Research by the Australian Reinsurance Pool Corporation will inform the Treasury’s 2021 review of the Terrorism Insurance Act

Australian Reinsurance Pool Corporation has launched the findings of its cyber terrorism research project. The scope of the research included identifying and exploring current and prospective threats, plausible scenarios and the practicalities of extending insurance coverage to include cyber terrorism in Australia.

ARPC commissioned the Organisation for Economic Co-operation and Development (OECD) and Cambridge Centre for Risk Studies at the University of Cambridge’s Judge Business School (Cambridge), to undertake the research.

“Commercial property insurance in Australia does not cover physical property damage caused by cyber terrorism or cyber war,” said Dr Christopher Wallace, ARPC CEO. “The ARPC Scheme, Australia’s national terrorism insurance scheme also excludes coverage for physical damage caused by cyber terrorism.”

“ARPC anticipates that our research will contribute to informing the Australian Government about the risks faced by the economy due to this protection gap. It will be an input into the Treasury’s 2021 Triennial Review of the Terrorism Insurance Act,” Dr Wallace said.

Key findings:         

  • Cyber terrorism is not covered by commercial property insurance in Australia, and the terrorism reinsurance scheme administered by ARPC excludes cover for cyber terrorism.
  • The scenario analysis conducted by Cambridge CCRS demonstrates that the average expected losses from two modelled scenarios are consistent with the expected losses from a traditional explosive blast attack in the CBD and are within the capacity of the ARPC scheme.
  • The maximum losses from the two modelled cyber terrorism attacks are substantial and exceed the capacity of the ARPC scheme.
  • According to OECD, the German, Spanish and South African pools provide direct insurance coverage without cyber exclusions.
  • For the reinsurance or co-insurance schemes in Austria, Belgium, France, Netherlands, United Kingdom and the United States, cover for cyber-terrorism is included to the extent it is covered in the underlying policy.
  • In the reinsurance schemes in France and the UK, cyber-terrorism cover is explicitly included.
  • In India and Russia cyber-terrorism is explicitly excluded, as is the case in Australia.