The cyber insurance market has made substantial progress in recent years in developing products and insurance-backed services to help its clients manage their exposure to “cyber risks”, ranging from theft of client data or intellectual property to the paralysation of critical business systems.
The industry’s progress in this regard is the result of its having worked with insureds, in many sectors, to develop products to meet their needs. However, this has been a challenging process, not least because the threat evolves so quickly.
Whilst the products that the industry is now offering are, in some respects, quite sophisticated, serious doubts remain as to whether it can afford to offer cover for the most serious cyber risks, such as a massive accumulation or aggregation of losses arising out of disruption of critical infrastructure or coordinated attacks on or failures of cloud providers.
Furthermore, in some cyber insurance markets, there may be a tension between insurers’ desire to work with their insureds to engender strong risk management on the one hand, and, on the other, the insured’s desire to lay off its cyber risk at a lower cost than it would incur to upgrade critical systems to harden them against cyber attacks.
In the light of these concerns, some market participants have renewed calls for the government to provide a backstop, similar to those in place for terrorism risks. They argue that the potential magnitude of some cyber risks and the potential for significant accumulations of losses present risks so great that they cannot be absorbed by the capital of insureds and insurers alone.
There is obvious force in these arguments. However, others in the market are more circumspect, arguing that the case has yet to be made as regards the necessity for a government backstop.
It is suggested that cyber does pose risk of a magnitude that is potentially greater than the existing cyber market has the capacity to absorb. However, critics of the government backstop proposal are probably right that the nature and scope of such potential cyber catastrophes must be analysed and articulated more cogently before the case for a government backstop is made out. They are probably also right that, if a government backstop is implemented, it must be implemented properly, so as to allow the industry to do what it does best whilst still ensuring that the security of the economy is adequately protected.