State-sponsored and war-related cyberattacks could be included in the UK’s terrorism reinsurance scheme to guarantee victims receive payments. Such incidents are often not covered by standard cyber insurance policies, leaving victims out of pocket.
Insurance industry leaders have reportedly kicked off talks with the Treasury to discuss whether government-backed terrorism emergency fund Pool Re might be tweaked to cover these two types of cyberattack. The Treasury has yet to take a position on the matter, according to the FT, which first reported the talks.
Pool Re, or Pool Reinsurance, was founded in 1993 by the UK insurance industry in cooperation with the government, in the wake of the IRA bombing of the Baltic Exchange in 1992. Its members comprise most insurers in the UK. Membership provides a guarantee that the insurance policy for an act of terrorism can be covered regardless of how high the policy may be, thanks to the government’s backing.
Pool Re could cover state-sponsored cyber crime
The insurance industry is struggling to adapt to the growing threat posed to businesses by cybercrime. A rapid increase in the number of incidents has led to growing demand for cyber insurance, but many insurers are not keen to provide policies that could leave them facing a hefty bill.
As such, premiums are on the rise. Research from security company Panaseer shows that 82% of insurers believe that prices will continue to rise for the next two years. “Increasingly sophisticated threat actors and costly ransomware attacks are having the biggest impact on rising premiums,” the report says.
Industry body the Lloyd’s Market Association (LMA) sought to mitigate part of this risk through the drafting of four clauses designed to protect insurance companies from excessive liability. When implemented, they exclude coverage of any damage caused by “war or a cyber operation that is carried out in the course of war,” including “retaliatory cyber operations between any specified states,” reads one of the clauses. It goes on to list the countries China, Japan, Russia, France, Germany, America and the UK.
As the cost of breaches mounts, companies are questioning why they aren’t entitled to compensation, but without some sort of government backing, whether from Pool Re or elsewhere, the cyber insurance market will not have the means to cover the cost. “They don’t have enough money for everyone. The amount of money necessary to cover the potential clients is too great,” Andrea Rebora, cybersecurity associate at PwC and a PhD candidate at King’s College London, told Tech Monitor last year. “It’s an absurd amount of money.”
If there is a large-scale cyber event that affects numerous companies, it may therefore be up to the government to foot the bill, argued Lori Bailey, chief insurance officer at Corvus Insurance: “If there is some sort of large-scale cyber event, could the private sector and the insurance industry withstand that? Ultimately I think it would take something from the public sector in order to manage any kind of large-scale catastrophe,” she said.