The UK’s terrorism reinsurer, Pool Re, recently secured retro cover for its cyber terrorism risk offering, which included a first-of-its-kind catastrophe bond placement. The deal demonstrates a welcome appetite for cyber risk among reinsurers and capital markets.
However, Pool Re’s cyber terrorism cover is not a complete solution for companies concerned with nation-state attacks and cyber incidents from other politically motivated groups.
Cyber CAT bond
In March, Pool Re announced the completion of a GBP 2.3 billion three-year retrocession programme, one of the biggest reinsurance deals in the world and the largest terrorism risk placement ever. Interestingly, the programme included GBP 75 million from a new catastrophe bond, the first-ever catastrophe terrorism bond.
Both the bond and the retro programme cover cyber terrorism, mirroring the cover provided by Pool Re to its member insurers.
The transaction is the latest example of the growing appetite for cyber risk from reinsurers and capital market investors.
In October 2018, the Finance Minister of Singapore announced the world’s first commercial cyber risk pool, backed by both insurance-linked securities (ILS) and reinsurance.
The proposed pool will provide up to USD 1 billion in capacity and has already attracted over 20 insurers.
To date there have not been any examples of terrorists or extremists using cyber to launch disruptive or destructive attacks, according to Pool Re.
However, the intent to do so has been expressed. There has also been at least one case of insider threat with the potential to enable or launch a cyber attack, for which an individual working at Heathrow was convicted of terrorist offences.
According to Pool Re’s 2018 Threat Analysis Report, terrorists appear to have a low cyber capability.
Yet the growing availability of cyber attack tools and the consistently high global terrorism threat make it essential to build a thorough understanding of terrorist groups’ capabilities and intent in this area, the report says.
Cyber attacks have never been easier to carry out, as the tools become increasingly available for anyone to acquire on the dark web, and as the ability to deliver more complex and higher-impact attacks becomes commoditised, says Pool Re.
There is also the ongoing potential for offensive capabilities developed by nation states to be released into the wild without authorisation.
In response to the emerging threat of cyber attacks, Pool Re extended its offering to include cyber terrorism. In April 2018, the reinsurance pool offered member insurers the option of including cover for material damage and direct business interruption, caused by acts of terrorism, using a cyber trigger.
Pool Re’s cyber terrorism cover is, however, no panacea for today’s complex cyber threat. Pool Re’s cover excludes state-sponsored acts and is limited to attacks that directly cause physical destruction to property, excluding intangible assets.
While Pool Re recently extended its property cover to include non-damage business interruption, this does not extend to incidents triggered by remote digital means or cyber terrorism.
Cyber terrorism overlaps with another rising threat for businesses: state-sponsored cyber attacks. These have been of growing concern following a number of high-profile incidents — for instance, one researcher linked last year’s Marriott data breach to Chinese intelligence.
Iran is thought to be behind a series of cyber attacks against oil and gas companies in the Middle East, and the US blames Russia for the 2017 notPetya malware attack, which initially targeted organisations in Ukraine before spreading around the world.
Given its exclusion for state-sponsored acts of terror, Pool Re’s cyber terrorism cover would not protect against cyber attacks like notPetya.
The property market seems intent on not covering state-sponsored cyber losses and is willing to deny claims through the use of war clauses, which include broad language like “warlike” or “hostile acts”.
In contrast, the standalone cyber insurance market has shown a greater willingness to pay claims for cyber attacks that are linked to nation states.
It is also possible to purchase cover in the specialist cyber market for state-sponsored attacks via write-backs, and there is some talk in the cyber market of ways to clarify coverage further.
For example, cyber insurers could exclude “kinetic warfare”, which would allow cover for non-physical losses caused by state-sponsored cyber attacks.