Source: www.securityweek.com – Author: Kevin Townsend.
Category & Tags: Cyber Insurance, Government, Cyberinsurance, Featured
The cyberinsurance industry is lobbying for a government backstop. The government is not averse in principle. But what is an insurance backstop, and is one necessary?
In conversation with SecurityWeek at the end of January 2023, Chris Storer, head of the cyber center of excellence at reinsurance giant Munich Re, confirmed that the cyberinsurance industry is talking to governments, seeking a cyberinsurance backstop.
On March 1, 2023, the US government published its National Cybersecurity Strategy. Section 3.6 of the Strategy (Explore a Federal Cyberinsurance Backstop) states, “The Administration will assess the need for and possible structures of a Federal insurance response to catastrophic cyber events that would support the existing cyberinsurance market.”
A federal cyberinsurance backstop has been requested by the industry and is being considered by government. Whether the industry needs one, whether it will get one, and whether it can survive without one, is what we will discuss here.
“A governmental backstop,” explained Storer, “is essentially a guarantee by governments that they would step in as the capacity of last resort in the case of a truly catastrophic unmanageable systemic risk.”
In simple terms, a government backstop would be a federal guarantee that it would step in if the industry is confronted by a widespread, devastating cyber event that could threaten the industry’s ability to meet the claims and remain in business.
Andrew Moss, insurance recovery litigation partner at Reed Smith, added, “The government becomes a last resort insurer of the policyholder – it is not intended to add funds to the insurance industry, but to protect the industry from systemic risk and to protect the policyholder in the event of systemic risk.”
Kiran Boosam, VP of global insurance at Capgemini, added, “It refers to a pool of resources offered by the government to help make certain insurance coverages more affordable in areas of concentrated risk.”
A UK version of a backstop, called Pool Re, was established in 1993 following the IRA bombing of the Baltic Exchange. Pool Re is a mutual reinsurer comprising most insurers and Lloyd’s syndicates that offer commercial property insurance in the UK, and is underpinned by HM Treasury. Membership of the scheme guarantees coverage of any related losses, regardless of scale.
Cyberinsurance, by its nature, covers conflict – either between criminal attackers and their targets, or nation-state attackers, or terrorists and their targets. “Conflict in any form makes insurers nervous,” comments Matt Middleton-Leal, MD, EMEA North at Qualys. “During World War I, the insurance industry considered excluding war-related losses from maritime policies. The negative impact of this was people did not want to send their ships to sea, so vital maritime trade could have halted. To avoid this, the British government provided a backstop, effectively taking financial responsibility for merchant ships sunk by enemy action. Today’s cyber security sector is looking at the same approach for cybersecurity.”
The cyberinsurance industry’s concern is over unmanageable risk – what it calls systemic risk. “A systemic risk,” Storer told SecurityWeek, “is an issue that not only impacts a single risk, but can actually impact a significant proportion of a portfolio. The loss potential from an unmanageable systemic risk could be so huge that it would not merely impact the solvency of a company like Munich Re, but could put into question the entire insurance industry.”
It is reasonable to suggest that the cyberinsurance industry was put on red alert over potential systemic cyber risk by the NotPetya incident. In the event, claims were not unmanageable. Affected companies with cyberinsurance had their claims met by the insurance industry. But some companies did not have a separate cyberinsurance policy, and claimed against the ‘all risks’ aspect of their business insurance. The insurers refused to pay saying that the incident was excluded by the standard ‘war exclusion’ clause in business policies.
The result was confusion. In January 2022, a New Jersey court ruled in favor of Merck in its $1.4 billion claim against Ace American Insurance Company, finding that the war exclusion did not apply to NotPetya. The court’s position was that if the insurance industry wished to rely on a war exclusion in its policies, the wording would have to be more explicit. Lloyd’s issued a market bulletin in August 2022 requiring underwriters to include “a suitable clause excluding liability for losses arising from any state backed cyberattack.”
The definition of a ‘state-backed cyberattack’ may well become something for the courts to decide in the future. In the meantime, the insurance industry has been made aware that a single cyberattack may have widespread and massive ramifications, and currently its only recourse is through exclusions and/or increased premiums. Neither is good business practice.
