‘Protecting society from an unprecedented cyberattack will require more than insurance’ – there’s a stark warning to be found in the Geneva Association’s (GA) new report into the global cyber protection gap. Speaking with Insurance Business, Darren Pain (pictured), GA cyber director and author of the report - ‘Cyber Risk Accumulation: Fully tackling the insurability challenge’ – highlighted the core issue at the heart of this insurability challenge.
“A longstanding problem in the cyber world is that the economic losses associated with a major cyber incident are potentially catastrophic,” he said. “The worry for insurers and reinsurers is that, because they underwrite the cyber risks of households and firms, they may well be on the end of a concentration of those risks within their balance sheets.
“They worry quite a lot about what their capacity is to provide that level of protection to households and firms, given that their balance sheets are ultimately constrained in terms of how much capital can allocate to cyber risks.”
Over time, he said, the sector has become better at analysing cyber risks as more incidents generate more data, and advancements are made in combining forensic detail with more advanced risk models. However, he noted that a key takeaway from the GA’s report is that cyber models do remain fundamentally immature – with results still quite volatile and inconsistent.
Pain’s thesis is that simply having more data and information is not the silver bullet to protecting against cyber risk. It’s certainly part of the solution, he said, and it’s clear that better risk quantification is needed in cyber. However, there are certain elements of cyber that are beyond the reach of probabilistic reasoning. It’s not fatalistic to acknowledge that there are limits to what cyber risk models can do and that it’s a “fool’s errand” to search for the perfect model.
“[Our message] is that models are definitely needed but advances in modelling alone won’t guarantee an increase in risk-absorbing capacity,” he said. “So, we look to other ways and recognise the need to think about a multi-stakeholder approach in order to get our arms around this insurability challenge.”
To do this means looking beyond just the insurance and reinsurance sectors, he said, and the GA’s report has highlighted three additional key considerations. The first is the need to promote greater capital market involvement in cyber risk transfer. Cyber needs to attract a broader class of investors who are interested in taking on peak cyber risks, particularly given that capital markets are much deeper and are more liquid than reinsurance or insurance.
“Secondly, there are some elements of cyber exposure that extend well beyond the reach and knowledge of re/insurance,” he said. “ So I think we really need to tap into mechanisms that allow us to cooperate more with either government agencies or technology companies themselves, who ultimately have the most insight on the threats and vulnerabilities out there.”
The third consideration pinpointed by the GA is the need to incentivise IT security providers to take more responsibility for some of the hidden costs incurred by their users. Pain believes there is scope for enhanced liability for some hardware and software providers, encouraging these companies to build more cyber safeguards into their products and services – and so enhance cybersecurity, both among themselves but also across their customer base.
“Those are our three main concrete [takeaways] but I think, ultimately, the elephant in the room is that if you did all that… to my mind at least, you still have to fundamentally address the role that government has to play as a potential financial backstop against catastrophic cyber losses. We have plenty of examples of such arrangements for other types of perils and I think cyber is another candidate area. Even if it’s just to take away the extreme peak risks, in doing so we may well encourage more of the private sector to take on additional cyber exposure. So I think we do really need to engage in that debate with policymakers.”
Though estimates of the global aggregate cyber protection gap may differ from source to source, the multi-trillion-dollar figures being suggested reveal the scope of the challenge at hand. Pain noted that he does not believe the insurance and reinsurance sectors alone can close the protection gap and that a more collective approach is required.
The conceptual case for a form of a public-private partnership is pretty compelling, Pain said, as he believes that cutting the size of catastrophic losses faced by private insurers and reinsurers could ultimately attract more risk-absorbing capacity into the sector. In addition, increased cyber insurance has the potential to encourage improved cyber hygiene among the populace. But in order for reinsurance and insurance to fulfil its potential cyber governance role, the tail risk of extreme cyber losses somehow needs to be curtailed and a government backstop may be a means to support that.
“I don’t think there’s a consensus yet in the market,” he said. “Some risk carriers are still a bit nervous about government intervention within cyber insurance … In large part perhaps, thinking about what unintended consequences might arise.
“Most notably, people wonder whether a backstop might encourage lax cybersecurity postures where people don’t invest in cyber hygiene because they assume the government will pick up the tab. Likewise, I think some insurance market participants worry that a government facility might come with a mandate to take on some cyber exposures which remain well outside their risk appetite.”
While acknowledging those concerns, however, Pain emphasised that all of these issues apply to public-private partnerships already established to deal with other perils. There are clear lessons from both the successes and the challenges faced by these other schemes, he said, and how they operate. For him, the heart of the matter is more about design and implementation, rather than any conceptual misgivings.
“Unless we do something to cut the tail of the aggregate probability distribution for cyber losses, I think we won’t get a significant increase in capacity from the private sector,” he said. “And so, I think that’s where we have to go… Because in the end, taxpayers may well find themselves absorbing the losses that could accompany a major cyber catastrophe.
“To my mind, it’s better to get something in place that leads you to a more optimal risk-sharing arrangement ex-ante, rather than scrambling around in the midst of a massive cyber event trying to pick up the pieces. I think we should be ahead of the game as a sector and try to engage with policyholders. But it’s also about taking a multi-stakeholder approach and reaching out to the other players [in the ecosystem] that can help us build a more sustainable cyber insurance market.”
What are your thoughts on this story? Feel free to share them in the comment box below.
