Earlier this week, Lockton Re released a new report exploring how insurers and governments could collaborate to manage large-scale cyber risks. Examining the potential role of a government-backed reinsurance pool in preparing for a catastrophic cyber event that could exceed the capacity of the private insurance market, the research was especially timely given the recent launch of the Cyber Monitoring Centre.
Offering further insight, Oliver Brew (pictured) cyber practice leader, international, at Lockton Re, highlighted the “material and growing” potential for major disruptive events. And if that starting point is acknowledged, then what happens next? It’s critical to bear in mind that the public-private partnership trail is not unblazed, with multiple examples existing of where governments have stepped in to support communities in times of extreme need.
Whether it’s the Australian Reinsurance Pool Corporation, or Pool Re and Flood Re in the UK, these have been demonstrably successful in leveraging government balance sheets, enabling the monetizing of a risk that these governments are already accepting. “The governments, by default, are the insurer of last resort,” he said. “Without a risk pool mechanism, the governments become the insurer of first resort.
“The way the industry can come together is around the emerging consensus that very rare but very extreme events could occur. That, in itself, is an incentive to create alignment around engaging in a more constructive dialogue with governments to benefit the creation of some kind of risk pool.”
What has been holding dialogue back somewhat in the past, he said, is that there’s a complexity around execution and definitions, and what these mean to industry, to government, to thresholds, etc. But it’s better to start small and build on a case that can be agreed by a consensus, and go from there. “The alternative is that we do nothing and hold our breath,” he said. “Then if there was some kind of catastrophic event then we, as an industry, and, by extension, the government, would be scrabbling. That’s our call to action in this report – to take the first baby steps to engage in this conversation.”
It's very easy for the discussion around catastrophic cyber events to focus only on war but, while a challenging subject, it’s not the only one that should be on the industry and the government’s risk radars.
For example, broader concerns around critical infrastructure are really key, Brew said. Understandably, the insurance industry might start that conversation by saying the potential for critical infrastructure to be impacted is outside of the scope of the market. As yet, the market doesn’t have the tools required to accurately understand these systemic exposures – let alone to appropriately price the risk associated.
However, he noted that given the potential for those types of events to have a crippling impact on economic, as well as social well-being, the insurance industry needs to expand that conversation in order to maintain its own relevance. With government engagement in the form of some kind of backstop, there’s more room for the industry to better understand and manage those types of exposures. This will support greater take-up of cyber insurance beyond its current policyholder base which, in turn, will generate an increased premium pool and wider adoption.
“This reinforces that the policyholder gains benefit from the takeup of cyber insurance,” he said. “And that’s why the conversation around minimum underwriting standards or the basis for improved cyber hygiene are such important topics – and a really important basis for engaging with the market.”
Looking at the examples set by the likes of Pool Re and Flood Re, Brew highlighted how these underline the need for insurance to act as a resiliency measure as well as a risk transfer function. Flood Re is a good example of an initiative that took an existing risk, that was evolving over time, and provided an opportunity to distribute that exposure across the industry. It has been very successful in building resilience and engaging in reducing the overall risk, as well as sharing the risk across a broader pool.
“I think the resiliency aspect is a really critical point,” he said. “We need to build improved digital security, digital resilience and digital capabilities to both lower the risk of a catastrophic event but also to improve our ability to recover from such an event. That’s an important lesson from some of these risk pools. Another point, which is a common misunderstanding, especially among policymakers, is that a risk pool is just another item to add to a government ledger.
“The experience with Pool Re is actually the opposite. It has created a buffer between the private market and the government as a backstop. The government is earning material funds, both from the premiums and also the fact that it is further away from the true exposure, due to the commercial retrocession that exists, and that ultimately, it has never been called on. So even in the absence of an event that requires the backstop, the very existence of the backstop itself has been a really successful way to leverage the government balance sheet.”
Looking to the future, Brew said he is feeling optimistic that the market and policymakers can move the dial towards a more proactive and resilience-based approach to cyber. Initiatives, including the development of CyberAcuView in the US and the launch of the CMC in the UK, point to a developing understanding of the need for a common framework around cyber data and the need for greater cyber hygiene.
These are key steps to building an understanding, both of the mechanisms to improve resiliency and also the pathways to better engagement with government. He added that it had been encouraging to see the maturation of these conversations as they’re no longer as much about debating the merits of such a partnership but more about what such a partnership might actually entail.
“I think we're beginning to move to that point where we can talk about details and we can talk through areas of disagreement about the way these mechanisms can be leveraged,” he said. “There’s a lot of grey areas in cyber and a lot of nuance. But I think our conversations are moving beyond the black-and-white oversimplification to acknowledge that.”