A different example of a truly systemic risk is current today. It is not cyber related but is tangentially war related. Russia seized around 500 commercial aircraft owned by foreign leasing companies after its invasion of Ukraine. The owners are now suing Lloyd’s of London insurers, who have refused to pay around $10 billion in claims. A court case is scheduled for next year.
David Howden, founder and CEO of Howden Group Holdings (an international insurance group) told the Telegraph newspaper, “The insurance market cannot be a systemic backstop for a war between the UK and Russia. And it’s not designed to be. No policies cover it. Otherwise, if we covered it all, it would end up with the Government anyway – we’d all go bankrupt.”
The cyberinsurance industry is concerned that a putative future cyber incident, not effectively covered by a war exclusion clause, could spread to cause a systemic risk that would threaten the entire insurance industry. This, it contends, is in no-one’s best interests.
There are several issues concerned with a government backstop that need to be discussed. The first is validity, the second is effect, and the third is funding.
Validity
“There is precedent for creating a cyber insurance backstop in the US,” notes Alex Iftimie, co-chair of Morrison & Foerster’s global risk and crisis management group, “with the Terrorism Risk Insurance Program, which helped stabilize the insurance market post-9/11 and ensure that organizations could continue to find affordable terrorism risk insurance.”
But does precedent provide current validity – does the cyberinsurance industry need or deserve a backstop? “As a cyber security purist,” Middleton-Leal told SecurityWeek, “my gut reaction tells me they don’t.” He doesn’t object to the insurance industry in general, nor to its need to make a profit. “It’s more a frustration that organizations that are breached, nine times out of ten, are exposed via some well-documented vulnerability in their cyber defenses that was not fixed. It’s hard to stay ahead of the threats, but there are no excuses for not doing the basics.”
This is not an uncommon view. Many cybersecurity professionals believe that neither increasing premiums nor government support is the solution; the solution is better cybersecurity practice in business. This can be driven by insurance becoming more closely aligned with security, and to be fair, this is in progress. If premiums are based on realistic assessments of security posture, then better security will lead to lower risk and lower premiums.
Cowbell is one vendor firmly aligned with this viewpoint. It provides an AI-based continuous cyber risk awareness platform specifically designed to demonstrate insurability to underwriters. On April 12, 2023, SecurityScorecard published a joint study conducted with Marsh McLennan Global Cyber Risk Analytics Center that shows the seven risk factors that are most predictive of a breach. The implication is clear – better cybersecurity can reduce the likelihood of a breach and lead to lower insurance premiums, while poor cybersecurity could lead to higher premiums or a refusal by the insurance industry to accept the risk at any price.
“The one positive spin on this,” continued Middleton-Leal, “is that the lack of a backstop might make boardrooms get more involved in cyber security.” While all of this may be true, in the final analysis it does nothing to solve the hypothetical – but eminently possible – threat of a severe cyber event causing widespread catastrophic damage beyond the capacity of insurance to cover. The potential knock-on effects of a catastrophic ransomware/wiper attack against a critical industry make those industries difficult to insure, regardless of their security posture.
Effect
“The problem with a broad government backstop of unpredictable risk like cyber breaches is that it tends to lead to more moral hazard and risk taking. For instance, the government-backstopped flood insurance tends to increase the development of property in floodplains,” comments Taylor Wakefield, COO and co-founder of Teleport. “The government should be keeping up with the best-in-breed security practices, creating requirements and shifting liability to those that don’t follow those requirements.”
This last point, incidentally, is also broached in the National Cybersecurity Strategy, but with specific reference to security vendors. Section 3.3 (Shift Liability for Insecure Software Products and Services) states, “We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security program cannot prevent all vulnerabilities.”
The possible effect of introducing a cyberinsurance backstop isn’t yet understood and requires further study. “The key question is whether such a backstop would help reduce cyber insurance costs and promote cyber policies that offer more comprehensive coverage to consumers,” says Iftimie.
