Terrorism: managing and mitigating an evolving threat

In attendance

Ed Butler, head of risk analysis, Pool Re

Matthew Connell, director of policy and public relations, Chartered Insurance Institute

Laura Goldsworthy, head of political violence and terrorism, Advent

Chris Parker, lead terrorism underwriter, Beazley

Charlotte Pritchard, terrorism and political violence underwriter, Barbican Insurance Group

Gordon Woo, catastrophist, RMS

Moderator: Owen Faulkner, Intelligent Insurer

How has the terrorism threat evolved in recent years?

Ed Butler: We shouldn’t be surprised by recent terrorism events in London and Manchester. Islamist extremists’ intentions have not changed, but their capability and capacity to undertake more sophisticated attacks has. They appear to be in line with their strategy and this is demonstrated by their run of attacks in Europe over the last two to three years starting with the attack on the offices of Charlie Hebdo, and later in Paris, Nice, Brussels and wider Europe. What we are seeing now is the new “front” in terms of Islamist extremists undertaking brutal, mass casualty attacks within the UK.

In terms of surveillance of suspects—and all credit to the security agencies who, since 2013, have prevented 18 attacks similar to those we’ve seen in the last three months—the sheer volume of perpetrators is going to create the persistency and severity of incidents we’ve witnessed over the last three months.

The key issue is that their intent remains the same but their capabilities are increasing, ranging from low-tech off-the-shelf devices, bladed weapons and vehicles to the IEDs being used by the suicide attacker in Manchester. The concern is that we are likely to see them combining these methodologies into even more sophisticated ways and means of causing mass casualties.

We’re increasingly seeing lone actors being involved. The attacker at Westminster in March was acting on his own and it was certified by the government as a terrorist act. Salman Abedi acted on his own, but had the support of a wider network.

To quote the retired US General and former director of the CIA David Petraeus: “You can’t put a stake through the heart of an ideology.” The kind of terrorism I grew up with, during my military career, in Northern Ireland and elsewhere, was much more of a conventional fight; this is now very unconventional.

Gordon Woo: In relation to insurance, in our modelling we distinguish between micro and macro terror attacks. Micro terror attacks typically cause pretty minimal insurance loss. These are the kind of attacks which could occur on a fairly routine basis. For example, last year in London there were 61 stabbing deaths and in 2015 there were 427 pedestrian deaths in Britain. So, in terms of their impact for insurers of property or vehicles, micro terror attacks could be merged into those crime statistics.

When we talk about the new evolving terrorism threat, what is not evolving are the underlying principles. These always remain the same—for example, that terrorists follow the path of least resistance. If you put barricades up on bridges, we won’t see any more attacks on those bridges. We’ll see attacks somewhere else.

Another principle that is very important is that that too many terrorists spoil the plot. If you have too many people involved, it makes it more likely that one of them will end up being trapped by MI5, which has really exceeded expectations in recent years for countering the terrorist threat. The good news for insurers is that the kind of plots which cause serious property damage are the plots most likely to be intercepted by the security services. If there is a small number of operatives involved, it’s harder. For example, with the recent attacks at Westminster, Manchester and London Bridge with lone actors or a very tight group, I’d calculate that MI5 had only a 5 percent chance of stopping all three of those attacks.

From a modelling perspective, the Westminster and the London Bridge attacks are both micro attacks in the sense that the kind of harm inflicted on people—terrible though it was—can be merged with the general crime statistics.

Furthermore, on the morning after the Manchester Arena attack in May the Prime Minister made a very important statement when she said that it was the worst attack in Manchester. She would have known that 21 years ago the biggest Irish Republican Army bomb went off at the city’s Arndale Centre shopping centre. This has important implications for risk modelling because she was saying that the killing of 22 people and injuring many more at the Manchester Arena was worse than causing £400 million ($507 million) worth of insurance damage, but no deaths, at a shopping centre in 1996. While we may know instinctively that human life is more valuable than property, people often complain that you cannot monetise that human loss. But in modelling terms, Theresa May’s statement essentially does that.

Butler: A lot of the points raised by Gordon are absolutely pertinent to where the coverage is at the moment. It is still providing cover for “property over people”. We will have more attacks in Europe and in the UK. Success breeds success; others who are of the same ideology are looking at recent events and saying “I could do the same. All I need to do is sharpen some kitchen knives and hire a van.”

