Main Logo Expert commentary on tech and security

The narrow case for cyber insurance backstops

Tom Johansmeyer 22 October 2024
Share On:
Government backstops don’t make sense for cyber risk, except as a stimulus for market activity
Main Top Image
Image generated using Chat GPT-4o

Some potential disasters are so big that they could pose a profound economic threat. The terror attacks of 11 September 2001 caused an estimated economic loss of US$33-36 billion at the time. The 2011 Tohoku earthquake was responsible for US$210 billion. With such readily available reference points, it’s easy to imagine something so much worse. In fact, it’s to remedy failures of imagination that ‘insurance backstops’  exist. 

A backstop is a government programme designed to provide economic relief for loss events so extreme as to threaten the solvency or viability of the insurance system, either in a particular country or worldwide. The United Kingdom has Pool Re for terrorism risks, and the United States adopted the Terrorism Risk Insurance Act (TRIA) in 2002 to provide a remedy for extreme economic impact following a terror attack. Other mechanisms exist for flood, earthquake, and regional risks

The rise of cyber risk – particularly systemic cyber risk – has led governments to contemplate the need for cyber backstops. This follows the assumption that the potential economic consequences of cyber catastrophes could be unmanageable.  However, aggregate natural catastrophe economic losses from 1998-2023 are approximately 14 times greater than cyber catastrophe losses for the same period.

Why Rishi was right

Former UK prime minister Rishi Sunak ended consideration of a cyber backstop in March 2024. It’s a decision that makes sense. Cyber catastrophe economic losses have not been severe, and the US$324 billion impact from such events has been absorbed economically, even alongside much worse natural catastrophes. Further, the insurance industry has shown no signs of needing the depth of capital that a backstop is intended to provide. It handled with ease approximately US$1.5-2 billion in industry-wide insured losses from four recent cyber catastrophe events in 2023 and 2024. Busy natural catastrophe years like 2017, which saw US$144 billion in insured losses, reveal just how much capacity for loss the insurance industry has to offer. 

The limited case for backstops

A cyber backstop may not be an immediate economic security concern, but it does have a long-term role to play. Rather than provide direct support for economic losses from cyber catastrophes, a backstop could be used as a confidence-building measure for driving more capital into the cyber insurance market. In interviews conducted for my ongoing doctoral thesis with 34 cyber insurance and reinsurance industry professionals, the topic of government backstops arose only infrequently. 

However, three specific use cases for government backstops did arise: 

  • the depth of risk-transfer capacity available in the market, 
  • the psychological benefits of backstops, and 
  • the use of backstops to attract more insurance and reinsurance industry capital for future market growth.

Some respondents worried that the insurance industry lacks the depth of capital necessary to handle the ‘big one’, even though the ‘big one’ has likely already happened and been absorbed. After all, the US$326 billion in cyber catastrophe losses sustained since 1998 have not had a meaningful impact on commerce or society.

For those entering the cyber insurance market with lingering fears about the future, the notion of a cyber backstop is comforting. One respondent, an insurance-linked securities (ILS) manager, added a layer of nuance, suggesting that such a backstop should only be for the most extreme events, explaining that the market needs to ‘come to a view of what’s right for the private market to take and what’s right for the states to assume,’ using cyber war as an example of the latter. 

More interesting than the business and market implications is the connection to a pressing psychological concern. Insurers and reinsurers may be more inclined to increase their commitments to the insurance sector if they know government capital is available to support them if the unimaginable happens. A cyber insurance executive in the United States explained that ‘a backstop would be helpful psychologically’ because insurers and reinsurers would ‘know that there is a safety net of sorts – that [a cataclysmic event] is not just a continuous and open-ended freefall.’ It’s not the safety net itself that matters here, according to the respondent. Rather, it’s  the idea of it. That psychological element can make insurers and other risk-bearers more comfortable with cyber risk. 

Perhaps the most unusual suggestion was that a cyber backstop could be used not as a security measure but as a way to stimulate the growth of the cyber insurance sector, relying on the psychological factor. One ILS manager suggested, ‘Ideally, government would be the “midwife” to the delivery of a larger market in the future.’ It’s something that state actors have done before, he continued, ‘Florida has done a very skilful job of that,’ with regard to its state-backed insurer, the Citizens Property Insurance Corporation

Such mechanisms, the respondent explained, can be used to increase or decrease the amount of capacity needed based on the amount of capacity in the insurance market already, along with the demand for insurance protection. As insurers get comfortable and run profitable cyber businesses, the backstop could shrink, and after a significant industry-wide insured loss, the support from a backstop could adjust. 

The future is flexible

Rather than set a threshold at which the cyber insurance government backstop would write checks to insurers, the better alternative would be to structure a programme that ‘flexes’ – to borrow a phrase from the respondent fond of midwifery – based on the size of the cyber insurance market itself. Today, customers in the United States pay US$8 billion in cyber insurance premium, taking a 60% share of the estimated US$13 billion worldwide market. After a truly large cyber catastrophe, insurers would likely reduce their participation in the cyber insurance market, constricting the market. If the market’s cyber revenue shrank to US$4 billion, hypothetically, insurers would need less support from a backstop.

Instead of setting an overarching loss threshold, it would make more sense for a cyber backstop to change the point at which it pays based on losses relative to market size – called the ‘loss ratio’. A backstop could begin to provide financial relief following a cyber catastrophe that reaches a 300% loss ratio – meaning a US$24 billion loss to the US insurance industry as a whole. If the insurance industry were to shrink after such an event, due to insurer fears about the risk, the threshold would shrink as well. So, if premium dropped to US$4 billion the following year, the backstop would engage at US$12 billion. As insurers became comfortable with cyber insurance again, they would start writing more business, generating more premium, and pushing the threshold higher.

The implementation of a government backstop to stave off societal financial ruin isn’t necessary. However, if done properly, a cyber backstop could assuage the fears of the cyber insurance industry, stimulate an increase in economic security through market activity, and provide a safety net to catch the unimaginable.

avatar
Tom Johansmeyer

Related

Featured image
Binding Edge
Spyware could destroy our democracies
Sophie in t' Veld 7 November 2023
Read more arrow
Featured image
Binding Edge
How to ‘harden’ open-source software
John Speed Meyers / Jacqueline Kazil 7 November 2023
Read more arrow
Featured image
Binding Edge
Satellites: Our invisible infrastructure
Benjamin Charlton 24 January 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 15 December 2024, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.