“We’ve seen some cyber insurers cut or limit coverage for state-sponsored attacks as well as for certain widespread cyber events, which could result in gaps in coverage in the event of a catastrophic national cyber incident, precisely when insurance is most needed.”
The purpose of a backstop would be to make cyberinsurance more widely available and affordable to the whole market – but it isn’t yet clear whether this can be achieved. Moss warns that a backstop on its own could have a detrimental effect. If a backstop is provided without a required linkage between insureds’ security posture and premiums, “insurers’ capacity is substantially released from constraints. Suddenly, there’s too much insurance available – and the result is effectively a race to the bottom from an underwriting perspective.”
Funding
In its description of ‘shifting liability’, the government makes no connection between vendors’ liability and insurance liability. Nevertheless, funding for any backstop would have to come from somewhere. The two primary options are Federal funds (which is effectively a tax on all taxpayers), or a specific levy on the stakeholders concerned.
The first option is politically problematic. The second was used in the Terrorism Risk Insurance Act of 2002, passed in response to the terrorist attacks of September 11, 2001. This is essentially a terrorism insurance backstop whose federal outlays are recouped through surcharges on private policyholders, covering a wide range of different policies.
The problem for cyberinsurance is that a levy against cyberinsurance policyholders would increase already steep premiums, and could hinder rather than aid the cyberinsurance industry. Consequently, “It could end up being taxpayer funded with the federal bank being on the hook,” Moss told SecurityWeek.
That said, the Administration’s desire to shift liability for poor security onto the vendors of poor security products opens the possibility of a tax against security vendors, or the collection of non-compliance fines, to offset the cost of a cyberinsurance backstop.
The Administration is clearly not against the principle of providing a federal cyberinsurance backstop, but the details of how it would be administered, what it would cover, and how it would be funded are all pertinent to the decision on whether it can be provided.
The difficulties in designing, providing, and funding a cyberinsurance backstop in the face of a genuine fear that insurers could be faced with a systemic and catastrophic risk leads to an unavoidable question: can the industry survive without a backstop?
The answer is ‘yes’ if it can still make a profit. But achieving a consistent profit will require the industry to redefine a limited cyberinsurance playing field using increased refusals to accept some customers, exclusions from specific risks, and tougher restrictions on meeting claims.
Boosam describes the current landscape, noting that global cybercrime costs are expected to grow by 15% per year over the next three years, reaching $10.5 trillion annually by 2025 – up from $3 trillion in 2015.
“While cyber insurance premiums are rising in response to this increased risk,” he told SecurityWeek, “it is not proportionate to the rise in losses seen by the carriers. Direct written premiums for cyber insurance in the US grew by 92% year on year according to the National Association of Insurance Commissioners (NAIC); but the reported claims rose by 100% annually in the past three years (dated 2021). Claims closed with payment grew by 200% annually over the same period, with 8,100 claims paid in 2021 putting significant loss reserves and profitability at risk. Insurers do need a separate pool of capital to address these large-scale cyber catastrophes to manage their risk better in the current cyber risk environment.”
So, on the current playing field, it will not be viable for insurers to continue to offer coverage for large cyber risk events at current premiums. “The way cyber insurance companies have seen growth so far is through the availability of reinsurance capital,” he continued. “As reinsurers also look to diversify their books, this capital influx will slow down, and potentially, insurance-linked securities might be a way forward. Recently [January 2023], Hannover Re, one of the largest providers in the ILS market, completed a transfer of risk worth $100 million,” forming a bridge between the capital markets and the insurance industry.
The problem is that this new influx of capital does not address the underlying problems of cyberinsurance. Nor is it certain that a government backstop would provide a level playing field for cyberinsurance. Nor does the growing insertion of insurers into insureds’ cybersecurity posture eliminate the ultimate threat of systemic risk.
The only certainty is that all sides, insurers, business, and government, are seeking a solution. Whether a workable backstop can be achieved is the issue. Without one, cyberinsurance may well remain available – but only to the select few that can demonstrate they don’t really need it.
Original Post: https://www.securityweek.com/cyberinsurance-backstop-can-the-industry-survive-without-one/