Summary

High-profile cyber-crimes on financial markets have led to significant losses. Cyber-crime insurance is a weak market in which it is hard to get significant risks written. Market cover is sporadic above a handful of computers and fades completely above £100 million. Insurance against cyber-terrorism (e.g. state-sponsored attacks) does not exist at all. This market problem resembles the position of terrorism cover in property insurance, where the government created Pool Re to help in 1993. Why don’t we have a Cyber Re, where government helps the insurance industry fund extreme losses? As an example, government takes responsibility, via a reinsurance club, for risks at the highest levels. Below that level normal insurers write cyber policies, which help spread information and best practice. With a fully functioning market, the UK would be more attractive to ICT businesses such as financial exchanges and large internet firms.

“The certainty and confidence that insurance provision brings to all our daily lives, whether business or personal, enables us to breathe more easily, to find the confidence to let innovation flourish and to engage with the present and the future, chastened by the past but not allowing the fear of the possible to paralyse us in the present.”

[Mary McAleese, President of Ireland, remarks to the European Insurance Forum, RDS Concert Hall, Dublin, 30 March 2010]

Background
This proposal originated with reactions and inactions to cyber-enabled thefts on the carbon trading markets associated with the European Trading System, though a version of it was proposed in 1997 during Y2K/Millennium Bug preparations. In January 2011 over €45 million was stolen from the carbon markets. Carbon markets were closed on 19 January and have fitfully reopened since. The January 2011 attacks were preceded by attacks in 2009 and 2010. A 2 February 2010 phishing theft of 250,000 carbon emission permits was reported to net €3 million and also closed the markets.

Cyber-crime (e.g. “e-risk business protection”) insurance typically covers crisis management costs, customer notification expenses, data extortion, professional services, multimedia liability (e.g. defamation, copyright infringement), security & privacy liability, and privacy regulatory defence & penalties. Cyber-crime insurance is a weak market where it is hard to get significant risks written. Market cover is sporadic above a handful of computers (cyber equivalent of appliance insurance) and fades completely above £100 million.

Cyber-crime at scale is indistinguishable from cyber-terrorism. State actors may be involved. In fact, it is likely that only failed or corrupt states would allow attacks to originate from their territory. So firms are sensitive about the commitment of the state to protect them from incursions of substance, whatever the source. Cyber-terrorism insurance doesn’t yet exist.

This market problem bears some resemblance to property insurance in the UK in 1992. Following the 10 April 1992 bombing which devastated the Baltic Exchange for shipping, international insurers withdrew cover for acts of terrorism and the UK government formed Pool Re rapidly. “Pool Reinsurance Company Limited was formed in 1993 following a series of terrorism incidents in the early 1990s in London and elsewhere in England related to the situation in Northern Ireland at that time. The cost of these losses caused insurers and reinsurers to focus on the difficulties of providing terrorism cover for commercial properties, in particular the high potential cost of losses and the lack of any reliable method of estimating what the future loss experience might be. Insurers depended on reinsurers for financial protection should very large claims occur and, accordingly, both insurers and reinsurers decided they could no longer provide terrorism cover using traditional methods … During the latter part of 1992 it became clear that any new scheme would require the joint involvement of the insurance industry and government. Following extensive dialogue, a suitable structure emerged and the details of the Pool Re scheme were developed.” [Pool Re website as at 11 June 2011 - https://www.poolre.co.uk/history.html]

At the moment, insurers in the UK can reinsure liabilities from terrorism, in excess of the first £75m, with Pool Re. A Pool Re member’s retention is proportionate to their participation in the scheme. The only exclusions applying to the terrorism cover of Pool Re are in respect of: “war and related risks; and damage to computer systems caused by virus, hacking and similar actions.”

Proposal
Why don’t we have a Cyber Re (or extend Pool Re) where government helps the insurance industry fund the extreme losses of cyber-crime? As an example, government takes responsibility for risks above a point, say £100 million. Below that point normal insurers write cyber policies which help spread information and best practice and bear the risks up to £X million on any single incident or £Y million on combined incidents (X and Y might be numbers in the range of 50 to 100). Reinsurance helps form successful commercial insurance markets by providing assessable mutuality for random events. Cyber Re can increase supply by spreading large losses and (over time) playing a role in establishing a body of data to support more accurate pricing of the risk. It also helps demand by promoting an understanding of cyber risks and the value of defending against them.

To get things started – “The risks covered by Cyber Re are first [and third] party losses attributable to information and communications technology (ICT) problems caused by external persons unknown. Losses are determined by reference to historic turnover and profitability of business operations disrupted by significant ICT problems caused by external persons unknown. The calculation of the net income aspect of loss of business income shall be based on an analysis of the revenues and costs generated during each month of the twelve months prior to the loss occurring and will also take into account reasonable projections of future profitability had no loss occurred and will include all material changes in market conditions that would affect the future profits generated.”

