Insurers must better communicate private market limits to government in Cyber Re debate

By Ryan Hewlett

Jan 30 - (The Insurer) - The London (re)insurance market must do better at explaining to government the boundaries of cyber cover and the private sector’s limitations in providing resilience to the UK economy in the event of a large-scale cyber attack, according to Swiss Re’s Aidan Kerr.

At a time when both the cyber insurance market and the underlying risk is growing, Kerr, UK and Ireland lead and director of public sector solutions at Swiss Re, warned that the sector’s inability to communicate successfully with potential customers and policymakers is hampering efforts to bolster wider economic resilience in the UK.

Speaking on a panel discussion at the inaugural cyber conference hosted by the Association of British Insurers (ABI) on Wednesday, Kerr pointed to a number of “highly successful” public-private partnerships formed between UK (re)insurers and government, notably state-backed flood scheme Flood Re and terrorism mutual Pool Re. A similar mechanism could be structured for systemic cyber risk in the UK, he added.

Kerr acknowledged that past schemes had been born out the need for state intervention to deal with a “highly specific”, acute and urgent market issues or failure, with well-defined and widely understood boundaries of what was covered by the private market and what was not.

And now a similar focus on coverage clarity and boundaries is needed in tackling cyber risk, he said.

“The key points for success will be in understanding the objectives, understanding where the market should be doing more, and then understanding what that boundary is between what the market can provide and where the government needs to come in and provide support,” Kerr added.

The ABI published a report on Wednesday which found that take-up of cyber insurance among SMEs in the UK remains worryingly low, with consumers’ lack of understanding of both product and risk cited as primary reason for the lack of penetration.

“If we're not that good at explaining to SMEs about the cyber cover they need, then it isn't that surprising that we also need to do more work to explain to government what the boundary is of the cyber insurance market,” Kerr added.

“We need to break it down, make it less abstract, make it more tangible for government so they understand exactly what the boundary is; what does the cyber insurance market cover and what does it not. What government then does with that is then clearly a matter of government accountability, but as long as they know what the boundaries of the market are in clear, tangible, easy to understand ways, then it gives them the ability to do something should they choose to.”

UK (re)insurers began consulting last year on a proposal to create two state-backed cyber (re)insurance schemes which would support the growth of the private market while also bolstering the resilience of the economy in the event of a catastrophic attack, even one stemming from a hostile state.

The consultation – which was revealed by The Insurer – recommends the creation of a Cyber Re reinsurance pool comprised of two separate schemes administered by the UK (re)insurance sector and backstopped by the UK state.

The proposals put forward include the launch of a reinsurance pool to cover “sophisticated” corporates and a separate public-private compensation scheme for SMEs. Both schemes would feature multiple impact-based parametric triggers, to ensure prompt payout and coverage clarity.

The insurance market has traditionally struggled to reach sector-wide consensus on definitions for cause-focused insurance, and such an attribution-driven approach is seen as a potential roadblock for the creation of any future pool.

This is particularly problematic as large-scale cyber events are typically hard to attribute. While it is common for the perpetrators of ransomware and malware attacks to own up to incidents, such organisations are often ultimately backed by hostile states.

Chairing the panel at the ABI cyber conference, Rebecca Bole, head of strategic engagement at CyberCube, flagged the rising threat of cyber attacks on critical national infrastructure by hostile states, such as Russia.

Bole also raised concern about the low penetration rate of cyber cover among UK SMEs, currently estimated at around 10 percent, despite the cohort contributing more than £2.6trn ($3.23trn) in turnover and accounting for 99 percent of all businesses.

“Combine the sort of low penetration rates with that sort of exclusionary language for some of those geopolitically motivated attacks, or those that have a moral or critical infrastructure impact, and you've got a significant gap between what the economic losses could be from some of these events and the assured loss insured losses,” Bole said.

This was echoed by former MP and security minister Stephen McPartland, who said the UK’s leadership position in areas financial services, data and technology have left the country “uniquely vulnerable”.

Citing figures from Office for Budget Responsibility, he emphasised that the economic impact of a successful cyber attack on the economy could be equivalent to 1.6 percent of GDP.