UK cyber insurance report recommends reinsurance scheme

A scheme along the same lines as the UK’s state-backed Pool Re scheme for terrorism cover will help improve UK competitiveness as an attractive economy for cyber business, according to a report

A public-private cyber catastrophe reinsurance scheme would improve UK cyber resilience, according to a Long Finance report by Z/Yen Group, co-sponsored by APM Group.

A scheme along the same lines as the UK’s state-backed Pool Re scheme for terrorism cover would also improve UK competitiveness as an attractive economy for cyber business, the report said.

“The report highlights the need to be prepared, and reinsurance is a key part of that preparedness,” said Michael Mainelli, Z/Yen Group executive chairman, at the report’s launch in London.

“The insurance industry works very well at pooling small risks and avoidance of fairly significant risk with government support, but the whole area of very high-severity and very high-frequency risk is an area that government reinsurance is required for,” he said.

Reinsurance occurs when multiple insurance companies share risk by purchasing insurance policies from other insurers to limit the total loss the original insurer would experience in case of disaster, according to Investopedia.

By spreading risk, an individual insurance company can take on clients whose coverage would be too great of a burden for the single insurance company to handle alone. When reinsurance occurs, the premium paid by the insured is typically shared by all of the insurance companies involved.

“This would work by creating a pool that is funded as a mutual by the larger insurers that wish to write this type of cover, but we think this would be facilitated if there was a public-private push for it,” said Mainelli.

Government’s role is to encourage this, he added, in the form of government procurement requiring suppliers to have cyber cover and encouraging some of the strategically important sites around the UK, particularly national infrastructure, to purchase cover or prove adequate resilience.

“Although it would be nice to have the government as the insurer of last resort, there is a lot the industry can do with government support that falls short of requiring the government to put up any money,” said Mainelli.

Insurance has in the past helped the UK transfer risks such as fires, workplace injuries or automotive thefts, but the current cyber insurance market is limited, according to the Promoting UK cyber prosperity: Public-private cyber catastrophe reinsurance report.

The report stated that cyber insurance is a broad term used to cover a variety of policies ranging from those that cover legal and administrative costs in the case of data breaches to those that provide protection advice and consultancy in the event of a claim.

“Some cyber risks are covered in some existing policies, though the wordings vary and the coverage is, at best, patchy,” it said.

The report also highlighted the fact that the commonly used Lloyd’s Market Association Cyber Attack Exclusion (CL380) and Non-Marine Association’s Electronic Data Exclusion (NMA2914) in insurance policies open “gaping holes” in cyber insurance coverage.

It noted that insurance for core risks such as business interruption and third-party liability is difficult to obtain at a “reasonable scale”, such as that required by a financial institution or online retailer, and that it is practically impossible to insure against the risk of intellectual property theft.

“If society wishes to bring insurance to bear on helping to manage cyber risk, then cyber catastrophe reinsurance needs to be available for property damage, business interruption, and third-party liabilities in order to remove blockages to rapid take-up of cyber insurance by business,” the report said.

It also outlined a public-private reinsurance scheme that would help insurers to insure themselves in order to insure others. In other words, the scheme would provide cover to a group of insurers above a catastrophic loss threshold to be defined by government and industry.

“The benefits of such a scheme are that it provides a way to help industry, insurers and government to pull together to manage this huge risk on UK PLC’s balance sheet by supporting more objective pricing of risk through premiums,” the report said.

“The scheme does so by encouraging appropriate information sharing, standards, and best practice alongside insurance-based incentives for investment in protection.”

Extension to the Pool Re scheme

A public-private cyber catastrophe reinsurance scheme could be a new scheme, the report said, or an extension to the existing Pool Re scheme.

“Extending Pool Re would perhaps be the easiest as there is already a mutual structure; potentially some seed funds for development; a risk assessment capability; and a track record of successful funding and operations,” the report said.

Stephen Catlin, the founder of the Catlin Group, which is the largest Lloyd’s of London insurer, told an insurance industry conference in February 2015 that cyber attacks are so dangerous to global businesses that governments should step in to cover the risks.

Cyber security, he said, presented the biggest, most systemic risk he has come across in all of the 42 years he has worked in insurance.

Catlin said governments have already had to establish state-backed schemes to provide terrorism cover, such as Pool Re in the UK, but he said cyber security presented an even bigger threat than terrorism.

“Insurance has had a major role to play in managing many of society’s previous ‘big’ risks... However, the global and systemic nature of cyber risk means that insurers are restricted in their ability to work with society to manage this risk,” he wrote in the foreword to the Long Finance report.

“Our regulators expect us, quite rightly, to manage our balance sheets. However, our balance sheets are not large enough to pay for a true cyber catastrophe. This is where a fresh approach to reinsurance will help insurers enter the market more rapidly and usefully,” said Catlin.
