The rising threat of cyber attacks to economies and businesses across the globe can be mitigated through public and private sector relationships, utilising the benefits of alternative risk transfer solutions such as catastrophe bonds, according to Z/Yen Group Limited.
Cyber risks are seen as one of the great opportunities for the insurance and reinsurance sector, as well as a great unknown and a key risk. Not only is the potential exposure enormous, and so in need of insurance and reinsurance capacity to cover it, but right now quantifying the risks is extremely difficult due to a lack of data and to re/insurers' risk accumulations and exposure concentrations.
The world today is reliant on electronic systems that operate global and regional economies and, as international assets and business values continue to grow, the potential threat of property damage, business interruption and third-party liabilities as a result of cyber attacks increases also.
The general opinion of many industry experts and analysts is that it is not a question of ‘if’ the next large cyber attack is going to happen, but ‘when,’ as the greater the volume of information and sensitive data that exists in the electronic landscape, the more it seems data is leaked, stolen, or misplaced.
It’s a vast, burgeoning risk that the insurance and reinsurance industry could help to protect against, but one that would require the support of the public sector, according to a recent report by Z/Yen Group Limited, published by Long Finance.
Cyber is seen as a catastrophic risk, thus requiring an approach akin to that taken to provide insurance, reinsurance and retrocession for large global natural disaster risks and other exposures such as terrorism or nuclear risks.
“If society wishes to bring insurance to bear on helping to manage cyber-risk, then cyber-catastrophe reinsurance needs to be available for property damage, business interruption, and third party liabilities in order to remove blockages to rapid take-up of cyber insurance by businesses,” says the report, which, despite focusing on the UK, is applicable to other nations.
The report argues the case for a public-private sector cyber catastrophe reinsurance scheme, which would act like a pool funded by the insurance, reinsurance and insurance-linked securities (ILS) industry, while utilising the expertise and support of the public sector.
Interestingly, the study highlights the potential for cyber catastrophe bonds and explains how ILS structures could be used as a successful means of mitigating the potential impacts of cyber attacks.
The report says: “The scheme would in effect be a pool funded by the insurance industry, seeking its own further reinsurance and possibly issuing insurance linked securities such as a cyber-catastrophe bond for further cover.”
It continues by providing a couple of examples of what the trigger might look like for such a catastrophe bond: “More than 10% of the nation’s computers unusable for more than 12 hours,” or, “a power loss of more than one hour for more than 15% of the nation.”
These are use-cases that might make more sense to the ILS market than the random uncertainty associated with how and when a corporation could be hit by a cyber attack. Distilling the risk down to something easier to understand and parameterise could help to encourage engagement both with reinsurance markets and ILS investors.
The issue with cyber coverage, whether in the form of cat bonds, traditional reinsurance or even primary protection, concerns pricing and the inherent uncertainty surrounding the risk, due to a lack of historical data and limitations with modelling such exposures.
But this is where the government relationship can come into play, as apart from acting as a last resort insurer for the scheme, which is proposed in the report, the public sector can help the risk transfer participants to develop tools and examine data, utilising analytics and technology to aid in the assessment of cyber threats.
The report offers some key recommendations for the scheme, listed below:
- The scheme should provide more standardised wordings linking cyber-catastrophe to the policies members write, and more standardised data collection for analytical purposes;
- The scheme should promote the use and evolution through learning of ICT security and risk management standards such as Cyber Essentials, ISO 27000, NIST, or CESG’s 10 Steps;
- Insurance regulators should strongly encourage membership by insurers providing cyber cover;
- Members should jointly seek reinsurance for a cyber-catastrophe, including consideration of cyber-catastrophe linked securities;
- Government should facilitate, but not underwrite, the scheme’s reinsurance: government oversight could help the issuance of cyber-catastrophe linked bonds;
- Government and regulators should strongly encourage cyber insurance for essential services and critical national infrastructure including financial services, and incorporate cyber insurance in government procurement processes, e.g. requirement to purchase if unable to show appropriate management or retentions.
Again, these points note the potential use of ILS or cyber cat bonds within such a scheme, stating that the government could again help with their issuance and development.
Initially, a scheme of this nature would likely be largely capitalised through insurance and reinsurance company capacity. But, with a risk of such scale and potential severity, diversifying the capital base and bolstering protection through the issuance of catastrophe bonds to tap the capital markets would be a benefit to those seeking cover and to the overall functioning of any public-private cyber reinsurance initiative.
The government’s role, meanwhile, “would be one of promotion and (possibly) a last resort insurer only in the event that industry retentions and the scheme’s reserves have been exhausted,” concludes the report.
It’s an interesting and viable notion, and one that could spark greater interest from public and private sector entities that are already considering the issue of cyber risks in the UK, and the rest of the world.
As the very real threat of cyber attacks intensifies, at the same time as interconnectedness and global values rise, the need for an effective solution against the threat becomes apparent.
It is a risk so large that a pooled approach, similar to the approach the UK is taking with Flood Re, may be the best solution for the catastrophe level cyber exposures. The government could arrange the pooling of risks, while then tapping both traditional and alternative reinsurance markets for retrocession.
By pooling the risks they can also, perhaps, be better analysed, allowing triggers to be identified which make the transfer of these risks more transparent and understandable, perhaps even understandable enough for capital market investors and ILS funds to ultimately get involved.
And, as highlighted in the report, a solid, mutually beneficial relationship between the public and private sector to develop a cyber-catastrophe reinsurance scheme, and cyber-catastrophe bonds, would certainly be a step in the right direction if the industry is serious about managing and protecting against the peril.