Lockton Re calls for "open and honest debate" on need for government cyber backstops

By Michael Jones

Feb 10 - (The Insurer) - Lockton Re has called for an "open and honest debate" around the creation of government-backed cyber risk pools to bolster confidence within the private market and spur competition.

• Government-backed catastrophic cyber response needed for market expansion

• Pool + backstop-style scheme is best-supported option at present

• Questions remain over backstop triggers

The reinsurance intermediary said that government backstops would "enable the alignment of best practices on cyber security".

Such mechanisms would also bolster the market’s expansion, with a corresponding dynamic financial attachment threshold that would increase with market growth. Lockton Re said this would facilitate coverage expansion over time to address a wider set of perils, along with increased capital deployment.

Setting up a government response to catastrophic cyber risk in advance would raise standards and reduce the risk of a major incident, something Lockton Re said would be impossible if a catastrophic loss event had already occurred.

Lockton Re's North American cyber practice leader Brian Lewis said: “While the concept of a backstop is contentious in some quarters, and execution of the details complex, the merits of working through the thorny challenges from idea to fulfilment make it worthwhile.

“Proactive development of a risk pool allows orderly engagement with the process, rather than a chaotic and urgent response after a catastrophe.”

Lockton Re said a public-private pool that creates a financial buffer for the private market and is supported by a government guarantee was the most supported option at present.

This option is understood to be preferred to schemes with reinsurance above a large retention or two-part schemes with insurable and uninsurable towers.

Critics suggest the former may distort the private market through skewed incentives, while the second may unintentionally narrow the scope of private market coverage due to parallel government cover.

Lockton Re acknowledged that any scheme with a compulsory element would be more challenging to approve and set up, with a higher cost base to establish it.

“For this reason, there is a better probability of success if any scheme initially focuses on a voluntary approach to the backstop,” Lockton Re said.

As previously reported, UK (re)insurers began consulting last year on a proposal to create two state-backed cyber (re)insurance schemes which would support the growth of the private market while also bolstering the resilience of the economy in the event of a catastrophic attack, even one stemming from a hostile state.

The consultation – which was revealed by The Insurer – recommends the creation of a Cyber Re reinsurance pool comprised of two separate schemes administered by the UK (re)insurance sector and backstopped by the UK state.

The proposals put forward include the launch of a reinsurance pool to cover “sophisticated” corporates and a separate public-private compensation scheme for SMEs. Both schemes would feature multiple impact-based parametric triggers, to ensure prompt payout and coverage clarity.

The insurance market has traditionally struggled to reach sector-wide consensus on definitions for cause-focused insurance, and such an attribution-driven approach is seen as a potential roadblock for the creation of any future pool.

This is particularly problematic as large-scale cyber events are typically hard to attribute. While it is common for the perpetrators of ransomware and malware attacks to own up to incidents, such organisations are often ultimately backed by hostile states.

Legitimate concerns

Lockton Re noted that discussions about the creation of cyber backstop are based on the assumption that an event could occur that is outside the private market’s appetite.

However, because such an event has not yet occurred, there is an issue in galvanising policymakers. Nevertheless, the broker argued that fear of a catastrophic loss alone has been enough to stifle growth and thus preparedness for this kind of event would be advantageous.

Concerns were also raised around the inconsistency of coverage for those which join the backstop and those that do not, which could lead to uneven loss impacts.

“This can be alleviated with a common approach to minimum standards and creating the appropriate incentives for the industry to participate in a voluntary program, which can be adopted over time, and so avoid creating undue market distortion,” said Lockton Re.

Questions also remain over the threshold for when a cyber event should trigger a backstop.

Last month, Swiss Re’s Aidan Kerr said the London (re)insurance market must do better at explaining to government the boundaries of cyber cover and the private sector’s limitations in providing resilience to the UK economy in the event of a large-scale cyber attack.

Lockton Re said the rapid speed of cyber market evolution means the basis of what should be covered by a backstop is not settled.

This question, Lockton Re said, is perpetual given technology’s ever-evolving nature. As a result, it argued this is not a sufficient reason to postpone addressing the issue.