High-profile cyber-crimes on financial markets have led to significant losses. Cyber-crime insurance is a weak market where it is hard to get significant risks written. Market cover is sporadic above a handful of computers and fades completely above £100 million. Cyber-terrorism, e.g. state sponsored terrorism, insurance doesn’t even exist. This market problem resembles terrorism for property insurance where the government created Pool Re to help in 1993. Why don’t we have a Cyber Re where government helps the insurance industry fund extreme losses? As an example, government takes responsibility, via a reinsurance club, for risks at the highest levels. Below that level normal insurers write cyber policies which help spread information and best practice. With a fully functioning market, the UK would be more attractive to ICT businesses such as financial exchanges and large internet firms.
“The certainty and confidence that insurance provision brings to all our daily lives, whether business or personal, enables us to breathe more easily, to find the confidence to let innovation flourish and to engage with the present and the future, chastened by the past but not allowing the fear of the possible to paralyse us in the present.”
This proposal originated with reactions and inactions to cyber-enabled thefts on the carbon trading markets associated with the European Trading System, though a version of it was proposed in 1997 during Y2K/Millennium Bug preparations. In January 2011 over €45 million was stolen from the carbon markets. Carbon markets were closed on 19 January and have fitfully reopened since. The January 2011 attacks were preceded by attacks in 2009 and 2010. A 2 February 2010 phishing theft of 250,000 carbon emission permits was reported to net €3 million and also closed the markets.
Cyber-crime (e.g. “e-risk business protection”) insurance typically covers crisis management costs, customer notification expenses, data extortion, professional services, multimedia liability (e.g. defamation, copyright infringement), security & privacy liability, and privacy regulatory defence & penalties. Cyber-crime insurance is a weak market where it is hard to get significant risks written. Market cover is sporadic above a handful of computers (cyber equivalent of appliance insurance) and fades completely above £100 million.
Cyber-crime at scale is indistinguishable from cyber-terrorism. State actors may be involved. In fact, it is likely that only failed or corrupt states would allow attacks to originate from their territory. So firms are sensitive about the commitment of the state to protect them from incursions of substance, whatever the source. Cyber-terrorism insurance doesn’t yet exist.
This market problem bears some resemblance to property insurance in the UK in 1992. Following the 10 April 1992 bombing which devastated the Baltic Exchange for shipping, international insurers withdrew cover for acts of terrorism and the UK government formed Pool Re rapidly.
At the moment, insurers in the UK can reinsure liabilities from terrorism, in excess of the first £75m, with Pool Re. A Pool Re member’s retention is proportionate to their participation in the scheme. The only exclusions applying to the terrorism cover of Pool Re are in respect of: “war and related risks; and damage to computer systems caused by virus, hacking and similar actions.”
Why don’t we have a Cyber Re (or extend Pool Re) where government helps the insurance industry fund the extreme losses of cyber-crime? As an example, government takes responsibility for risks above a point, say £100 million. Below that point normal insurers write cyber policies which help spread information and best practice and bear the risks up to £X million on any single incident or £Y million on combined incidents (X and Y might be numbers in the range of 50 to 100). Reinsurance helps form successful commercial insurance markets by providing assessable mutuality for random events. Cyber Re can increase supply by spreading large losses and (over time) playing a role in establishing a body of data to support more accurate pricing of the risk. It also helps demand by promoting an understanding of cyber risks and the value of defending against them.
To get things started – “The risks covered by Cyber Re are first [and third] party losses attributable to information and communications technology (ICT) problems caused by external persons unknown. Losses are determined by reference to historic turnover and profitability of business operations disrupted by significant ICT problems caused by external persons unknown. The calculation of the net income aspect of loss of business income shall be based on an analysis of the revenues and costs generated during each month of the twelve months prior to the loss occurring and will also take into account reasonable projections of future profitability had no loss occurred and will include all material changes in market conditions that would affect the future profits generated.”
ICT is defined as digital information processing machinery and networks. This definition includes embedded circuitry, such as lift/elevator controllers. ICT could include computers, personal computers, personal organisers, mobile telephones, fax machines, motor vehicles, global positioning systems, satellites and telephones. Defining ICT will be important.
The legal form could range from LLP arrangements to corporate structures to quangos, but operationally Cyber Re should have a ‘club’ feel, like the traditional shipping mutuals (P&I clubs) or industrial disputes insurances (strike clubs). The objectives of the Cyber Re club are to provide risk mitigation for members by:
It is likely that the business interruption model might be most appropriate. A good example of business interruption or “loss of earnings cover” is The Strike Club, originally for industrial dispute insurance but now providing a wide range of business interruption insurance to shippers, fleets, ports and facilities. In a business interruption model, the client states in advance how much a day’s outage will cost and this both sets the premium and the claims, e.g. a day’s outage costs £5M, the retention is the first 2 days, followed by payments for the next 10 days, for a premium of £500,000. When claims are made the estimated day’s outage costs must be reasonable, but otherwise the model is simple.
The following table, partially reproduced from Insurance Day, 7 June 2011 [their source: DatalossDB], of the biggest losses over the past ten years would seem to indicate some sense in the numbers above:
| Company | Year | Type | Impact ($) |
|---|---|---|---|
| TJX Companies Inc | 2007 | Hack exposes credit card numbers and transaction details | 94,000,000 |
| Sony Corporation | 2011 | Names, personal data, possibly credit card details, obtained from PSN/Qriocity users | 77,000,000 |
| Card systems: Visa, Mastercard, American Express | 2009 | Major card processor breached, credit card numbers lost | 40,000,000 |
| RockYou Inc | 2009 | Hackers access user-names and passwords | 32,000,000 |
| US Department of Veterans Affairs | 2006 | Social security and personal data of US military veterans stolen | 26,500,000 |
| Sony Online Entertainment | 2011 | Data, including birth dates, email and credit card details accessed by hacker | 24,600,000 |
| Heartland Payment Systems | 2009 | Malicious software/hack compromises unknown number of credit cards | 130,000,000 |
How would we know when government and industry are working together on cyber-crime? A realistic comparison would be burglary insurance. People contract with insurers in commercial terms they understand, with contracts they know and financial risks and rewards they can analyse. A realistic economic goal for government is to create a framework where insurers want to write cyber-crime business, because they know it pays.
With a fully functioning market, the UK would be more attractive to ICT businesses such as financial exchanges and large internet firms. A few points of note emerge from the above:
Cyber Re can confer competitive advantage on the UK. The 10 April 1992 St Mary Axe bombing was a significant catalyst for Pool Re. As insurers refused to provide cover against acts of terror, financial services firms, noting what had happened to the Baltic Exchange, stated that they had troubles locating or expanding in London and the UK generally. With Cyber Re, the UK would have definite attractions to firms that depend on computers, particularly financial and internet firms, as it would be the only country that indemnifies when it fails to protect against cyber-crime at scale.
So far, Z/Yen has held discussions, with support from CityForum, in formal or informal fora with, among others, government bodies, military institutions, insurance brokers, underwriters, insurers, reinsurers, Lloyd’s, financial markets firms, trade bodies, lawyers, ICT firms, think-tanks and academics. Discussions so far have been encouraging - financial and ICT services would like the cover; insurers would like the reinsurance; government entities see the gains. Z/Yen welcomes further discussion on next steps, such as: