institutions are not adequately prepared to handle the physical impacts of the cyber-terrorist threat.
In October, telecommunications firm TalkTalk was hacked by two teenage schoolboys who stole thousands of people’s bank details, costing the company around £35m. Meanwhile, the Federation of Small Businesses claims that August’s tube strike came with a price tag of £600m in economic disruption. A terrorist cyber-attack would likely seek to replicate both of these events, albeit on a much larger scale. With UK cities becoming ever “smarter” and more reliant on sophisticated computer software, it is vital that we have the confidence that these systems can be backed up, protected or swiftly rebuilt in the event of a catastrophic breach.
Unfortunately, however, there is serious concern about whether the existing insurance cover for such events is robust enough. This is where a reinsurance vehicle, which effectively guarantees insurers and governments against heavy losses, stands to play a crucial role.
The IRA bombing of the Baltic Exchange in my constituency in 1992 proved a seminal moment in the Square Mile’s centuries-old insurance industry. The scale of damage was so colossal that reinsurers began to withdraw cover for terrorism in double-quick time. It swiftly became clear that the gap could only be plugged if the insurance industry and government worked together. The result was Pool Re, a partnership between the UK Treasury and Britain’s insurers which – for the first time ever – made government the insurer of last resort. Following the 9/11 attacks, its coverage was extended to include chemical, biological, radiological, and nuclear terrorism risks. Just as the terrorists have evolved, so have we.
With the threat now more dispersed but no less deadly, the question for the insurance industry is how to calculate and manage that unpredictability. One area where surely we require better cover before a major incident occurs is cyber-terrorism. This is not wholly unfamiliar territory for this government. A similar insurance gap was identified following the serious floods of 2013, with the industry and government stepping in to create Flood Re to ensure that those domestic properties in the UK at the highest risk of flooding could receive affordable cover. Now that the cyber threat is so clearly tied up with terrorism, the time may be ripe for the UK government to create a new, standalone reinsurance fund – “Cyber Re” – to ensure that major British businesses and institutions are covered in the event of cyber-attack.
This made it all the more curious that, as recently as March, the erstwhile coalition government declared that there was no need for state intervention in this area. Despite all the emerging evidence and vocal campaigning from security experts and academics, as well as insurance underwriting insiders, the Cabinet Office (the government department with chief responsibility for cyber issues) concluded that the insurance industry could handle known risks without the need for a Pool Re type structure.
I accept that a Cyber Re proposition is not without difficulties, particularly when it comes to defining what constitutes a “terror attack” – it can be tricky to assign responsibility in the online world, sorting industrial espionage from security threat. However, the importance of financial, professional and business services to the UK economy as a whole should now incentivise government to take a lead alongside our world-leading insurance sector to withstand one of the greatest systemic risks that UK Plc currently faces. As we all know in the insurance business, providing the right cover – at the right cost – relies on our ability accurately to predict the probability and severity of future losses. But as the Baltic Exchange and the Twin Towers showed to such devastating effect, single events can turn assumptions on their head in a flash.
While I am a free marketeer, bringing all these perils under one roof might ensure a much more resilient economy in the face of threats otherwise difficult to insure. It could give the insurance industry the confidence it needs to expose its balance sheet in the knowledge that it has a safety net, simply because the potential losses at stake cannot be handled by the private sector alone.
So the chancellor is right to raise the issue of cyber-terrorism. As nations prepare themselves against bomb plots, gun attacks and airline hijackings, so terrorists will adapt, finding new weaknesses to exploit. The provision of insurance and reinsurance for such threats will become an increasing factor in the government’s fight against terrorists and their criminal gang cohorts. We must face facts: in the event of a catastrophic cyber-attack, it will only be reinsurance that will collectively enable us to get back on our feet.