The UK needs to insure itself better against the cyber-terrorist threat
December 3, 2015
In the week after the devastating atrocities in Paris, the Chancellor of the Exchequer announced that infiltration of our online infrastructure ranks alongside “guns, bombs and knives” as a terrorist threat against which the UK needs urgently to defend itself. Elevating cyberterrorism in such a public manner, backed up with commendably generous financial resources for our security services, is a critical first step in tackling the evolving dangers to Britain’s national security. But how capable are our major institutions and the broader economy of withstanding damage from a cyber-onslaught?
So concerned is the Bank of England about the systemic risk posed to the financial system by a targeted cyberattack that for almost two years now it has worked hand in glove with GCHQ to test resilience in the Square Mile. This work recognises both the potential financial impact of a cyberattack on businesses and citizens, and implicitly concedes that our institutions are not currently adequate to handle the physical impacts of the cyberterrorist threat.
In October, telecommunications firm TalkTalk was hacked by two teenage schoolboys who leaked millions of people’s bank details online, costing the company around £35 million. Meanwhile the Federation of Small Businesses claims that September’s tube strike came with a price tag of £600 million in economic disruption. A terrorist cyberattack would likely seek to replicate both of these events, albeit on a much larger scale. With UK cities becoming ever ‘smarter’ and more reliant on sophisticated computer software, it is vital that we have the confidence that these systems can be backed up, protected or swiftly rebuilt in the event of a catastrophic breach.
Unfortunately, however, there is serious concern about whether the existing insurance cover for such events is robust enough. This is where a reinsurance vehicle, which effectively guarantees insurers and governments against heavy losses, stands to play a crucial role. The IRA bombing of the Baltic Exchange in my constituency in 1992 proved a seminal moment in the Square Mile’s centuries-old insurance industry. The scale of damage was so colossal that re-insurers began to withdraw cover for terrorism in double-quick time. It swiftly became clear that the gap could only be plugged if the insurance industry and government worked together. The result was Pool Re, a partnership between the UK Treasury and Britain’s insurers which – for the first time ever – made government insurer of last resort. Following the 9/11 attacks, its coverage was extended to include incidents of chemical, biological, radiological, and nuclear terrorism risks. Just as the terrorists have evolved, so have we.
With the threat now more dispersed but no less deadly, the question for the insurance industry is how to calculate and manage that unpredictability. One area where surely we require better cover before a major incident occurs is cyberterrorism. This is not wholly unfamiliar territory for this government. A similar insurance gap was recently identified following the serious floods of 2013, with the insurance industry and government stepping in to create Flood Re to ensure that those domestic properties in the UK at the highest risk of flooding could receive affordable cover. Now that the cyber threat is so clearly tied up with terrorism, the time may be ripe for the UK government to create a new, standalone reinsurance fund – ‘Cyber Re’ – to ensure that major British businesses and institutions are covered in the event of cyberattack.
This made it all the more curious when as recently as March, the erstwhile coalition government declared that there was no need for state intervention in this area. Despite all the emerging evidence and vocal campaigning from security experts and academics, as well as insurance underwriting insiders, the Cabinet Office (the government department with chief responsibility for cyber issues) concluded that the insurance industry could handle known risks without the need for a Pool Re type structure.
I accept that a Cyber Re proposition is not without difficulties, particularly when it comes to defining what constitutes a ‘terror attack’ – it can be tricky to assign responsibility in the online world, sorting industrial espionage from security threat. However, the importance of financial, professional and business services to the UK economy as a whole should now incentivise government into taking a lead alongside our world-leading insurance sector to withstand one of the greatest systemic risks that UK Plc currently faces. As we all know in the insurance business, providing the right cover – at the right cost – relies on our ability accurately to predict the probability and severity of future losses. But as the Baltic Exchange and the Twin Towers showed to such devastating effect, single events can turn assumptions on their head in a flash.
Whilst I am a free marketeer, bringing all these perils under one roof might ensure a much more resilient economy in the face of threats otherwise difficult to insure. It could give the insurance industry the confidence it needs to expose its balance sheet in the knowledge that it has a safety net, simply because the potential losses at stake cannot be handled by the private sector alone.
So the Chancellor is right to raise the issue of cyberterrorism. As nations prepare themselves against bomb plots, gun attacks and airline hijackings, so terrorists will adapt, finding new weaknesses to exploit. The provision of insurance and re-insurance for such threats will become an increasing factor in the Government’s fight against terrorists and their criminal gang cohorts. We must face facts: in the event of a catastrophic cyberattack, it will only be reinsurance that will collectively enable us to get back on our feet.