Published by Secure Thinking, BT (16 July 2012).
In January 2011 over €45 million was stolen from the carbon markets in several ‘cyber crime’ incidents. Carbon markets were closed on 19 January 2011 and have fitfully reopened since at much lower values. The January 2011 attacks were preceded by attacks in 2009 and 2010. A 2 February 2010 phishing theft of 250,000 carbon emission permits was reported to net €3 million and also closed the markets. Further, other financial markets, witnessing the slow responses of the authorities, have questioned the basic links between government bodies and their own markets’ protection.
In our book, “The Price of Fish: A New Approach to Wicked Economics and Better Decisions”, Ian Harris and I argue that wicked solutions need to blend four streams of thinking – choice, economics, systems and evolution. How might that apply to cyber-crime? Cyber crime needs to be viewed from a number of perspectives. No political, economic, technical or legal solution alone will work. In this blog I’d particularly like to contrast cyber-crime with ‘normal’ crime, where we are able to purchase insurance. A realistic comparison would be burglary insurance. People contract with insurers in commercial terms they understand, with contracts they know and financial risks and rewards they can analyse.
Cyber-crime insurance is a weak market where it is hard to get significant risks written. Cyber-crime (e.g. “e-risk business protection”) insurance typically covers crisis management costs, customer notification expenses, data extortion, professional services, multimedia liability (e.g. defamation, copyright infringement), security & privacy liability, and privacy regulatory defence & penalties. In the USA, this market is driven by legal requirements to inform customers of personal data breaches, but does little for business interruption. Cyber-crime insurance is a weak market where it is hard to get significant risks written. Market cover is sporadic above small networks and fades completely above £100 million.
Cyber-crime at scale is indistinguishable from cyber-terrorism. State actors may be involved. In fact, it is likely that only failed or corrupt states would allow attacks to originate from their territory. So firms are sensitive about the commitment of the state to protect them from incursions of substance, whatever the source. Cyber-terrorism, e.g. state sponsored terrorism, insurance doesn’t exist. A realistic economic goal for government is to create a framework where insurers want to write cyber-crime and cyber-terrorism business, because they know it pays. And this means blending choice, economics, systems and evolution.
The carbon market problems resemble terrorism property insurance problems. Following the 10 April 1992 bombing which devastated the Baltic Exchange for shipping, international insurers withdrew cover for acts of terrorism and the UK government formed a reinsurer, Pool Re, rapidly by 1993. As a reinsurer, Pool Re helps other insurers provide policies directly to property owners and backs up insurers capital with regulators. At the moment, insurers in the UK can reinsure liabilities from terrorism, in excess of the first £75m, with Pool Re. A Pool Re member’s retention is proportionate to their participation in the scheme. The only exclusions applying to the terrorism cover of Pool Re are in respect of: “war and related risks; and damage to computer systems caused by virus, hacking and similar actions.”
Could we have a Cyber Re where government helps the insurance industry fund extreme losses? As an example, government takes responsibility, via a reinsurance club, for risks at the highest levels. Below that level normal insurers write cyber policies which help spread information and best practice. Reinsurance helps form successful commercial insurance markets by providing assessable mutuality for random events. Cyber Re can increase supply by spreading large losses and (over time) playing a role in establishing a body of data to support more accurate pricing of the risk. It also helps demand by promoting an understanding of cyber risks and the value of defending against them, especially through technological defences.
A business interruption insurance model might be most appropriate. A good example of business interruption or “loss of earnings cover” is industrial dispute insurance. In a business interruption model, the client states in advance how much a day’s outage will cost and this simplifies the claims, e.g. a day’s outage costs £5M, the retention is the first 2 days, followed by payments for the next 10 days. A Cyber Re would:
Cyber Re might confer competitive advantage on the UK. With Cyber Re, the UK would have definite attractions to firms that depend on computers, particularly financial exchanges and large internet firms, as it would be the only country that indemnifies when it fails to protect against cyber-crime at scale.
So we’ve blended four streams – giving customers a financial choice they can understand, making the risk-sharing economics work, looking at the problem holistically, and providing a system that can evolve standards and prices in line with learning. How would we know when government and industry are working well together on cyber-crime? When one can buy ‘normal’ insurance.
About the author
Professor Michael Mainelli FCCA FCSI FBCS, Executive Chairman, Z/Yen Group
After a career as a research scientist and accountancy firm partner, Michael co-founded Z/Yen, the City of London’s leading commercial think-tank, to promote societal advance through better finance and technology. Michael’s third book, based on his Gresham College lecture series from 2005 to 2009 and co-authored with Ian Harris, “The Price of Fish: A New Approach to Wicked Economics and Better Decisions”, won the 2012 Independent Publisher Book Awards Finance, Investment & Economics Gold Prize.
[An edited version of this article appeared as "Cyber Solutions: Technology or Finance" , Secure Thinking (16 July 2012) - http://letstalk.globalservices.bt.com/en/2012/09/cyber-solutions-technology-or-finance/]