The Big Question: Are risk pools the answer to growing cyber risks?

February has seen the announcement by the Cyber Monitoring Centre (CMC) that it will begin to officially categorise cyber events impacting UK organisations.

With its origins in an idea from members of the insurance industry, the Cyber Monitoring Centre is an independent, non-profit organisation responsible for analysing and categorising cyber events that impact UK organisations.

In a statement the CMC said it will deliver a “consistent and objective framework to assess the severity of major cyber events as they occur, categorising incidents on an easy-to-understand scale from one (least severe) to five (most severe)”.

CMC chair Ciaran Martin said measuring the severity of incidents has proved “very challenging”.  The CMC will categorise cyber events that have a potential financial impact greater than £100 million, affect multiple organisations and where there is data or information available to enable assessment.

In launching the scheme CEO of the CMC, Will Mayes, said: “The risk of major cyber events is greater now than at any time in the past as UK organisations have become increasingly reliant on technology.”

However while incidents can now be categorised the rising threat of a systemic cyber event is still a major cover for the (re)insurance industry amid ongoing concerns about the scale of exposures and the ability of the industry to react to such an event.

It has led to the debate and to whether there needs to be a public-private solution to intensify.

Ian Summers, Global Business Leader, AdvantageGo.

Oliver Brew, cyber practice leader, International, Lockton Re, says: “Clearly the reliance on technology is only growing greater. The internal debate over the market’s response to war risks and a systemic event which has the potential to be existential to the market highlight the concerns for many over exposures.”

Lockton Re has published a new report on the threat of systemic cyber incidents which it says highlights the need for government-backed risk pools to be created.

The report, Cyber Risk Pools and Public Private Partnerships – Time to dive in?  asks whether if a very unlikely, but potentially very significant, cyber event occurs, how should the insurance industry and governments address the challenge it would create.

Brew adds: “There is an emerging consensus of what the challenge to be addressed is, and the need for partnership between industry and government. Understandably, major questions exist about the nature and mechanics of how it could operate.

“Given the still limited adoption of cyber insurance by small and medium-sized businesses, a government supported cyber risk pool would encourage increased adoption and build resilience. In the context of cyber insurance, a catastrophe is conceivable in the coming years which could far exceed the private insurance market.”

He adds public private partnerships had been successful in other risk areas such as the UK’s Flood Re, the Australian Reinsurance Pool Corporation and the US Terrorism Risk Insurance Program.

“Governments have stepped in to support communities in times of extreme need and, in many cases, have contributed more to the financial recovery following a shock event than the private insurance market.” Brews continues. “There are legitimate concerns which have been expressed about the principle of a backstop, as well as the many complexities and practicalities of enacting one.

“A government-backed cyber risk pool arrangement in isolation is not a panacea. However, in conjunction with other measures including ongoing improvements to security standards, it can form a major support in building societal resilience and closing the cyber protection gap.”

Brew says that the engagement with government has to be strengthened to ensure that the market and with it the policyholders are prepared for a major event.

“There is a conversation which needs to be underway,” he adds. “There have been some success stories where risk pools  have built resilience and leveraged government balance sheets for the benefit of both governments and the private sector.

“We have a history of reacting after a major event has occurred and when the event has already created a degree of havoc. Take 9/11 and the establishment of Pool Re in the UK as examples of where the market has been required to respond post event when it has become clear that the risks are at a point where they will test the market’s ability to react.

“What we need to do is have these discussions with governments to create the foresight to have the ability to better address the risks.”

“There needs to be a wider effort with different governments to explore the risks and the effects,” Brews continues. “The conversations have increased both in volume and in quality as the cyber market has gone from curiosity to a relevant class and this has come with a recognition of the need for greater cyber hygiene, resilience and informing the clients as to how companies need to engage with cyber security.”

Brews adds: “There are always other priorities for government but this is not another budget item on the agenda. This will benefit government both financial and in terms of greater resilience.”

He explains: “There are a lot of legitimate questions and there are challenges around how these can be structured, the jurisdictions and potential minimum standards. But people have shied away from the conversations.

“The issue has created two camps. There are those that even beginning the conversation around the involvement of government in the private market will see them refuse to engage and there are those who are already of the view that we need greater regulations around the risks.”

Brew adds: “We should be welcoming the ability to have the dialogue and the questions that will raise. As a broker we are well placed to inform the conversation without having a pre-determined outcome in mind.

“We need to have the conversations and discuss the lexicon of what a major cyber event actually means.”

He says that the potential risks are such that the conversation has to be had and if there is a decision not to engage with governments then at least there is an understanding as to the reason not to.

“Inaction is a decision in itself,” Brew explains. “If we do nothing, we will only have ourselves to blame if the worst were to happen. We have the tools to start a meaningful discussion.

“It is a conversation for all governments to be having.”