Woo: In terms of insurers being prepared to write more terrorism cover for property damage, the market could expand. I’ve always favoured a risk-based approach for aggregating potential losses around any particular terrorist attack site.

Rather than just drawing a circle and saying ‘if a 2-tonne bomb goes off here then you’ll get this loss’, it should be risk-based, ie, you should weigh the outcomes according to their likelihood. The chance of a really mega-sized bomb going off, such as the last IRA bomb in 1996, is much smaller these days.

Butler: If you use hazardous chemical material or put a chemical agent in an IED then you’re doubling the effect. You’re quadrupling the effect if you start using radiological dispersal devices (RDDs) in particular, something like caesium-137.

To Gordon Woo’s point about Prime Minister May saying Manchester Arena was a greater loss than Arndale, we covered the £400 million property and business interruption loss through the Pool Re scheme. However, when you start looking at some of the economic losses, including denial of access and loss of attraction, that we saw in Paris, Brussels and Nice (and we will see similar effects after the attacks in London) these are big figures. KPMG reported that, during 2015/16, the French economy lost between $10 and $12 billion, a significant amount and a large proportion of GDP. Belgium suffered similar losses to France.

Charlotte Pritchard: The new French president Emmanuel Macron has announced the creation of a counter terrorism unit and that definitely ties in very much with what you’re saying. We can all agree that the threat has evolved, moving away from property damage to an increased focus on human targets. Alongside this, according to the Global Peace Index, the world’s expensive slide into violence and unrest continued last year with conflict, terrorism and political instability costing the global economy $13.6 trillion.

Is the industry prepared? How has coverage widened from recent events?

Laura Goldsworthy: The insurance industry has a responsibility to make sure that they’re not just responding to these events but making sure customers and businesses are protected, their people are protected; we need to move away from just thinking like property insurers.

Pritchard: In the last three years in particular, we’ve seen a vast increase in standalone business interruption (BI) cover coming into the market, removing the need for a property damage trigger and active assailant wordings. We are seeing what were historically written as extensions, or sub-limits within covers, now becoming policies in their own right to attempt to bridge the evolving gaps.

Goldsworthy: People aren’t going to keep buying terrorism coverage if it’s thought that it won’t respond.

Chris Parker: It has to evolve, you’re right.

Goldsworthy: The attack in Westminster meant insurers had to drill right down into our data to see where are we offering BI coverages such as denial of access, because we knew there was going to be minimal property damage loss. But how many neighbouring businesses do we insure? For the market, that might make insurers nervous because they aren’t used to paying claims in the UK, but we have to be providing this broader cover to some extent or people are going to stop buying it.

Pritchard: The property damage trigger has always given us a level of comfort because we have a visible tie to a probable maximum loss (PML). Now that we are seeing a shift in moving away from having the property damage trigger, that’s leading to more research and modelling per risk. A number of insurers now have teams dedicated to establishing what that maximum loss could look like.

Parker: You can work out pretty quickly whether you’ve got any visible damage, but do you put in your model all of the denial of access, all the ingress, egress, all those contingent BI risks? Not many people in the market model them, I guarantee you that. So that idea has to change, but I think the market has for several years been writing policies like loss of attraction.

You don’t need to have physical damage anywhere near your property as long as it’s within a set radius of wherever your property is—you set that yourself—and it could be a key trigger location. If your hotel business had been affected because of attacks at the weekend, you would have coverage because you would see your revenues go down, and you could prove that using forensic accountants.

We’ve sold more loss of attraction policies in the last 12 months than in the last five years. That product has been evolving all the time. It’s akin to the political risk market where you create a lot of bespoke policies. Terrorism cover has quite often been off the shelf. When it comes to the loss of attraction every client wants to be covered in different ways and create different zones rather than just a 5km radius from a key asset.

Some clients have had an independent company model where all their properties are and all the other likely targets around them so you get an irregular shape, and they cover everything within that shape. They’re certainly buying it at the moment, and I think that will continue.

Butler: Are they buying that under their property cover?

Parker: No, we’re writing it as a purely standalone product because our belief is if you’re going to write these coverages you should do so on a standalone basis rather than as a supplement under a terrorism or a property policy. Give a proper coverage with a proper wording, you can have response services around the product if you need to as we’ve been doing it for many years in the kidnap and ransom (K&R) world.

Woo: Who is buying this kind of policy?

