Dear Federal Insurance Office,
Thanks for soliciting opinions about a “potential federal insurance response to catastrophic cyber incidents,” which you’ve said could be like TRIA. Here’s my two pence worth.
Some risks are so large and ugly-looking that the insurance industry cannot be expected—or is understandably unwilling—to cover them on its own. Typically they’re risks that emerge rather suddenly, like terrorism or nuclear. When that happens, talk turns quickly to state intervention of one sort or another, because well-executed interventions can remove the “un” from uninsurable. However, their occasional success does not mean they’re always the right thing to do.
Taxpayers to the Rescue (of Profits?)
A recent micro-example from the United Kingdom is a program to insure “EWS-1 surveying” risk. London’s ghastly Grenfell Tower Fire, which killed 72 people in 2017, was exacerbated by the 24-story building’s flammable exterior cladding. It literally surrounded the building in a flaming chimney. Afterward, “external wall surveyor” became an almost entirely uninsurable occupation. That has meant, in extremis, that some property owners cannot get a mortgage.
A broker of professional indemnity risks told me recently that banks sue surveyors almost as a reflex when their income is stifled by arrears, no matter what the cause of the borrower’s default. In this time of rising interest rates, that reflex may kick mule-like, hard and ruthless, but fortunately a brand-new public/private insurance arrangement will protect them. Today in the United Kingdom, when lenders sue surveyors because borrowers are not making their mortgage payments, the potential now exists (albeit distant) for taxpayers to cover the cost.
Excuse me, but no portion of my tax expenditure should go toward propping up the money-making circle of mortgage lenders, chartered surveyors, and residential landlords. Frankly, those organizations should be able to find enough money in their system to cover the cost of ensuring buildings are not firetraps. If they cannot, their model is broken.
Risk-Based Market Pricing
Sometimes it is right for the state to intervene in insurance markets. For example, the U.K. government did so with massive success in 1914, when war made much of Britain’s international shipping uninsurable at any affordable price overnight and the nation feared starvation.
To shorten a long story, a government plan to cover marine war risks—designed largely by Lloyd’s legend Sir Walter Hargreaves—was so effective and cleverly designed that the state paid for almost none of the losses it had feared, while private insurers, who were free to undercut the arrangement, made a fortune. A key characteristic of the “solution” was that vessels at relatively low risk of being sunk by the Kaiserliche Marine were not forced to fund the indemnities of ships at very high risk. So effective was the plan that it was reintroduced in 1939.
Head Back to Private
Public/private partnerships have certainly worked wonders around the world in the face of terrorism risk. The threat of random downtown bombings in major urban centers is the type that makes insurers’ aggregation models judder, flash, then release a wisp of smoke. But a dollop of government guarantee can make an explosion of difference.
The success of Pool Re, the United Kingdom’s state-backed terrorism risk reinsurer, is undeniable. One magical part of its mandate is an obligation to return risk to private insurers when possible. It has done that consistently by raising the market’s terrorism loss retention and by purchasing open-market reinsurance. Both tactics have successfully pushed taxpayers’ cash ever further away from prospective indemnities. For Pool Re, ultimate success will be its own obsolescence.
Focus on Unavoidable Risks
The big difference between ships sunk by U-boats, buildings blasted by extremists, and punitive suits against surveyors is that the latter risk—contrived by people within a system—is utterly avoidable. In contrast, war and terrorism are entirely outside the control of the parties involved (on our side). Risk mitigation and management can help to minimize their impacts, but their innocent victims are not part of the system that breeds them.
Bankers, Bombers or Bandits?
This brings me, dear FIO, to the topic of cyber insurance. A great deal of breath and ink has been expended in debates over whether or not the state should provide an insurance backstop for cyber risks. To answer, we must determine if the risk is more like bankers suing surveyors, bombers killing innocents, or a third group: bandits shaking down businesses. Simple, right?
Ransomware attacks, the form of cyber crime that caused the recent cyber-market meltdown, are simply acts of criminal extortion. Except, of course, when they are perpetrated by state actors or by state-funded hackers. But NotPetya, the 2017 global ransomware attack possibly launched by Russia against Ukraine, was an act of war because it was state-sponsored (or perhaps it wasn’t, but we think it was).
When a state levels a massive cyber attack against businesses and people it perceives to be “the enemy,” it may perpetrate an act of war (though maybe war needs to be declared for it to be an act of war, or maybe it needs to be “kinetic,” as policy language often decrees). If a state funds the hackers, their actions may look like crime but actually be war, but that’s quite a bit more difficult to prove. Meanwhile if an extremist brings down the grid, it is probably terrorism. Unless they ask for a ransom, then it’s just crime (and if that seems like an oversimplification, you’re right—just ask anyone from Belfast).
Crime Mustn’t Pay
As a baseline, perhaps we can agree that, if it’s crime (like most cyber attacks), we won’t insure it with taxpayers’ cash. We spend tax money on law enforcement to combat crime. We do not spend money on insurance to make crime pay. Homeowners insurance would be unaffordable if we negotiated with burglars over which of our possessions they could cart off. Already cyber criminals attack businesses because they know those firms are insured against their act—and for how much (because they’ve hacked in, poked around, and had a look at the target’s coverage limits). I can see no benefit to anyone of establishing a state institution to solidify criminals’ income.
Dear FIO, you have asked, as part of your public consultation, for possible definitions of what constitutes a “catastrophic” cyber incident. That, I believe, is the wrong question. I propose that you begin your efforts by defining, with exceptional rigidity if you can, the lines between insurable cyber crime and uninsurable acts of cyber war and cyber terrorism.
The best starting point for understanding the complexity of the issue is probably the freely available paper by global reinsurance brokerage Gallagher Re titled “Cry Cyber and Let Slip the Dogs of War.” It points out, for example, that a “declaration of war” is not the same thing as a “state of war.” Gallagher Re argues, “The challenge of attribution prevents the market from clearly delineating between state-sponsored attacks and simple criminal or otherwise-malicious cyber events.”
I don’t have all the answers, but I assert strongly that public/private insurance plans must not prop up profits or fund criminal activity. If you can find a way to protect people from cyber war and terrorism without such collateral impacts, I applaud you.