The case for cyber TRIA
Emily Selck, director of strategy at Baldwin Risk Partners’ cyber centre of excellence, says it is time for the government to provide the insurance industry the cyber cat backstop it needs.
Zurich CEO Mario Greco made headlines in December when he told the Financial Times that cyber will soon become uninsurable. “What will become uninsurable is going to be cyber. What if someone takes control of vital parts of our infrastructure, the consequences of that?” he opined.
To his point, if a nation-state actor truly shuts down critical technology or utility infrastructure in the United States – is that insurable? If a technology provider has an endemic vulnerability that impacts thousands of companies globally – is that effectively insurable? Greco goes on to say in the article: “there must be a perception that this is not just data … this is about civilisation. These people can severely disrupt our lives”.
The idea of infrastructure-wide losses is not news to those cyber insurance carriers that are taking a more thoughtful, yet somewhat panicked, approach to underwriting after two years of staggering cyber insurance losses. The Russia-Ukraine conflict restarted the conversation around war and war-like acts, and how war as a peril has morphed with new technologies. The Biden administration’s National Cybersecurity Strategy attempts to shift liability onto technology providers rather than their customers and consumers. Both relate to the infrastructure exposures cyber risks pose that keep insurers in a tenuous position.
The past is often prologue. Indeed, Greco’s opinions may sound familiar as his sentiments are similar to those that led to the establishment of the Terrorism Risk Insurance Act of 2002 (TRIA). This paralleled traditional uninsurable risks. War had historically been excluded under commercial policies, but terrorism had changed the scope of that consideration. In the wake of 9/11, insurers paid out around $40bn in losses. But it became clear that the exposure was far broader for an industry with over $6bn in terrorism capacity globally. Not surprisingly, the insurance industry was in a state of emergency. As a result, Congress acted and TRIA was established.
The Insurance Information Institute outlines the industry’s concerns regarding terrorism risk: historical data is scarce, acts of terrorism are not random, and they are often geographically concentrated. This logic is analogous to Greco’s (and likely other insurance executives’) thinking as it relates to cyber perils. The rapid shift in the marketplace in late 2020 is attributed to the increase in frequency and severity of losses from ransomware. These losses were highly unpredictable and created a shift in actuarial models that was difficult, if not impossible, to predict. Many cyber claims are caused intentionally and cyber attacks by their nature are intentional; there could be political, social or economic motivations similar to terrorism, hence the often-utilised moniker “cyberterrorism”. Lastly, the geographic nature of the attacks is specific to property, but the frequency of attacks creates a similar aggregation risk.
TRIA was not the only time that the government took action to assist the insurance industry in a time of distress – the National Flood Insurance Program (NFIP) was established in 1968. This was a reaction to the lack of commercially reasonable insurance for consumers and businesses located in flood plains. The interesting aspect of this program is that it was integrated into the Federal Emergency Management Agency, allowing for expertise to be applied to the claims handling and mitigation of floods. This integration has been largely successful and efficient.
With the recent announcement from the Biden administration on the Cybersecurity Strategy, it is clear that the federal government is becoming increasingly aware of the impact of cyber attacks and breaches on businesses. The White House states:
- We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organisations that are most capable and best-positioned to reduce risks for all of us.
- We must realign incentives to favour long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.
Part of that resilient future will present an obvious solution in the formation of a federal cyber insurance program similar to TRIA and NFIP. The blueprint of NFIP’s cooperation with federal agencies and the insurance marketplace could impact these goals in a meaningful way. A comprehensive solution should include the following:
- Creating a financial backstop in the event of an endemic cyber event perpetrated by a threat actor causing harm to our supply chain, infrastructure, or other targeted attacks on business
- A coordinated approach to responding to threat actors, bringing to bear the full weight of private sector experts and government agencies tasked with keeping the US secure
- Mandatory reporting repositories to provide better data to create better resiliency solutions, fulsome actuarial data, and track down perpetrators
- Allowing insurance carriers to provide their proprietary and competitive solutions for non-endemic events and breaches of privacy that are not coordinated by state actors
Just like property insurance in the past, the industry will need the cyber insurance marketplace to function as it has. It is important to remember that routine, non-systemic claims are often being paid efficiently and effectively via existing cyber insurance policies. Cyber insurance is alive and well and provides a critical service to those who are victims of cyber attacks, social engineering and human error. It is now time for the government to provide the catastrophic support the insurance industry needs. Precedent shows that our industry supports our financial ecosystem and provides resources and solutions to policyholders in their gravest times of need.