A cyber insurance ‘pool’ might be the only way to insure cyber exposures


A public-private partnership may be the only way to cover the huge risk posed by cyber, delegates at a StrategicRISK event in Singapore heard.

Speaking at a gathering of risk and insurance professionals at the Westin Hotel, Zurich Singapore chief executive Jonathan Rake said the biggest challenge from an insurance perspective is not knowing the potential systemic risk that’s attached to cyber.

Insurers globally have been worried about their exposure because cyber risks are hard to model and, as Rake pointed out, often systemic. A breach in a widely used system can bring down systems globally, leaving insurers on the hook for simultaneous, multibillion-dollar payouts.

As a result, the insurance industry has been criticised for the restrictions it places on the cover offered and accompanying high premiums.

Rake said: “By bringing the public and private sectors together, enforcing regulation and bringing in companies like ourselves to advise and provide some capacity, you’re creating a new industry effectively and I think it’s a very interesting and positive way of not only building awareness but also expertise through this learning period.

“The cyber insurance market in Singapore will be fuelled by regulation, but really that’s just a framework; it’s actually the public-private enterprise combination that I think is going to develop the market here,” he said.  

A risk director from a transport firm agreed.

He cited state-backed schemes that provide cover for other macro risks such as terrorism and flood when the insurance market was unwilling to do so independently, including Pool Re and Flood Re in the UK and the Australian Reinsurance Pool Corporation.

“Terrorism pools are fine examples of governments and businesses coming together to create an insurance product – albeit a compulsory one – where everybody shares the risk,” he said.

“And a cyber pool might be the only way to insure cyber exposures because the risks are just so huge that perhaps no amount of premium is going to be enough to bear the cost of the mountain.”

Self-insurance was also suggested as a way for firms to mitigate their cyber risks if they found cyber insurance too expensive.

“We are exposed anyway – the question is what is your risk tolerance? Once you define that, then you can set aside a self-funding pool in your own company, within your own balance sheet, for contingency losses if you’re hit by a cyber attack,” one delegate said.

But FireEye Asia-Pacific chief technology officer Bryce Boland offered a word of warning about a public-private cyber solution.

“I’d caution that we must be wary of using public funds to pay for the failings of duty of care and diligence in operating private institutions,” he said. 

“As with bailing out the banks, we risk privatising the benefits (less investment in data protection and security) and socialising the losses (the public providing cover for security failures).”

Many experts also predict the uptake of cyber insurance will follow stricter regulation.

Currently the US is the only country to have a breach notification law, whereby companies that are victims of a cyber attack are required to let their customers know.

Insurance uptake has increased as a result of this legislation, with insurance policies typically covering the costs of the notification process, forensic investigations and legal costs.

Delegates at the event heard it was only a matter of time before the rest of the world followed suit.