Covid-exhausted governments have no ‘appetite’ for cyber pools: IFTRIP

Government-backed terrorism pools are unlikely to extend cover to include catastrophic cyber events anytime soon, according to the president of the International Forum for Terrorism Risk (Re)Insurance Pools (IFTRIP).

Speaking at an online panel debate on cyber war and terrorism hosted by The Geneva Association, IFTRIP president Christopher Wallace said it would be challenging to get governments, many of which are struggling with the cost of the pandemic, to extend existing pools to cover catastrophic and systemic cyber risks.

Asked if it is feasible to wrap peak cyber risks into existing pooling arrangements, Wallace said: “I think it is difficult to do… governments look at this issue very differently to the insurance industry… [the various government departments] all have different accountabilities and objectives, and that is part of the challenge in terms of getting consensus to solve the problem.

“Governments are also pretty exhausted financially from responding to the pandemic and just don’t have the appetite to put more financial exposure out. The backstops that are required will need to be priced – they are not free – and it is very hard to calculate what a reasonable rate of return is for these losses,” he added.

Wallace, who is also chief executive of the Australian Reinsurance Pool Corporation, suggested smaller local cyber pools might be a way forward. “The most likely way to solve this problem is to have a small pool that does not have attribution – that is trigger-agnostic – and that actually does have some cover. From my perspective, I’m only interested in trying to make cover available to society. But it’s hard to do in the current context,” he said during the webinar.

Recent research from The Geneva Association concluded that public-private partnerships, such as government-backed cyber reinsurance pools, are needed to cover large and systemic cyber losses.

A global infrastructure failure, for example, could generate economic losses in excess of $1trn and insured losses of $71bn, but the numbers  have a high degree of uncertainty. A contagious malware attack would result in smaller losses, more comparable to a natural catastrophe, with economic losses of $192bn and insured losses of $27bn.

“Some of the cyber losses are too big and uncertain for private insurers to absorb alone,” said Darren Pain, director of cyber at The Geneva Association. “This accumulation issue is the key reason why the latest Geneva Association report on HCA [hostile cyber activity) makes the case for some form of government backstop, or public-private partnership, where the private market absorbs losses up to a defined limit, beyond which public funds have to pay,” he said.

According to Wallace, pools do not have a role in insuring cyber war. “I do not see war as being a risk covered by pools and it is generally excluded by pools and the Australian scheme. The challenge for us is that cyber terrorism is excluded from the Australian scheme, and is not universally covered by pools either,” he said.

The IFTRIP president also believes it would be difficult for existing pools to extend coverage to cyber risk, such as cyber terrorism or state-sponsored cybercrime. “It’s hard to change the pools. Pools generally came into place because of a crisis and they have an inertia and are hard to change, in that it would usually require a review or major policy change to bring about those sorts of updates,” he said.

“The problem we face on cyber – the insurance industry needing to define what cover it is providing and society needing to provide cover to protect the assets – has arisen because this is such a modern risk and [due to] the nature of legacy products, [where] there are gaps in cover and definitions,” he said.

According to Rachel Anne Carter, a director of Carter Insurance Innovations and one of the authors of The Geneva Association report, the optimum solution would be an international pool. But she believes it will only be possible to create a local solution in the short term because of political and financial challenges.

However, governments could work towards a consensus on language, definitions and attribution of cyber events, Carter said.

“In terms of maturity, we are at the beginning of that path. The work of The Geneva Association and others is a good start as a stepping stone, but should be seen in that regard as a constantly moving, optimising process,” she continued.

The insurance industry first needs to reach its own consensus on how to address catastrophic and systemic cyber risks, according to Jon Bateman, a fellow in the Cyber Policy Initiative at the Carnegie Endowment for International Peace.

“I would start in terms of getting the insurance industry to speak with one voice and even clearly calling for the creation of public-private partnerships. The momentum has been building for that but it is still a defuse conversation,” he said.

One option, in the absence of a government-backed pool on the scale needed to solve cyber risk problems, would be to experiment with a pilot scheme in a smaller forward-looking country that other countries could learn from, said Bateman. Alternatively, a major event, as happened with the 11 September 2001, terrorism attacks, would create the “necessary and sufficient conditions for the creation of a public-private partnership”, he said.

“It’s in the insurance industry’s interest to continue devising specifics so that if such an event happens, there is a proposal ready to go,” he added.