Parker: Hotel companies, car rental companies, anyone in the tourist industry. Restaurants, theatres, and transportation because people are not flying to some of these areas or using the trains to go to them. Those industries are buying this sort of loss of attraction policy. When it comes to the active shooter, so many different industry sectors are buying that product.

Woo: What kind of excess are you requiring? I can imagine that quite a lot of these events would need to demand factors for a time period of days rather than weeks or months?

Parker: It does vary and some have a number of days, but all our policies have a trigger. Profit has to drop below a certain amount. Once it drops below that, the policy kicks in. Clients can set the trigger. Some may be happy to retain the first 30 percent but when profit reduces by more than 30 percent they want coverage. If profit keeps reducing the policy keeps paying.

Woo: Where are you seeing this kind of cover?

Parker: We’ve sold policies to clients in Germany, Holland, France and the UK.

Goldsworthy: How do you manage the ultimate downside if you’ve got multiple different companies in one country all buying this and a major airport is attacked?

Parker: This is where we’ve had to change our model to look at all the other exposures. Before, we’ve just had a circle with a particular radius, our blast zone, and we know what’s in that blast zone so we’ve worked out what we can lose if a loss occurs within that zone. We look at the other exposures, apply PML to all of those.

Just because an event occurs at another location, if a client had bought the loss of attraction coverage and the event was within their 5km zone, they may not have suffered any financial downturn at all. It’s not necessary that they have a loss but you have to have the risk captured on your aggregate system and then calculate your potential exposure.

Matthew Connell: The powerful thing is that the sophistication and understanding about the effects of terrorism then feeds through to other benefits right across society because you’re sharing the risk with the businesses. Your understanding of how things are effective can then feed back into the terms of the advice you give to businesses and in turn the measures they take to mitigate the economic impacts.

Butler: From the Pool Re perspective, the ‘insurance gap’ is now better understood, but there is a bigger issue. The government is starting to recognise that there is a gap in the cover available for property versus that for people, for which compensation is paid under the Criminal Injuries Compensation Scheme.

Payments under the UK criminal injuries compensation scheme are some of the lowest in Europe. What the government paid out after the 7/7 London bombings was small in comparison to what was paid out by the US government after 9/11 and by the Spanish government after the March 2004 Madrid train bombings. If customers’ personal life cover excludes terrorism, the insurance market has a role to offer cover, or as a minimum, alert the customer that there is a gap in their standard cover.

In addition to the ‘insurance gap’ there are two other gaps: the ‘information gap’ and ‘penetration gap’. It’s very hard to sell the policy if the consumer does not understand what the threat is and why they are vulnerable. Generally, understanding of the threat is better in London than in the regions. It is particularly hard for a broker to sell a product to somebody who has a small independent business on the High Street if they don’t believe that an attack will happen in their city or town, if they believe their standard insurance will cover it, or if they think the government will pick up the bill.

Regrettably, they are misinformed on all accounts. All these gaps, as illustrated by the uninsured losses that occurred in London Borough Market, need to be addressed.

Goldsworthy: You’re talking about the UK where insurance penetration is huge and people understand insurance: they buy it for their dog, their bike; but if we’re talking about terrorism insurance outside the UK, even when there are threats, in Nigeria, for example, insurance penetration as a whole is less than 1 percent so growth for our market outside the UK relies on trying to change their habits just to buy insurance full stop.

Butler: You’re as likely to be a victim outside London as you are in London. The impact of terrorism is growing and insurance penetration is far lower outside London. One of our challenges, from an educational and thought leadership perspective, is to get the right message across to our members and to insureds.

As for the threat to British interests overseas, we’re doing some work with the Office for Security and Counter Terrorism (OSCT), looking at the feasibility of having similar re/insurance cover schemes to those we have in the UK, in countries of concern.

For example, if you go on an overseas business trip or holiday the balcony outside your hotel or the gas heater has to meet ABTA-approved standards; but there is no quality standard for security for the majority of international hotels. We need the same sort of approach to security. Just as a structural engineer checks the physical safety of a hotel, so too can a security consultant undertake a security review looking at physical, procedural and technical security measures, such as baggage X-ray machines or the quality and standard of the hotel security guards. If these can be accredited to a UK standard, then not only will the guests be more secure but appropriate insurance cover can be provided.

The police and MI5 are facing a capacity issue. This was illustrated by assistant commissioner for specialist operations of the Metropolitan Police Service Mark Rowley stating recently that the security services are dealing with over 500 ‘live cases’ at any one time and there are 3,000 individuals who are judged to pose a threat and are under investigation and are being actively monitored.

