shutterstock_659137978_framestockfootages
10 August 2020Insurance

How to clear the fog of cyber war and terrorism insurance

“We’re looking at it holistically from the standpoint of the insurance industry.” Rachel Anne Carter cyber director at The Geneva Association.

· Whole industry approach needed to tackle global fog of cyber war and terrorism insurance
· Development of an industry wide “common language” will aid cyber insurability · Taskforce creates new term to begin filling the gap between definitions
· Work towards a potential international solution taking a “holistic” view

The joint global insurance taskforce, set up by the International Forum of Terrorism Risk Re/insurance Pools and The Geneva Association last year, is working to defog the discussion around cyber’s grey area.

The SARS-CoV-2 virus has overshadowed much of 2020, but a taskforce set up by the insurance industry warns that the next bug to appear and wreak worldwide havoc could be a digital one.

With more than one nation state accused of cyber attacks, in addition to the acceleration of global interconnectivity, the future threats of cyber terrorism and cyber war can’t be ignored.

The NotPetya malware attack in 2016 was believed to be backed by a nation state and digital assaults have increased in number and ferocity since then.

To make any real progress on dealing with what is a global issue, the insurance industry needs to come together and tackle the risk at a global level. This was the rationale behind the joint taskforce on cyber terrorism and cyber warfare launched in October 2019 by the International Forum of Terrorism Risk Re/insurance Pools (IFTRIP) and insurance industry think-tank The Geneva Association (GA).

Rachel Anne Carter, cyber director at GA, leads the taskforce, supported by Julian Enoizi, chief executive officer of Pool Re and Christopher Wallace, chief executive officer of Australian Reinsurance Pool Corporation and president of IFTRIP.

To kickstart discussions, in July the taskforce published a report, titled “Cyber War and Terrorism: Towards a common language to promote insurability”. The thinking is that an agreed common language and definitions for this ethereal but vital area of business will enable the global re/insurance industry to work together on tackling the wider challenge.

As lead author of the report, Carter says it will mean the whole industry can discuss terrorism and war in the cyber context and insure cyber activity more accurately.

This will also help to better define the limits of what can be privately re/insured. This report is the first in a series of three on this area of cyber risk; the taskforce is working on two more that will be published later this year (see below for more information).

Carter says the problem is that cyber terrorism and cyber warfare present a large risk accumulation potential for the industry, but they are areas that are understood in traditional physical senses.

“People understand what warfare is in the boots-on-the-ground type of conflict. For example, in recent times London has experienced different types of terrorism events.

“In a physical sense people have an idea of what those risks and/or perils are. Where we as the insurance industry needed to come to as a starting point is how do we pool our knowledge in what these events are and how they translate from the physical world into the cyber world, and that convergence between physical and cyber,” she says.

She says it was in the course of discussions about this with the industry that researchers found a gap between translating traditional physical events within the cyber world and a potential gap between cyber terrorism or terrorism that was triggered by a cyber means, which are slightly different things, and cyber warfare.

This makes it difficult to determine whether a cyber attack should come under the definition of terrorism or war, with implications for insurance cover. In response to this challenge, the report proposes a new term: hostile cyber activity (HCA).

The term is intended to reduce ambiguity around an increasingly prevalent type of activity that falls somewhere between cyber terrorism and cyber war.

Greater clarity should improve consistency and transparency, in turn supporting a better understanding of the associated spectrum of risks and how they are underwritten.

Fill the gap

“In terms of cyber terrorism, what has been envisioned are more traditional events triggered by a cyber event. For example, overheating a building that then causes the building to catch fire. That can be done through cyber means such as getting into the system and making it overheat. That could also be done through a physical route,” says Carter.

“What could have been done in a physical way can now be done in a cyber sense.”

She explains that cyber war refers to a declared war or a situation of the war, where there was some physical activity but there was also a cyber war or cyber activity.

“What we’ve created in terms of filling the gap or trying to bridge that knowledge between those two examples is the HCA. A lot of activity is engaged in by nation state actors, and by organised groups with different degrees of connectivity to a state, that are more than an act of terrorism but less than what we would think of as conventional warfare or a declared act of warfare or warfare with a physical ramification.

“That’s where that term HCA comes into play.”

She adds that it was important for the taskforce to categorise it and that work towards a common language for this area is a work in progress.

“The more we gather information, the more we share among ourselves and with pools, with other stakeholders and with governments, etc, the closer we can come to an alternative solution in the future.”

The HCA is, for now, an intermediate option as the landscape for this risk is changeable.

The taskforce acknowledges the different viewpoints of re/insurers regarding the magnitude of the grey area between cyber terrorism and cyber war. This lack of clarity is due to the complexity of the risks, different commercial perspectives, legal systems and risk appetites involved. The objective is to move towards clarity and to initiate discussions.

Carter reiterates that the taskforce is focused on the implications of cyber terrorism and cyber war for the insurance industry as a whole.

“Unlike other events such as natural catastrophes that may be bounded by natural geographical boundaries, a cyber attack can infiltrate multiple carriers and multiple clients across jurisdictions either simultaneously or within a short period of time.”

This insidious, potentially all-encompassing, nature of attack is why the taskforce is looking at a potential international solution.

Carter says: “We’re looking at what that could look like or what coordination between, for example, insurers could look like. We’re looking at it holistically from the standpoint of the insurance industry.
“From that, you can derive what the industry can and can’t insure, what there is or isn’t capacity and/or appetite to underwrite. If there needs to be further clarity that can then be put in place so that there’s a continued momentum towards sustainable underwriting.”

More reports

The report “Cyber War and Terrorism: Towards a common language to promote insurability”, is available on The Geneva Association website.

The second and third reports in the series will examine the importance and difficulty of attribution in the current cyber insurance framework and proposed remedies; and how to quantify the impact of potential losses as well as proposing potential solutions from insurers, capital markets and public entities.

Global hits

Cyber attacks could cost the global economy $6 trillion per year by 2021, according to cyber security firm Specops Software. The firm analysed data from the Center for Strategic and International Studies for the period May 2006 to June 2020 to find which countries were targeted most.

America suffered the most cyber attacks classified as significant, with 156 incidents; the UK ranked second with 47 major attacks; India was third, suffering 23 substantial incidents.

In 2019, the UK National Cyber Security Centre helped UK organisations tackle more than 650 cyber attacks in the previous 12 months. It said hostile nation states were responsible for a significant number of the attacks on UK-based targets.

Already registered?

Login to your account

To request a FREE 2-week trial subscription, please signup.
NOTE - this can take up to 48hrs to be approved.

Two Weeks Free Trial

For multi-user price options, or to check if your company has an existing subscription that we can add you to for FREE, please email Elliot Field at efield@newtonmedia.co.uk or Adrian Tapping at atapping@newtonmedia.co.uk


More on this story

Insurance
21 August 2020   The UK reinsurance firm placed into run-off by CNA and sold to legacy vehicle Tawa UK in 2002.
Insurance
3 September 2020   Fusion and AGCS will offer W&I solutions serving the private equity and corporate M&A marketplace.
Insurance
3 September 2020   The company has hired a specialist D&O underwriter who previously worked at Neon, QBE, Navigators and Antares.