Prospect of catastrophic cyber attack triggers interest in insurance backstopReprints
Opinions differ on whether the time has come to establish a federal backstop that would respond to losses caused by catastrophic cyber attacks similar to the U.S. facility that backstops terrorism losses.
Such a backstop was created by the Terrorism Risk Insurance Act of 2002 to help insurers cover losses from truly catastrophic future terrorist events.
But whether the current facility, which is commonly known as TRIA, could respond to cyber attack losses remains an open question. Also muddying the issue is that some cyber attacks appeared to be sponsored by nation states and might be construed as acts of war not usually covered by insurance.
In addition, backstop supporters stress that any facility should not replace the private cyber insurance market, which should be allowed to continue growing.
Not everyone agrees that the time for a TRIA-like approach to cyber attacks has arrived. What is clear is that a large cyber attack could have a systemic impact, as countless businesses would find their systems seriously damaged or destroyed, and a crippling attack on the power grid would cause property damage and widespread business interruption — perhaps for weeks and months.
“At some point we're going to have to develop some TRIA-like backstop where it comes to cyber security law,” said former Rep. Mike Rogers, R-Ohio, who chaired the House Intelligence Committee before retiring from Congress in 2015. Mr. Rogers, now an independent Washington-based consultant, pointed out that nation states already have attacked private companies, as North Korea allegedly did to Sony Corp., and countries such as China and Russia also have the capability.
Achieving a “really mature cyber security private insurance market” is difficult because nation states are using their military and intelligence capabilities to target U.S. companies, he said.
“My one caution is we need to not allow the availability of a TRIA-like backstopped insurance product to stop companies from developing wholesome cyber defenses,” Mr. Rogers said.
It is “increasingly clear that the risks of cyber terrorism are very large,” with extremely large potential losses, said Ben Beeson, cyber risk practice leader at Lockton Cos. L.L.C. in Washington. He said the insurance market does not have much capacity to address the risk.
“The losses could run into the billions,” Mr. Beeson said. “It does warrant support from the government.”
The insurance industry has never seen a risk so interconnected, and a single event could do great damage to the insurance industry, he said.
“Can the market solve this problem without a government backstop?” While the market is trying to do so, “if the power grid went down tomorrow, it's not going to be enough,” Mr. Beeson said. “The government can help accelerate the market's ability to deal with this by providing a backstop.”
“I think it's a conversation that's probably long overdue,” said John Farley, vice president of cyber risk at Hub International Ltd. in New York.
Three issues lead him to believe that “we probably need a TRIA- like program,” he said:
? The internet of things “has basically expanded an attack surface for the hacker,” he said.
? The cyber insurance market is growing but remains small compared with some other lines. “We can expect doubling and perhaps tripling the number of cyber policyholders by 2020,” he said.
? Hackers are backed by the “vast resources” of nation states, he said.
The three together could lead to a “cyber Armageddon” that could hit thousands of businesses around the world simultaneously, with “a real supply chain risk that goes along with it,” he said. “Cyber risk is systemic. As more policyholders enter the market, as the threat expands, and as hackers evolve and get more sophisticated and backed by nation states, there can be a real aggregation of risk in the not-too-distant future.”
“We'd be looking at the larger state-sponsored or terrorist attack on infrastructure,” said Martin J. Frappolli, senior director of knowledge resources at The Institutes, the operating name of the Malvern, Pennsylvania-based Insurance Institute of America and the American Institute for Chartered Property Casualty Underwriters. He also is the editor of the organization's new “Managing Cyber Risk” textbook.
“Those are akin to wartime exposures that are typically excluded by commercial insurers,” said Mr. Frappolli “Wartime exposures are typically considered to be uninsurable.”
“The biggest threat from widespread attack is going to be business interruption,” he said. “If the internet is disabled, a lot of businesses won't be able to operate for a period of time.”
No legislation to create such a facility has been proposed, and the insurance industry holds that TRIA could respond to a catastrophic cyber attack under some circumstances.
“The reinsurance community is certainly supportive of anything that will provide incentives for the creation of a vibrant market for cyber insurance,” said Frank Nutter, president of the Reinsurance Association of America in Washington.
“TRIA itself would appear to be applicable to cyber coverage as long as it's written in a commercial policy that covers cyber,” said Mr. Nutter. “In any kind of congressional initiative, the question is what is the quid pro quo? Is it mandatory offering, mandatory coverage, and is the industry willing to do that in return?”
But the American Insurance Association thinks it's too early to talk about a TRIA-like response to cyber attacks.
“From our perspective, we don't think a backstop is necessary at this stage,” said Angela Gleason, associate counsel at the Washington-based AIA. “We think those discussions are really premature. We need to let the market continue to evolve and innovate. We need to allow the market to continue to grow.”
According to Marsh L.L.C.'s March report “Benchmarking Trends: Operational Risks Drive Cyber Insurance Purchases,” purchases among Marsh clients increased 27% in 2015 from 2014, compared with a 32% increase in 2014 over 2013. There was also a 32% increase for the first half of 2015 vs. the comparable period in 2014.
Meanwhile, overall capacity remains abundant, at more than $500 million, with most large towers comprising between $200 million and $400 million in limits, according to the report.