In a political environment in which the role of government is reducing, is there a place for intervention in the availability of Cyber insurance?
When the basics of a functioning market have failed, previous interventions have proven to work. Pool Re was set up in 1994 in response to IRA bombings, when the insurance market began to withdraw coverage. More recently the Government helped form Flood Re, which will provide affordable flood cover for UK households.
The UK market capacity for cyber insurance is thought to be around £500m but is that adequate? There has been talk in Whitehall of a possible 'Cyber Re', whereby the government could help the insurance industry fund the extreme losses caused by Cyber. One of the prerequisites of formulating a Government 'Pool', however, is to be able to define the risks that need insuring. Cyber Risk covers such a broad range of exposures - customer data loss, errors and omissions, crime and loss of revenue, that it is difficult to clearly define and quantify the risks to be covered. Take into account overseas data storage, supply chain vulnerabilities and interdependency, then assessing these risks becomes even more problematic.
The UK Government is already contributing positively to Cyber risks by helping increase the awareness and the extent of potential harm. They have also introduced good standards for security and risk management. Financial intervention, however, is probably one step too far for now.In the meantime there is a clear need for the insurance industry to adopt a consistent approach to risk assessment and policy coverage. And they can only do so in conjunction with British businesses who need themselves to develop a better understanding of the risks, and manage them more effectively.