David Cameron presented the National Security Strategy and Strategic Defence and Security Review (SDSR) to Parliament last month. He reported that the world is more dangerous and uncertain than five years ago and that a “full-spectrum approach” is required to counter threats that do not recognise national borders. The approach includes “offensive cyber” actions and it would seem that the cyber war, which is often mentioned but rarely seen, is now firmly established and underway.
The prospect of cyber-based terrorist attack is a modern reality. Speaking recently at GCHQ, Chancellor George Osborne said that while ISIL have not yet been able to use cyber attacks to kill, “we know they want [that capability], and are doing their best to build it…If our electricity supplier, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost".
Whilst it is instinctively uncomfortable to turn to commercial considerations following such announcements and recent tragic terrorist acts, it is the stark reality that the insurance industry must constantly assess how it will respond to such events.
Insurance policies routinely exclude coverage for losses resulting from acts of war or terrorism. Cyber-attacks, particularly those involving non-state actors, raise questions of whether such incidents would fall within the scope of such exclusions.
Chancellor Osborne’s comments also raise the prospect of cyber-attacks causing damage outside the digital dimension. There a number of market wide exclusions (including those recently released by the LMA in November) which might be used to exclude losses from bodily injury, physical damage, pollution, or similar matters arising from a cyber-related incident. Notwithstanding the effectiveness of such exclusions, insurers must first overcome the commercial pressures against applying such exclusions.
If such exclusions are successfully applied in non-cyber insurance lines, this raises the question of whether the cyber insurance market is prepared to step in, and if so, whether it can do so with financial security. The issue is being debated and scrutinised. Lloyd’s commissioned the papers “Business Blackout” and “Sybil Logic Bomb” which hypothesise the potentially catastrophic financial implications of a cyber-attack or incident. Having set out the hypotheticals, Lloyd’s is now assessing Managing Agents’ oversight of accumulation risk to cyber risks.
The implications are so great that certain insurance and political leaders have argued for the creation of a Government backed cyber reinsurance scheme. Such a scheme would be similar to Pool Re which was created in 1993 to provide property insurance following terrorist attacks. Stephen Catlin, the deputy executive chairman at XL Catlin has raised his concern cyber is “the most systemic risk that I’ve ever encountered in my insurance career” (Post, 4 December 2015).
Cyber terrorism is a genuine threat that to businesses and governments globally. Whilst it represents a threat to the insurance market in that it will test the boundaries of existing coverage, it is also a huge opportunity for insurers to innovate in product design, pricing and underwriting. Whether the UK Government’s commitment to combating cyber terrorism should extend to providing a reinsurance backstop in the form of Cyber Re, looks set for further debate.