The ‘man-made peril’ of cyber attacks is on the up as digitisation increases; however, there is still a low penetration of cyber insurance in the UK, say industry commentators

Biba 2024: Industry experts speaking at trade body Biba’s 2024 conference have tipped a public-private partnership model between the insurance industry and government as one method for tackling systemic cyber risks in the UK.

Speaking during a fringe session on 15 May 2024, entitled Insuring the uninsurable: Navigating exclusions and preparing for systemic risks, Anthony Cordonnier, global co-head of cyber at Guy Carpenter, noted that cyber risks – such as cyber attacks and data leaks – are often described across the market as being “systemic” and “uninsurable”.

For him, this is because of “the aggregation potential of the class”.

He explained: “What’s crucial here is the aggregation potential of the class. By aggregation, we mean lots of different losses stemming from the same event – very much like a natural catastrophe event.

“What’s different here is that it’s a man-made peril. The exposure is [caused] by the increasing digitalisation of the economy.”

Rampant digitalisation has also extended the perimeters of cyber risks, Cordonnier added. While risks such as flooding are location-based, cyber attacks are not geography dependent.

Tom Clementi, chief executive of terrorism reinsurance scheme Pool Re, agreed. He said: “The UK is the most digitally attacked country in the world by some measure.”

Cordonnier believes the UK is “more vulnerable” to cyber risks “because English is more widely spoken” globally.

Size of the market

Despite this industry perception around the dangers of cyber risk, both fringe session speakers at the Biba Conference confirmed that, in their experience, penetration of cyber cover itself is low in the UK.

For Cordonnier, this presents a growth opportunity – he noted that the motor insurance market, for example, is 20 times the size of the cyber insurance market in this country.

The growth of the cyber insurance market, however, hinges on some key factors.

Firstly, there is the need to create systemic risk management models that are “relevant for specific geographies”, Cordonnier said. In turn, this can help firms build event- and geography-specific covers.

A further issue is scalability, Cordonnier continued.

He said: “The challenge with cyber specifically at the moment is scalability. Premiums are very small – we need the cyber pool, the cyber insurance business to be much bigger before we can scale up the offering of the product.

“The size of the market is too small to actually be suitable for a [risk] pool. There could well be market failure in the context of a very large scale cyber event.”

Clementi added that, as cyber events are an “international problem”, an international risk pool would ideally be appropriate. He feels this is unlikely to happen, however, and that country-specific schemes will be the preferred route forward in tackling cyber risks.

Additionally, “we need to think about what defines a cyber event”, Cordonnier noted.

“There’s been a lot of work done by the industry in defining cyber events, be it on the reinsurance side with event specific covers but also industry led initiatives,” he continued.

These initiatives could include collaboration with academics to improve the knowledge base around cyber risks.

Risk removal or distribution

For Clementi, the opportunities in the cyber insurance market are “phenomenal”.

He said: “If you think about cyber, there’s the potential for that very large event. Having that structure of a public-private partnership where you can have a structure put in place before a big event – rather than be responsive, why don’t we put the infrastructure in place?

“Also, it’s about bringing stakeholders together. We have issues around cyber war exclusions. It’s about bringing [the] industry together and government to address those issues.

“Whether it’s going to be government led, whether it’s going to be industry led, I don’t have an answer for that but I do think there is a place for both. There’s no reason why there couldn’t be support from the government for an industry led proposition and whether the Treasury would back an unlimited cyber pool like they do for terrorism, I’m not sure.”

A public-private partnership refers to collaboration between a government agency and a private sector company or industry for the purpose of delivering a project or service.

Clementi added that there are “two approaches” when using public-private partnerships to tackle uninsurable risks – “risk removal” and “risk distribution”.

Risk removal refers to a risk that is potentially too big for the insurance industry to deal with, Clementi explained, so the risk is moved to the “balance sheet of another entity, like a Pool Re or a Flood Re – a protection gap entity specifically set up to deal with that”.

He continued: “So, the industry can still issue policies and take in premiums, but ultimately, the risk sits in a separate entity with a government guarantee.”

Regarding risk distribution, Clementi described this as being like Flood Re, where there is a “small number of high risk policyholders who can’t get insurance or it is prohibitively expensive.”

He explained: “What we’re going to do is we’re going to spread that risk of that small group across a much wider pool.”

Clementi believes that the risk distribution approach is easier to implement in line with government because “it has less significant ramifications for the government”.

When exploring how to tackle systemic cyber risks, Clementi noted that it is important to investigate the root causes and find out why insurers do not want to insure certain facets of the risk. He questioned whether more data could be useful to facilitate insurance provision.