Learn From Insurance: Cyber Bore

By Professor Michael Mainelli
Published by Journal of Risk Finance, Volume 14, Number 1, Emerald Group Publishing Limited (January 2013), pages 100-102.

“The certainty and confidence that insurance provision brings to all our daily lives, whether business or personal, enables us to breathe more easily, to find the confidence to let innovation flourish and to engage with the present and the future, chastened by the past but not allowing the fear of the possible to paralyse us in the present.”
[Mary McAleese, President of Ireland, remarks to the European Insurance Forum, RDS Concert Hall, Dublin, 30 March 2010]

When problems are boring enough to be insured, perhaps they have arrived. At the moment, certain markets are far from boring. In January 2011 over €45 million was stolen from the EU Emission Trading Scheme carbon markets in several ‘cyber crime’ incidents. Carbon markets were closed on 19 January 2011 and have fitfully reopened since at much lower values. The January 2011 attacks were preceded by attacks in 2009 and 2010. A 2 February 2010 phishing theft of 250,000 carbon emission permits was reported to net €3 million and also closed the markets. Other financial markets, witnessing the slow responses of European authorities, have questioned the basic links between government bodies and their own markets’ protection.

In our 2011 book, “The Price of Fish: A New Approach to Wicked Economics and Better Decisions”, Ian Harris and I argue that wicked solutions need to blend four streams of thinking – choice, economics, systems and evolution. How might that apply to cyber-crime? Cyber crime needs to be viewed from a number of perspectives. No political, economic, technical or legal solution alone will work. Perhaps the most useful comparison is between cyber-crime and boring ‘normal’ crime, where we are able to purchase insurance. A realistic comparison would be burglary insurance. People contract with insurers in commercial terms they understand, with contracts they know and financial risks and rewards they can analyse. Cyber-crime would be ‘normal’ when ordinary businesses can readily buy cover for it in the way they buy burglary or fire cover.

But current cyber-crime insurance is a weak market where it is hard to get significant risks written. Cyber-crime (e.g. “e-risk business protection”) insurance typically covers crisis management costs, customer notification expenses, data extortion, professional services, multimedia liability (e.g., defamation, copyright infringement), security & privacy liability, and privacy regulatory defence & penalties. In the USA, this market is driven by legal requirements to inform customers of personal data breaches, but does little for business interruption. Market cover is sporadic above small networks and fades completely well before the levels needed to cover a major exchange or online institution.

Cyber-crime at scale is indistinguishable from cyber-terrorism. State actors may be involved. In fact, it is likely that only failed or corrupt states would allow large-scale attacks to originate from their territory. So firms are sensitive about the commitment of their state to protect them from incursions of substance, whatever the source. Cyber-terrorism insurance (e.g. cover against state-sponsored terrorism) doesn’t exist. A realistic economic goal for governments is to create a framework where insurers want to write cyber-crime and cyber-terrorism business, because they know it pays. And this means blending choice, economics, systems and evolution.

The carbon market problems resemble terrorism property insurance problems. Following London’s 10 April 1992 bombing which devastated the Baltic Exchange for shipping, international insurers withdrew cover for acts of terrorism and the UK government formed a reinsurer, Pool Re, rapidly by 1993. As a reinsurer, Pool Re helps other insurers provide policies directly to property owners and backs up insurers’ capital with regulators. At the moment, insurers in the UK can reinsure liabilities from terrorism, in excess of the first £75m, with Pool Re. A Pool Re member’s retention is proportionate to their participation in the scheme. The only exclusions applying to the terrorism cover of Pool Re are in respect of: “war and related risks; and damage to computer systems caused by virus, hacking and similar actions.” The USA has a related programme in The Terrorism Risk Insurance Act (TRIA), as modified and extended through TRIEA (known as the TRIA Extension Act).

Could we have a Cyber Re (cyber reinsurer) where government helps the insurance industry fund extreme losses? As an example, government takes responsibility, via a reinsurance club, for risks at the highest levels. Below that level normal insurers write cyber policies which help spread information and best practice. Reinsurance helps form successful commercial insurance markets by providing assessable mutuality for random events. Cyber Re can increase supply by spreading large losses and (over time) playing a role in establishing a body of data to support more accurate pricing of the risk. It also helps demand by promoting an understanding of cyber risks and the financial value of defending against them, especially through technological defences.

It is likely that the business interruption model might be most appropriate. A good example of business interruption or “loss of earnings cover” is The Strike Club, originally for industrial dispute insurance but now providing a wide range of business interruption insurance to shippers, fleets, ports and facilities. In a business interruption model, the client states in advance how much a day’s outage will cost and this both sets the premium and the claims, e.g. a day’s outage costs £5M, the retention is the first 2 days, followed by payments for the next 10 days, for a premium of £500,000. When claims are made the estimated day’s outage costs must be reasonable, but otherwise the model is simple.

The following table, partially reproduced from Insurance Day, 7 June 2011 [their source: DatalossDB], of the biggest losses over the past ten years would seem to indicate some sense in the numbers above.

Company | Year | Type | Records
Heartland Payment Systems | 2009 | Malicious software/hack compromises unknown number of credit cards | 130,000,000
TJX Companies Inc | 2007 | Hack exposes credit card numbers and transaction details | 94,000,000
Sony Corporation | 2011 | Names, personal data, possibly credit card details, obtained from PSN/Qriocity users | 77,000,000
Card systems: Visa, Mastercard, American Express | 2009 | Major card processor breached, credit card numbers lost | 40,000,000
RockYou Inc | 2009 | Hackers access user-names and passwords | 32,000,000
US Department of Veterans Affairs | 2006 | Social security and personal data of US military veterans stolen | 26,500,000
Sony Online Entertainment | 2011 | Data, including birth dates, email and credit card details accessed by hacker | 24,600,000

A Cyber Re would:

  • help members to assess their exposure and work with them to plan risk reduction programmes;
  • share best practice in assessment and risk reduction, including the development and use of appropriate standards (e.g. ISO 27000 series);
  • provide controlled risk transfer mechanisms for members who achieve stated levels of risk reduction or undertake risk reduction activities to stated levels of quality.

Cyber Re might confer competitive advantage on any country that adopted it. With a Cyber Re, that country would have definite attractions to firms that depend on computers, particularly financial exchanges and large internet firms, as it would be the only country that indemnifies when it fails to protect against cyber-crime at scale.

So we’ve blended four streams – giving customers a financial choice they can understand, making the risk-sharing economics work, looking at the problem holistically, and providing a system that can evolve standards and prices in line with learning. How would we know when government and industry are working well together on cyber-crime? When one can buy boring ‘normal’ insurance.

About the author

Professor Michael Mainelli FCCA FCSI FBCS, Executive Chairman, Z/Yen Group - After a career as a research scientist and accountancy firm partner, Michael co-founded Z/Yen, the City of London’s leading commercial think-tank, to promote societal advance through better finance and technology. Michael’s third book, based on his Gresham College lecture series from 2005 to 2009 and co-authored with Ian Harris, “The Price of Fish: A New Approach to Wicked Economics and Better Decisions”, won the 2012 Independent Publisher Book Awards Finance, Investment & Economics Gold Prize.