Last month, the Actuaries’ Institute announced Marcus Stavrakis (pictured above) as the winner of its annual Young Actuaries’ Public Policy Essay Competition. The 23-year old’s work tackled the challenges facing the cyber insurance market and proposed that a reinsurance pool would provide better access to insurance and improve cyber risk management, especially for SMEs.
Stavrakis won $4,000 for his essay, “How the Australian Reinsurance Pool Corporation (ARPC) and Insurers can protect our data.” However, of greater interest to the insurance industry is another part of the award: he’s now on the Institute’s Cyber Risk Management Working Group and converting his essay into a public policy proposal.
Stavrakis is a Melbourne-based actuarial analyst for Finity, a strategic analytics firm. His core idea is the creation of a reinsurance pool modelled on the versions already deployed by the Australian Reinsurance Pool Corporation (ARPC) to help deal with terrorism and cyclones.
“I wanted to think of a genuine solution,” he told Insurance Business. “We always talk about cyber, it's a lovely topic and execs always want to talk about it but when you ask them for a solution, the smoke clouds kind of come up,” he said.
So he set about writing an award-winning essay.
Stavrakis said his aim was to protect the most vulnerable and provide a solution with the most benefits. SMEs, unlike big corporate firms, he said, are “generally priced out” of the cyber insurance market. Stavrakis said this is because of capital restrictions in the cyber market due to its lack of maturity.
“The solution that I'm proposing is that in order to help SMEs, we need to help insurers and to help insurers, we need to set up a capital support system and I believe the ARPC can do that by setting up a cyber pool,” he said.
The main arguments in favour of the idea include how its implementation, he said, will reduce cyber attacks, defences will improve and, more generally, intellectual property will be better protected. Stavrakis also said a reinsurance pool would encourage a collective knowledge base around the best ways to risk manage the cyber threat.
Like the cyclone and terrorist pools before it, Stavrakis expects the government to contribute funds to the pool but said it will be “somewhat of a private solution.”
“Even though the government will be putting up money to set up a pool, for the most part, the insurers will be the ones that will be insuring and paying out claims and be providing the support,” he said.
One big incentive to get the Stavrakis plan in motion could be the government’s tightening of cyber regulations. There are now big penalties for companies found to be negligent concerning serious breaches of personal data.
The Privacy Legislation Amendment Bill, which went into law late last year, increased the maximum penalties for serious privacy breaches attacks from $2 million up to a hefty $50 million.
For comparison, news reports say the biggest fine under the European Union’s data privacy rules is 20 million euros or A$33 million.
“Whilst I think punitive measures are one way to go about it, I don’t think this serves SMEs in terms of being able to improve their cyber risk management or spread knowledge that would help prevent cyber attacks,” Stavrakis said.
A focus of his essay concerned the cyber issues facing small business.
“SMEs are increasingly reliant on digital infrastructure for their operations, including communications, cloud processing, physical security systems, data storage, and billing,” Stavrakis wrote. “We know that around 50% of SMEs have poor cyber security practices and that nearly half of the cyber-attacks target SMEs, posing a significant threat to Australian businesses and consumers.”
The reinsurance pool, he said, would facilitate affordable, broad, accessible cyber products for SMEs.
“The nature of insurance is to protect assets and minimize risk within society,” Stavrakis said. “The creation of a separate cyber risk pool within the ARPC will bring much needed stability to the reinsurance market.”
On its website, the Institute said Stavrakis is working closely with its Cyber Risk Working Group “to expand on his ideas.” It said it hopes to release a publication on cyber risk later this year.
What do you think of the Stavrakis plan? Please write your thoughts below