There is increasing evidence that a broadly based and appropriately designed public-private cyber reinsurance partnership could significantly improve the resilience of the US economy. That need exists today, but it will get more acute in the coming years and has potentially positive implications for national economic resiliency far beyond financial risk sharing.
After months of consultation between the public and private sectors, the emerging consensus of major stakeholders in the cyber insurance space is that there could be value in a public-private partnership. Assistant Secretary of the Federal Insurance Office, Graham Steele, has rightly pointed out the need to design an appropriate structure but described a widespread industry view that “a well-designed federal insurance response could address the risks of tail events while incentivizing healthy private sector practices”.
The gap between what is needed to support the US economy in a catastrophic cyber event and the coverage that is provided by the private sector exists today. Insurers have introduced war and infrastructure exclusions in cyber insurance, given that the scale of losses could exceed the insurance industry’s ability to pay. Such attacks are precisely those where the US economy will most need support. Yet such widespread coverage does not exist, nor is there an expectation that the private sector will provide meaningful coverage in the future. The need is here today.
Looking forward, that need may become even greater, given insufficient premium to support what is covered by policies today. CyberCube estimates insured losses from future catastrophic events could exceed $121bn, which would exceed the largest natural catastrophe in the history of the property market. Defining the trigger at which the government would kick in is indeed fraught, and that is where industry consultation is focused: on defining the limits of private sector capital appetite.
Insurance-linked securities provide part of the answer; however, CyberCube estimates that even if that market grew to the size of the entire natural catastrophe market, there would still be insufficient capital for catastrophic cyber reinsurance. Creating a public backstop puts a line in the sand for cyber catastrophe bonds to provide coverage up to that amount, and that line can be raised over time as that market develops.
Just as important as financial transfer, supporting the cyber insurance market would increase the resilience of the US economy. Far from creating moral hazard, the insurance industry has proven adept at increasing the resilience of those that it insures. Marsh reports that 41% of enterprises improve their cyber posture during the insurance purchasing process, as insurers push to cover more resilient organizations. Insurers have proven decisive in addressing the spate of ransomware by driving better security practices, greater use of multi-factor authentication, and action on critical externally viewable vulnerabilities.
A public-private option supporting catastrophic cyber risk may even reduce the likelihood of an attack in the first place. If a state-sponsored actor’s intention is to cause economic turmoil by launching a catastrophic cyber attack, the knowledge that the economy is protected by a national cyber reinsurance program may undermine that goal, reducing the incentive to launch such an attack.
Even with this action, the risk of catastrophic cyber events cannot be reduced to zero. The insurance industry excels at crisis management at scale and, in the event of catastrophic cyber events, would serve as a valuable partner in dispersing funds, rallying resources, disseminating critical information, and reducing fraud.
The question is not whether the federal government has a role to play in catastrophic cyber events or not. The very worst cyber catastrophes that cripple national technology infrastructure will require a government response. The question is whether the problem is addressed before the crisis occurs and whether the insurance industry (and its resources, capital, and expertise) is engaged beforehand to prepare for such an event.
A recent FT opinion piece is entitled “Governments should not be the cyber insurers of last resort”. Ultimately, having no public-private partnership with the insurance industry is itself a response, one that leaves the government on the hook for extreme catastrophic events without the support of the insurance industry.
Critics of a public-private partnership for cyber insurance, including public submissions to the FIO request for comment and the recent FT opinion piece, focus on the unintended consequences of a poorly designed program. This is a paramount concern to everyone. Cyber insurance is one of the most strategically important, dynamic and innovative corners of the global P&C insurance industry. Any actions that harm that private sector market ultimately harm the resilience of the US economy - that is why the current US Treasury-led engagement on the design of a government cyber (re)insurance program is critical.
Having no government policy response in advance of a catastrophic cyber crisis is itself a policy response, and one that also leads to unintended harm to the US economy. The right, well-designed public-private partnership would encourage more private sector capital into the cyber insurance market and create an economy that is more financially and technologically resilient to one of the biggest threats facing enterprises in the 21st century.