Geneva Association Says Public Backstop May Be Necessary for Major Cyber Events

The protection gap between cyber liability coverage and the potential for losses means a taxpayer backstop for major cyber events may be necessary, according to a report from the Geneva Association.

Source: AM Best | Published on November 22, 2023

The report, “Cyber Risk Accumulation: Fully Tackling the Insurability Challenge,” said the risks in not preparing for a cyber event affecting a large part of the United States outweigh the threat of unintended consequences, such as increased ransom demands.

A federal backstop might raise “the potential for it to encourage lax cybersecurity among policyholders as well as weaken the incentives of insurers to promote good cyber hygiene and develop innovative insurance solutions,” it said. “Some market participants also worry that a government backstop would go hand in hand with a mandate for insurers to offer protection for all cyber perils, even those that are currently uninsurable.”

Yet with taxpayers in the end likely to be called upon to cover large uninsured losses from a cyber catastrophe, it seems “sensible” to look at measures that could promote the functioning of the insurance and reinsurance markets rather than deal with the fallout of a major incident, it said.

A suitably designed cyber backstop, it said, could ensure governments assume responsibility only for extreme losses beyond a preset threshold while also aligning incentives to promote development and take-up of cyber insurance. Included in such a program will be premiums to cover the cost of any government guarantee and procedures to claw back taxpayer-funded losses after a major cyber event, it said.

The report said that along with a government backstop, insurers need better models to help determine risk.

“Cyber models remain immature and their results can be volatile and inconsistent,” it said.

Insurers also should capture standardized claims data and coordinate information sharing to foster relations between government security agencies and major technology companies; develop mechanisms to transfer risk to the private market; and incentivize information technology firms to develop more robust security features in hardware and software, it said.

The need is great, as the report estimated the cost of cyberattacks worldwide ranged from $1 trillion to $8 trillion, while cyber premiums totaled only $12 billion to $14 billion.

“If the COVID-19 pandemic taught risk managers anything, it is that we must prepare for catastrophic events; we cannot rely solely on response mechanisms after the fact,” said Jad Ariss, managing director at the association, in a statement. “That is why re/insurers, governments and others need to establish the right cyber partnerships now — not only so insurers are positioned to offer more cyberrisk protection, but so there are viable financial and operational solutions in place should a widespread, devastating cyberattack actually occur.”

Industry-sponsored proposals for creating government pandemic backstops to fix the business-interruption protection gap have been received coolly by policymakers and lawmakers, whose attention is concentrated on managing the current pandemic rather than preparing for the next one, according to observers.