A new report from the EastWest Institute has argued that the creation of government backstops in the form of private reinsurance pools will be one of the key pillars in enabling the insurance industry to guard against systemic cyber risk and avoid catastrophic losses.
The non-profit thinktank suggested that such an approach would increase the overall capacity of the market to handle a major, multi-market loss.
It advocated for a model similar to those already created to handle terrorist events, such as the Terrorism Risk Insurance Act (TRIA) in the U.S. and Pool Re in the UK.
“Due to the innovative and evolving nature of the insurance market, the insurance industry is not currently seeking to establish a backstop program,” the report stated.
“Nevertheless, with the increasing accumulation of cyber risk and cyber-related dependencies, incidents may result in claims beyond the insurance market’s current capacity. Governments should consider creating a targeted backstop program for systemic cyber incidents.”
Such a program, EastWest claimed, would include an agreement between a government and a private reinsurance pool, in which the government would cover a proportion of the losses from a cyber incident above a certain threshold.
Prior to the coverage of losses by the government, a designated official would certify that the systemic cyber incidents resulted in catastrophic losses to the re/insurance industry and are eligible for coverage under the legislation.
The program may also include a requirement that all primary insurers offer cyber coverage to commercial clients, multi-line coverage, and incentives for consumers and service providers to invest in cybersecurity.
EastWest also recommended that the re/insurance industry should further explore insurance-linked securities (ILS) and catastrophe bonds as a means to strengthen the cyber market and provide additional capacity.
This capacity, however, will likely need to be leveraged in conjunction with a number of other approaches to fully engage with the challenge of systemic cyber risk, analysts said.
These include enhancements to cyber insurance underwriting ability through the use of existing cybersecurity frameworks, data, in-house cyber expertise, and the harmonisation of underwriting practices based on international security standards or sector-specific requirements.
Another approach would require insurers to develop new business models by partnering with cybersecurity and technology companies, EastWest said, as well as exploring advanced analytics, promoting loss control products, and tying financial incentives to cybersecurity practices.
Finally, re/insurers will need to increase the transparency and uniformity of their policy language to reduce uncertainty around the definitions of cyber incidents, coverage types, and triggers, particularly in regard to key terms such as ‘act of war,’ ‘state actors,’ and ‘state cyber attacks.’
“Cyber risk is a dynamic and growing threat to industry and infrastructure alike, with the potential to inflict catastrophic damage in the event of a systemic incident,” notes Bruce McConnell, EWI Executive Vice President and a co-author of the report. “The report offers a framework to understand the complexities of systemic cyber risk—underscoring the importance of both enhancing insurance underwriting ability and strengthening cyber resilience across interconnected systems.”
“Cyber insurance has grown into an important component of industry’s risk mitigation strategy, so it’s vital that we have a sustainable cyber insurance market,” added Matt McCabe, Senior Vice President, Cyber Practice at Marsh, and a contributor to the report.
Raj M. Shah, Co-CEO at Arceo.ai, also commented: “Companies are doing a better job of assessing cyber risk through automated tools and advanced analytics, but there remains a need to integrate these efforts with insurance underwriting for meaningful cyber risk management.”
“The recommendations in the report are geared towards an approach where insurance providers, brokers, and enterprises share specific risk data to enhance everyone’s ability to measure and manage cyber risk in real time,” he explained.