The terrorism threat is changing, Enoizi said. It has evolved from the traditional methods employed by the Provisional IRA, and terrorists’ access to technology is increasing daily. This evolution presses new responsibilities onto governments to provide safe environments for their citizens and has widened the gap between what the market will cover and the taxpayer’s potential liability. Citing recent UK Government data, Enoizi reported that 90 percent of large UK companies have suffered a security breach within the last year, and that the average cost of a cyber attack has doubled since 2014.
Cyber is unlike any other peril, because of its theoretical ability to affect almost any insurance class. This significantly impairs (re)insurers’ ability to allocate capital, to model losses with confidence, and, as a result, to price insurance products accurately. The gap between the available global insurance capacity and market exposure has become increasingly stark: market capacity stands at approximately USD 500 million, but the exposure is estimated to be more than USD 130 billion.
The challenges of understanding the threat may be one reason that market capacity falls so far short. However, something can be learned from experience. Cyber attacks, whether by terrorists or otherwise, and physical terrorism share clear parallels:
•Both can correlate across multiple lines of insurance, making aggregation a key issue.
•Neither is a naturally occurring peril, therefore difficult to model from the perspectives of severity and frequency. Little relevant historical data exists to support modelling or pricing.
•They are fast moving, evolving, and dynamic threats.
•Nation-state involvement is highly influential, but may be impossible to identify.
However the differences are important:
•Unlike terrorism, where weapons of mass destruction are heavily guarded by nation-states, cyber weapons developed by nation-states find their way onto the dark web very quickly. This is of enormous concern.
•It seems less complex for nation-states to prevent conventional crime and terrorism than to prevent malicious cyber attacks. Accessibility enabled by the internet is a key weakness, and crimes can be perpetrated from beyond the reach of normal prevention agencies.
•IT security techniques and awareness need improvement. Hackers seem able to break into even the theoretically most secure of websites.
•The internet of things means that everything is connected – so how can this risk be understood or contained? If it cannot, how can it be insured? It could pose a systemic risk.
Within the broad spectrum of cyber perils lurks the potential future threat posed by cyber terrorism, perpetrated by organisations such as the Cyber Caliphate Army, the self-declared ‘cyber army’ of Daesh. The Pool Re scheme excludes cyber, but this limitation is being reviewed. The Judge Business School at Cambridge University has been engaged to undertake a study of cyber terrorism, and once complete, Pool Re will evaluate the elements of the threat which the scheme might offer to insure. The ultimate aim is to provide economic resilience to the catastrophic, systemic exposures which are normally the responsibility of government, and thereby enabling the market to operate effectively within the cyber sphere.
Enoizi concluded his speech by stating that cyber remains an ‘unknown known’. The risk is evident, but accurate modelling is problematic. The risk appears unacceptable to the commercial market, and the state has a responsibility to take on systemic risk that the market cannot assume. Reinsurance pools, such as Pool Re, have a long history of providing an effective ‘buffer’ to the ultimate liability faced by the taxpayer. Such schemes also have an enabling effect on the market, by removing the systemic risk and allowing the market to innovate new risk management products. A market-oriented, as opposed to a levy-based means of creating disaster pools, has been very successful in the case of Pool Re’s ability to manage the exposure to the taxpayer. The scheme has paid out more than GBP 600 million without any direct cost to the Government, or by increasing regulation and taxation to the market.
The development of wider disaster pools, structurally akin to Pool Re, provides a model to mitigate against systemic risk in many of the great challenges of our age, such as climate change and pandemics, and may provide a solution for the cyber threat. Finally, effective collaboration between the private and public sectors in forming disaster pools should be aimed at finding solutions that ensure the optimum balance between the state and the market’s responsibilities, with the ultimate aim of enabling the market to operate and enhancing the resilience of the British economy against the future effects of terrorism.