Insurance

Governments should not be the cyber insurers of last resort


Unlock the Editor’s Digest for free

Insurers are in the business of risk. But some perils make them nervous. Attacks on computer networks are a prime example. Berkshire Hathaway’s Warren Buffett compares them to rat poison because of the spiralling impact on policies of a single event.

The escalating global cost of such crime — expected by US officials to exceed $23tn in 2027 — far outstrips the cyber insurance market, at roughly 800 times smaller. Insurers argue that such a vast gap can only be bridged by governments. The case is not clear cut. 

Insurer Zurich and broker Marsh McLennan are the latest to advocate state intervention. They point to precedents provided by nuclear energy risks, natural disasters and terrorism. A government backstop might encourage insurers and reinsurers to extend coverage and offer extra capacity, says the Geneva Association, a global association of insurers. Such a move could improve resilience because insurers should require policyholders to install strong controls. That might create a virtuous cycle, reducing the chance the government is ever forced to step in. 

Bar chart of Number of complaints  received by FBI's internet Crime Complaint Center in 2023 showing US infrastructure sectors hit by ransomware

But there could be unintended consequences. Knowing a government would foot the bill might encourage more attacks — especially state-sponsored ones. Another worry is that it could cramp the development of the fledgling but fast-growing cyber insurance market. A badly designed government backstop might impede innovations such as last year’s pioneering cyber catastrophe bond

Defining the threshold that would trigger a government backstop is fraught. Cash-strapped governments could find themselves on the hook for more than they bargained for, some experts reckon. Patrick Tiernan, chief of markets at Lloyd’s of London, argues the insurance industry needs to do more modelling and client education before it can ask for government help. Citing intelligence sources, he suggests that roughly nine out of 10 cyber attacks could be prevented with better cyber hygiene.

Read More   Reinsurers pull back from Israel and Middle East risks

Given the poor controls in many companies, a government backstop clearly creates moral hazard. It might well make companies less motivated to shore up their protections against cyber attacks. It is not clear why companies that do not employ basic cyber protections should be subsidised by taxpayers, says Daniel Woods, lecturer in cyber security at the University of Edinburgh. 

There is a case for state intervention to bridge the gap created by the war and infrastructure exclusions in insurance policies. But governments are rightly reluctant to write blank cheques. As things stand, there is limited evidence that a broadly based backstop is needed. It would probably take a truly catastrophic cyber attack to change that view.

vanessa.houlder@ft.com



READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.