Cyber's Empty Space (Cyber Reinsurance)

By Professor Michael Mainelli
Published by Financial World, IFS School of Finance (December 2012), page 39.

You’ll already have heard a lot stories, many real, about the effects of cyber-crime. Cyber crime exists and hurts financially, partly because it is difficult to insure. One Long Finance proposal is Cyber Reinsurance (Cyber Re). The proposal originated last year in frustration at widespread inaction by authorities to cyber-enabled thefts on the carbon markets, though an earlier version was proposed during Y2K/Millennium Bug preparations.

In January 2011 over €45m million was stolen from the carbon markets linked to the European Trading System. They were closed on 19 January and fitfully reopened since. Those January 2011 attacks were preceded by attacks in 2009 and 2010. One 2010 phishing theft of 250,000 carbon emission permits netted €3 million and also closed the markets. The authorities did virtually nothing till pushed very hard by the City of London Corporation last year, and even then not much. The insurance response was to launch some products that claimed to guarantee future permit purchases were valid.

Cyber-crime insurance is a market where it is hard to get significant risks underwritten. Market cover is sporadic once demand moves beyond covering a handful of computers (the cyber equivalent of white goods appliance insurance) and fades completely above £100m. Cyber-terrorism, e.g. state sponsored terrorism, insurance does not exist. This market problem resembles property insurance in the UK. Following the 10 April 1992 bombing which devastated the Baltic Exchange for shipping, insurers withdrew cover for acts of terrorism. In response, the UK government rapidly formed Pool Re. At the moment, insurers in the UK can reinsure liabilities from terrorism with Pool Re, typically in excess of the first £75m. A Pool Re member’s retention is proportionate to their participation in the scheme. Interestingly, the exclusions applying to the terrorism cover of Pool Re are in respect of: “war and related risks; and damage to computer systems caused by virus, hacking and similar actions.” Pool Re was emulated by the US after 9/11.

Why don’t we have a Cyber Re (or extend Pool Re) where government helps the insurance industry fund the extreme losses of cyber-crime? As an example, government takes responsibility for business interruption risks above a point, say £100m. Below that point normal insurers write cyber policies which help spread information and best practice and bear the risks up to £X million on any single incident, or £Y million on combined incidents.

It is likely that the business interruption model might be most appropriate. A good example of business interruption or “loss of earnings cover” is The Strike Club, originally for industrial dispute insurance but now providing a wide range of business interruption insurance to shippers, fleets, ports and facilities. In a simple business interruption model, the client states in advance how much a day’s outage will cost and this both sets the premium and the claims, e.g. a day’s outage costs £5m, the retention is the first 2 days, followed by payments for the next 10 days, for a premium of £500,000. When claims are made the estimated day’s outage costs must be reasonable, but otherwise the model is simple.

There are issues, not least clearer definitions of ‘business interruption’, ‘cyber’, and ‘UK business’, to name a few, but with a functioning market, the UK would be more attractive to ICT businesses such as financial exchanges and large internet firms. Cyber Re could confer competitive advantage on the UK. After 1992 bombing, when insurers refused to provide cover against acts of terror, financial services firms said they had trouble locating or expanding in the UK. Cyber Re would give the UK definite attraction to firms that depend on computers, particularly financial and internet firms, as it would be the only country that indemnifies when it fails to protect against cyber-crime at scale. Three points of note:

  • Cyber Re would exist not to insure, but to provide re-insurance, which gives regulators confidence that cyber insurance can be safely underwritten;
  • Cyber Re would focus on creating a club atmosphere, thus encouraging information sharing among members and government, and risk reduction as well as market growth.
  • Cyber Re should be quite small operationally and operate at close to no-cost.

How would we know when government and industry are working together on cyber-crime? A realistic comparison would be burglary insurance. Cyber-crime would be under control when people contract with insurers in commercial terms they understand, with contracts they know and financial risks and rewards for good behaviour they can assess.

Discussions with government bodies, military institutions, insurance brokers, underwriters, insurers, reinsurers, financial markets firms, trade bodies, lawyers, ICT firms, think-tanks and academics, have been encouraging – financial and ICT services would like the cover; insurers would like the reinsurance; government entities see the gains. Perhaps the real goal for government is to create a framework where insurers want to write cyber-crime business, because they know it pays.

[An edited version of this article appeared as "Cyber's Empty Space" Financial World, IFS School of Finance (December 2012), page 39.]