More than re/insurance – protecting society from an unprecedented cyber incident

Moving beyond the realms of insurance and reinsurance, the imperative to shield society from an unprecedented cyber incident is underscored in the Geneva Association’s (GA) recent exploration of the global cyber protection gap. In an interview with Insurance Business, Darren Pain, GA’s cyber director and the author of the report titled “Cyber Risk Accumulation: Fully tackling the insurability challenge,” emphasized the central issue intrinsic to this challenge.

Pain pointed out that a longstanding issue in the cyber domain is the potential catastrophic economic losses associated with a major cyber incident. Insurers and reinsurers are concerned about the concentration of these risks on their balance sheets since they underwrite the cyber risks of both households and firms. The primary apprehension revolves around their capacity to provide adequate protection, given the constraints on their balance sheets in allocating capital to cyber risks.

Although the sector has made strides in analyzing cyber risks through increased data and advanced risk models, the GA’s report underscores the fundamental immaturity of cyber models, with results still exhibiting volatility and inconsistency.

The GA highlights three crucial considerations. Firstly, there is a need to incentivize IT security providers to assume more responsibility for the hidden costs incurred by their users, possibly through enhanced liability for hardware and software providers. This, in turn, could encourage the incorporation of more robust cybersecurity measures into their products and services.

Despite these measures, Pain asserts that addressing the role of the government as a potential financial backstop against catastrophic cyber losses is fundamental. Drawing parallels with existing arrangements for other perils, Pain suggests engaging in a debate with policymakers to establish a government role in mitigating extreme peak risks, potentially encouraging the private sector to take on additional cyber exposure.

Recognizing the enormity of the global cyber protection gap, Pain dismisses the notion that the insurance and reinsurance sectors alone can close it, advocating for a collective approach. He proposes a public-private partnership as a critical tool in bridging this gap. While acknowledging concerns about government intervention, he draws lessons from established partnerships for other perils, emphasizing the importance of design and implementation over conceptual misgivings.

Pain contends that cutting the tail of the aggregate probability distribution for cyber losses is crucial to unlocking increased capacity from the private sector. He advocates for proactive measures to establish optimal risk-sharing arrangements before a major cyber event occurs, rather than scrambling to address the aftermath. Taking a multi-stakeholder approach, he emphasizes the need to engage with policyholders and other ecosystem players to build a more sustainable cyber insurance market.