Many observers believe that our counter terrorism policy and legislation are still pretty firmly lodged in the last century, structured on dealing with ‘conventional’ terrorism, as opposed to extremists who are ideologically driven. How do we move into the 21st century and have a counter terrorism strategy and capability that meets and exceeds the full spectrum of current and future terrorism threats?

Parker: These attacks have raised awareness in the UK for people who have not been affected by them before, but there’s still a mentality of ‘it won’t happen to me’. You’re going to scare people if all of a sudden you tell them how many people you’re looking at and the real threat. But we have to raise that awareness still further and actually make sure people understand that this is something we’re living with right now and for the next 20 or 30 years.

Butler: In the last 12 to 18 months, the police and MI5 continue to arrest one person a day for a terrorism-related offence. One of the many challenges for business is how best to communicate the threat to their staff, making them aware but not alarming them.

Connell: It’s inviting people to be active. People feel that they know how to reduce crime more than they know how to combat terrorism.

Butler: We’ve been at ‘Severe’ since 2014; it was raised to this level after the discovery that terrorists had the potential to deploy non-metallic bombs on aircraft. The threat level in the UK has not been reduced since. The challenge for everyone is to prevent complacency among the public and make sure they remain alert to the changing threat environment and implement the appropriate crisis response and mitigation measures.

The attack at the Manchester Arena saw the threat level rise to ‘Critical’; this alert state defines the threat as imminent or an attack is ongoing. There appeared to be varying responses by the private sector to this increase in the threat level; some initiated their business continuity plans, others remained ‘business as usual’. At Pool Re, we advised our staff to work at home as we understood that the threat was not confined to Manchester and, in our judgement at the time, a follow-up attack could have occurred in London.

We very much saw this as a duty of care matter and, based on our understanding of the threat and our in-house experience, put the safety of our people first and foremost.

We’ve had three Islamist extremism motivated attacks in three months. If there are more over the next two to three months, people will become more alarmed, and in this scenario leaders and managers need to decide what to say to their staff.

Is advice given to them to come into work or to work at home? What’s the best advice and where do managers find that advice? How do companies maintain ‘business as usual’ when there is a sustained threat level and staff are worried? These are all high level decisions and plans that need to be agreed and rehearsed pre-event as opposed to post-incident.

It’s fine if you’re a big business with in-house security expertise, but if you’re an SME and you don’t have a security professional or consultant, how do you make balanced, risk-aware decisions? Appropriate and timely communication with your employees is essential to business continuity.

Woo: When the so-called operational forecast events for tsunamis and earthquakes, etc, are commensurate with the level of threat then measures can be taken in terms of, for example, evacuation. I was interested to hear that because, clearly, there is gap.

Parker: There is a gap, it’s an extension on the loss of attraction coverage called government lockdown. In Brussels at New Year when they’d had attacks earlier in March, the government decided to close the city. There was no threat, they just said it was the prudent thing to do so all those businesses on the busiest and largest financial night of the year couldn’t open. If you looked at the standard loss of attraction policy at that time, that event wasn’t actually covered because again, it’s about the trigger.

We decided that we had to expand the policy to cover such an event so we created an additional insured peril ‘forced government lockdown’ so that any such future event would be covered.

Butler: When the government provides travel and security advice it is concerned about the liability it might be exposing itself to. The massacre of British tourists on the Tunisian beach is an interesting case in point. At the time, the Foreign Office advice was that travel to Tunisia was permissible. Therefore, businesses, travel agents and travellers followed that advice and assumed it was safe. We are now seeing this advice being challenged in the courts with families who lost loved ones and travel companies taking legal action against their travel agents and the government for the advice they provided.

We are seeing the same with the motor claims insurance market after the Westminster and London Bridge attacks where vehicles were hired from hire companies. Where does the liability fall? Is it the responsibility of the terrorism re/insurance providers or motor insurers?

Goldsworthy: A standard all risk liability policy is often silent on terrorism, so our market is providing an evolving standalone terrorism product for liability. Initially it was relatively restrictive cover, but people understand now that products need to respond.

Is there a greater appetite for reinsurance based on these types of risk?

Parker: There will always be a need for it because exposures can aggregate quite quickly. If a lot of companies had bought contingent BI coverages, then the insured losses could have been enormous.

