Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Hackers sneak malicious code into global payments software that spreads rapidly to tens of thousands of partner networks at banks and throughout the financial sector. This opens a back door for the attackers to siphon off customer funds, disrupting clearing and even interbank lending. It takes months to repair all the breaches, and shakes confidence in the system, driving up business costs as regulations stiffen.
Such an attack could cause $3.5tn in global economic damage, according to modelling by the Cambridge Centre for Risk Studies for the Lloyd’s of London insurance market, released in October. That is “too substantial a risk for one sector to face alone”, the market’s chair, Bruce Carnegie-Brown, argued at the time.
The view reflected a consensus in the insurance sector on one of today’s key threats: a systemic cyber attack would be too big, and too widespread, a risk to be insured. In other words, help is needed to manage it.
Some in the sector see the worst-case scenarios as apocalyptic, given the protection systems in each network. Joshua Motta, chief executive at San Francisco-based cyber insurer Coalition, and a former CIA analyst, said the Lloyd’s scenario “doesn’t fully consider the intricacies of computer network operations and exploitation, nor the robust safeguards and recovery mechanisms inherent in modern financial systems to prevent large-scale economic fallout”.
But the insurance industry is certainly pulling in its horns when it comes to cyber risks. Underwriters have put in tougher exclusions on standard cyber policies for major state-backed cyber attacks, meaning such events will not typically be covered, unnerving some big commercial clients. Meanwhile, property insurers have sought to explicitly exclude cyber coverage from their policies covering businesses.
Most agree that an insurance sector that took in about $12bn in premiums last year, according to figures from S&P Global Ratings, is by no means large enough to cover a systemic cyber attack. Hence discussions in the UK, the US and elsewhere over the possibility of governments stepping in to provide a backstop to a nervous market.
Thirty years ago, the UK insurance industry was struggling to absorb another major risk, one that threatened life and limb as well as business. The IRA’s bombing campaign, combined with a general pullback from reinsurers after US hurricane losses, had created a market failure in terrorism insurance as underwriters held back from offering cover.
In response, the industry and government came together to create Pool Re, a terrorism reinsurance scheme underpinned by a state guarantee. With this in place, insurers returned to the terrorism insurance market, and the scheme has paid in excess of £1.25bn in claims, adjusted for inflation, over its lifespan, without having to call on its guarantee.
Last week, Pool Re celebrated its first 30 years with senior industry figures in the reinforced bunker of the Churchill War Rooms. The current debate is whether incumbents at the Treasury, just above ground at the same site, should give Pool Re a new job for its fourth decade, widening its scope to share insurer losses in the event of a systemic cyber attack.
The problem for executives and risk experts on both sides of the Atlantic arguing for a state backstop on cyber is, partly, the other backstops they have argued for in recent years — on pandemic reinsurance and property catastrophe reinsurance. There is an argument to make about whether it is fair to put any new major contingent risks on public balance sheets, and if so, which ones.
Axa’s deputy chief executive, Frédéric de Courtois, said a public-private partnership on cyber is a “must-have”, given it is generally only the biggest companies, which have also invested in prevention, that he thinks could be seen as adequately insured.
“We are convinced that we could have a big worldwide systemic risk claim on cyber,” de Courtois said. He suggested the fact that such an attack has not happened yet “maybe prevents” policymakers from creating a public-private structure. “The issue is, as insurers we believe [a systemic attack] could happen, so, we are afraid to insure.”
At the Pool Re dinner, today’s leaders remembered the market failure that was the necessary condition for its birth. For a cyber market that has regained some stability after the ransomware shock, there is a lingering concern that minds will only be focused on systemic cyber risk after the fact.