
Insurer in Full: UK industry mulls groundbreaking state-backed parametric cyber (re)insurance pool

UK (re)insurers are consulting on a proposal to create two state-backed cyber (re)insurance schemes which would support the growth of the private market while also bolstering the resilience of the economy in the event of a catastrophic attack, even one stemming from a hostile state, The Insurer can reveal.

  • Two separate structures both featuring parametric triggers.
  • The first “Cyber Re” scheme for large corporates is akin to Pool Re and triggered by event classification.
  • The second is an SME-focused compensation scheme funded by a levy.
  • UK industry formed ABI/Lloyd’s-led high-level cyber task force late last year.
  • Cyber Re pool to build multi-billion pound reserves similar to Pool Re (~£7.5bn).

The proposal – revealed in a consultation document seen by this publication and authored by UK terrorism reinsurer Pool Re and Marsh McLennan’s consulting arm Oliver Wyman – recommends the creation of a “Cyber Re” reinsurance pool. The structure would comprise two separate schemes administered by the UK (re)insurance sector and backstopped by the UK state.

The first scheme is a reinsurance pool which would cover only the most sophisticated larger corporates and those businesses and industries deemed to be critical to national infrastructure.

The second is a public-private compensation scheme designed to protect smaller, typically less sophisticated corporates. SMEs – which currently make up almost 99 percent of UK business – generally do not buy standalone, affirmative cyber cover, with take-up rates currently estimated at below 20 percent. This “safety net” would be funded by a mandatory tariff added to cyber-adjacent traditional P&C lines.

Both schemes could be administered by the same organisation and would feature parametric triggers, with cover being triggered under a systemic event declaration and classification system such as the one operated by the newly launched UK Cyber Monitoring Centre (CMC).

Launched on 1 January 2024 as a not-for-profit organisation supported by leading UK cyber MGA CFC, CMC grades cyber attacks on a 1-5 classification system based on how severe and widespread the impact is on the economy.

   

Cyber Re for sophisticated buyers

In contrast to the levy-backed compensation fund for SMEs, the Cyber Re platform for large corporates with robust cyber defences will operate in a similar way to Pool Re, providing reinsurance to the current market to address its current inability to cover large-scale systemic cyber events via a separate premium.

It would be voluntary for insurers to participate in and be funded via a cyber premium-driven reinsurance contribution. The plans put forward suggest a pool with ~£1bn-£10bn of reserves would likely provide sufficient funding to mitigate a systemic cyber catastrophe event if supported by a state-funded backstop.

   

Start-up funding would be taken from Pool Re’s current £7.5bn reserve fund, which would then be able to recoup the costs as the UK cyber market expands (the market is expected to be ~£1bn by 2025).

Payouts under the schemes would be limited to the proportion of a business’s income that is declared for corporation tax purposes to ensure that compensation is provided for UK losses rather than those experienced by overseas subsidiaries.

SME compensation scheme

The compensation scheme would provide a “safety net structure” for unsophisticated firms. It is designed to pump instant liquidity back into the economy and provide the necessary funding to keep SME businesses afloat in the event of a large-scale cyber attack.

The compensation scheme for SMEs will be funded through a mandatory levy, administered by the insurance industry.

Under the proposals, the levy would be applied as a percentage of premium to lines of business deemed to sit adjacent to cyber risk – such as property or business interruption – with the size of the levy dependent on the sophistication of the policyholder’s cybersecurity, a move which would also act as an incentive to buy cyber insurance and to improve risk mitigation.

The proposals have been put forward by Pool Re, which is road-showing the plans to major London/international cyber markets including Beazley, CFC, Hiscox, Munich Re and Swiss Re.

They were first unveiled by Pool Re to the high-level industry cyber task force at a meeting in March. The group – co-chaired by Hiscox UK CEO Jon Dye and Lloyd’s head of underwriting solutions Patrick Davison – was formed discreetly by the Association of British Insurers (ABI) late last year after this publication revealed executives realised a new forum was necessary for the industry to present a united front in liaising with Whitehall on how to address the risk.

The proposals were born out of work carried out by Tom Clementi-led Pool Re – working with Marsh McLennan – to provide further analysis behind its 2023 report, ‘Evaluating the case for intervention in the UK cyber market’, with a focus on managing systemic cyber risk.

The report examined the scale of the cyber protection gap, caused by both weak take-up among SMEs and the lack of capacity and increasingly narrow coverage terms available to larger corporates in the event of a large-scale cyber loss. Citing the worst-case outcome of a £400bn+ estimated hit to the UK economy caused by major damage to national infrastructure, it made seven recommendations, including the possibility of a state-backed cyber reinsurance backstop similar to Pool Re.

Although the UK government has shown little enthusiasm for any new public-private (re)insurers, there is growing political awareness on both sides of the Atlantic that the current status quo is inadequate. It also comes at a time of heightened geopolitical risk which has prompted (re)insurers to exclude cyber loss emanating from state actors.

Data from the report highlights that the UK was the most digitally attacked country in Europe in 2022, accounting for 43 percent of all cases, and continues to be the most at-threat European nation with the breadth of cyber attacks on a variety of targets across the UK suggesting an apparent vulnerability perceived by cyber criminals.

   

The report cited the hacking attempt on the UK’s Sellafield nuclear site in December 2023 by groups linked to China and Russia, as well as high-profile malware attacks on Royal Mail and Greater Manchester Police in January and September 2023, respectively, as examples of cyber attacks in the UK.

In December, a group of British MPs criticised the current state of the private cyber insurance market and said a lack of planning left the UK a “hostage to fortune”. After taking advice from both the ABI and Marsh, the group also recommended that the UK government and (re)insurers collaborate to establish a state-backed reinsurance scheme for major cyber events, in a move welcomed by the ABI.

The UK has a strong track record of working with financial services – particularly the (re)insurance sector – to build long-term risk mitigation and pooling solutions.

But while Pool Re and flood pool Flood Re represent successes, policymakers have failed to put measures in place to mitigate the impact of new catastrophic risks that the country faces.

The UK insurance industry’s recommendation in 2021 that the government provide an unlimited guarantee for a new pandemic reinsurer, Pandemic Re, received a lukewarm reception from officials, suggesting that HM Treasury is reluctant to entertain more contingent liabilities on behalf of insurers and certainly any that are uncapped.

The prospect of a new UK government later this year – a general election has to be held by 28 January 2025, which means voters are likely to head to the polls in the second half of 2024 – means there is only the prospect of modest engagement with Whitehall until then. However, the report recommends that the industry proactively engages with all sides of government on cyber intervention, and works behind the scenes to develop a market consensus on a structure and a business case that can then be shared with policymakers and advanced in 2025.

The Insurer Comment

This is an exciting initiative and it is good to see the UK insurance industry is taking a thoughtful and collective approach to tackling an issue which is a challenge to all developed economies. But a reality check is also necessary: it took seven years for British insurers and the government to come up with Flood Re and that was for a peril that is easier to model than cyber.

In addition, the limited availability of flood cover for homeowners became a pressing political problem. Sadly, most public-private partnerships only emerge after a major catastrophic loss and when policymakers fear the consequences at the ballot box more than inaction. Let's hope this is not the case in the UK – and other economies – when it comes to the potential for a devastating cyber attack…

 