Goldsworthy: We have some very intelligent people in our modelling team and as of this year they picked up on the extra coverages that are coming through and it is something we can pull out and report on.

Woo: I imagine there would be a demand for an annual aggregate cover in which you take all the events that occur in 12 months. Because, in terms of reinsurance, no single event necessarily acts as a trigger.

Goldsworthy: My book has been much more focused on emerging markets, with higher frequency, lower severity style attacks, and social perils—things that would rarely trigger a traditional XOL reinsurance protection.

Butler: We buy just under £2 billion of reinsurance cover, which is all we can secure from the global market at the right price and the right quality. We buy this cover because it provides further protection against the consequences of a major terrorist attack and puts the taxpayer further away from the loss. It also protects our overall fund which is the buffer we provide until we have to draw on the government guarantee. This reinsurance cover extends the protection that Pool Re’s fund provides for a macro terrorism event.

The current debate is all about non-property damage and associated business interruption and the tragic loss of human life. However, we cannot ignore the possibility of another spectacular attack, as warned late last year by Sir Michael Fallon when he said Al Qaeda still has the intent to mount a spectacular attack the UK.

The challenge facing the police, MI5 and the insurance sector is that no threat ‘falls off the table’. By this, I mean that we have to be prepared to manage the consequences of low technology, off-the-shelf attacks, focused on causing mass casualties, as well as a catastrophic attack on critical national infrastructure which would result in a huge property claim.

The preferred target, especially for Al Qaeda, remains the aviation sector and to deliver another 9/11.

Connell: That’s where the model of the first line being commercial insurance and then the government standing behind the completely unexpected and the huge scale, is important.

Butler: Providing effective reinsurance cover for a catastrophic cyber terrorism or the CBRN event remains one of our top priorities. The major issue with a CBRN event is that the size of a potential loss is a quantum more than a conventional attack; we could see a loss increasing by a factor of 10.

The same is true with the aggregate losses that might result from a cyber terrorism incident. If a terrorist could cause a fire or an explosion through a cyber trigger, for example causing a crowded office building to collapse, we could be looking at similar losses to 9/11. We have been working with Judge Business School at Cambridge on these types of scenarios and, most importantly, how companies might prevent and mitigate such attacks.

How do you make the distinction between the two? When is a cyber attack considered a terrorist attack?

Goldsworthy: That’s such a grey area and that’s why we haven’t got involved just yet until we are more familiar with it.

Butler: You’ve put your finger absolutely on the nub of the problem: attribution. For any terrorist incident, it has to be certified by the Treasury before claims can be processed by us.

If, for example, Daesh was able to cause a fire explosion by a cyber trigger which killed 1,000 people, it will be very hard to determine who the actual perpetrator was. Will the government be able to say such an attack was terrorism, state-backed or another rogue actor?

Goldsworthy: Which is one of the main differences between the pool and standalone terrorism—we have a definition of terrorism and it doesn’t need to be certified. We don’t write cyber, but that must be what the cyber market is doing, they have their specific definitions.

Pritchard: That’s another part of the problem—there’s still so much that is unknown. As cyber terrorism continues to develop, this is another aspect of the market which is evolving. The direction it will take is still very much to be seen.

Could Pool Re be a template for other countries? Could this risk be taken by private sector?

Goldsworthy: A lot of European countries, America, Australia have very similar templates, with varying coverages. Some cover CBRN, some don’t. On the whole that tends to work. The Boston Marathon bombing in April 2013 for example wasn’t classified as terrorism by the Secretary of State and which was necessary for the Terrorism Risk Insurance Act to have triggered. There are limitations to the pools’ cover, but there’s no denying their reinsurance capacity is far bigger than any single standalone market.

In emerging markets, I am sceptical that the insurance sector is mature enough to operate and coordinate or have the infrastructure to operate an effective terrorism pool.

Pritchard: I agree, in a number of territories I just don’t think there’s the knowledge of the cover provided, whether from the pools or private sector. This is combined with a reluctance to understand or concede that there’s a problem—and that’s where there needs to be progress.

Butler: Since autumn 2015, we have been collaborating much more closely with our international partners. This collaboration and understanding is all about sharing our experiences, knowledge of the threat and how our individual schemes can provide terrorism cover which is both accessible and affordable. We believe that it’s absolutely the right thing to do because there’s no advantage in acting unilaterally when the threat is global, persistent and evolving.