ICT is defined as digital information processing machinery and networks. This definition includes embedded circuitry, such as lift/elevator controllers. ICT could include computers, personal computers, personal organisers, mobile telephones, fax machines, motor vehicles, global positioning systems, satellites and telephones. Defining ICT will be important.

The legal form could range from LLP arrangements to corporate structures to quangos, but operationally Cyber Re should have a ‘club’ feel, like the traditional shipping mutuals (P&I clubs) or industrial disputes insurances (strike clubs). The objectives of the Cyber Re club are to provide risk mitigation for members by:

  • helping members to assess their exposure and working with members to plan risk reduction programmes;
  • sharing best practice in assessment and risk reduction, including the development and use of appropriate standards (e.g. ISO 27000 series);
  • providing controlled risk transfer mechanisms for members who achieve stated levels of risk reduction or undertake risk reduction activities to stated levels of quality;
  • managing members’ interests to achieve equitable risk sharing;
  • handling reinsurance with HM Treasury and other governmental entities.

The business interruption model is likely to be the most appropriate. A good example of business interruption or “loss of earnings” cover is The Strike Club, originally for industrial dispute insurance but now providing a wide range of business interruption insurance to shippers, fleets, ports and facilities. In a business interruption model, the client states in advance how much a day’s outage will cost, and this figure sets both the premium and the claims, e.g. a day’s outage costs £5M, the retention is the first 2 days, followed by payments for the next 10 days, for a premium of £500,000. When claims are made the estimated cost of a day’s outage must be reasonable, but otherwise the model is simple.

The following table, partially reproduced from Insurance Day, 7 June 2011 [their source: DatalossDB], of the biggest losses over the past ten years would seem to indicate some sense in the numbers above:

| Company | Year | Type | Impact ($) |
|---|---|---|---|
| TJX Companies Inc | 2007 | Hack exposes credit card numbers and transaction details | 94,000,000 |
| Sony Corporation | 2011 | Names, personal data, possibly credit card details, obtained from PSN/Qriocity users | 77,000,000 |
| Card systems: Visa, Mastercard, American Express | 2009 | Major card processor breached, credit card numbers lost | 40,000,000 |
| RockYou Inc | 2009 | Hackers access user-names and passwords | 32,000,000 |
| US Department of Veterans Affairs | 2006 | Social security and personal data of US military veterans stolen | 26,500,000 |
| Sony Online Entertainment | 2011 | Data, including birth dates, email and credit card details accessed by hacker | 24,600,000 |
| Heartland Payment Systems | 2009 | Malicious software/hack compromises unknown number of credit cards | 130,000,000 |

Benefits
How would we know when government and industry are working together on cyber-crime? A realistic comparison would be burglary insurance. People contract with insurers in commercial terms they understand, with contracts they know and financial risks and rewards they can analyse. A realistic economic goal for government is to create a framework where insurers want to write cyber-crime business, because they know it pays.

With a fully functioning market, the UK would be more attractive to ICT businesses such as financial exchanges and large internet firms. A few points of note emerge from the above:

  • Cyber Re exists not to insure, but to allow insurers to insure by providing re-insurance, in turn providing regulators with the assurance that cyber insurance can be safely underwritten;
  • Cyber Re is focused on creating a club with members, thus encouraging members to share information and reduce risk by sharing information with government, such as near misses, as well as to grow their market;
  • Cyber Re should be quite small operationally and operate at close to no cost.

Cyber Re can confer competitive advantage on the UK. The 10 April 1992 St Mary Axe bombing was a significant catalyst for Pool Re. As insurers refused to provide cover against acts of terror, financial services firms, noting what had happened to the Baltic Exchange, stated that they had trouble locating or expanding in London and the UK generally. With Cyber Re, the UK would have definite attractions for firms that depend on computers, particularly financial and internet firms, as it would be the only country that indemnifies when it fails to protect against cyber-crime at scale.

So far, Z/Yen has held discussions, with support from CityForum, in formal or informal fora with, among others, government bodies, military institutions, insurance brokers, underwriters, insurers, reinsurers, Lloyd’s, financial markets firms, trade bodies, lawyers, ICT firms, think-tanks and academics. Discussions so far have been encouraging: financial and ICT services would like the cover; insurers would like the reinsurance; government entities see the gains. Z/Yen welcomes further discussion on next steps, such as:

  • a costed proposal, perhaps under the sponsorship of a lead government department;
  • market research, particularly among insurers and the financial services industry, to gauge take-up and pricing;
  • financial modelling under various scenarios;
  • clarity on legal, regulatory and tax issues, leading to the drafting of requisite legislation or incorporation in a finance act.