The insurance industry cannot tackle cyberrisk alone, but the pooling mechanisms used to cover other systemic risks offer only a partial solution, panelists at a terrorism insurance conference said.
Cyrus Delarami, head of Europe and rest of world direct, cyber, in Munich Re's facultative and corporate division, told the annual conference of the International Forum of Terrorism Risk (Re)Insurance Pools, or IFTRIP, that the insurance and reinsurance industry should cover "as much as possible" of the cyberrisk. But he added that, like a pandemic, a cyberattack can have a global impact, eliminating the diversification benefit that insurers and reinsurers get from writing business in different countries and meaning that the industry's capital "at some point will be limited."
There has been talk of creating pools for cyberrisk along the lines of those set up to cover terrorism risk, such as the U.K.'s Pool Re. But Delarami said the global nature of the threat meant that "you're not really solving the problem" by simply creating pools. Pools "can help in order to tackle a couple of the problems," he said, but were "not the only way ... to overcome this."
He added that government-backed solutions were needed for extreme, uninsurable cyberrisks, such as cyberattacks that bring down critical infrastructure or cyber warfare, and that ideally there would be a global solution. But he noted that the challenge of bringing together so many opinions and attitudes was "a tricky one" and meant that the "chances of realization on a national level should be more easy to handle."
Fellow panelist Ariel Levite, senior fellow of the cyber policy initiative at the Carnegie Endowment for International Peace, said, "I wish pools were the answer" and that they "may be a part of the answer" to the cyberinsurance issue, but could not be a complete answer "because of the global cascading effects of such scenarios." He added that the global nature of the problem "has a dampening effect on the willingness of states to consider national solutions," making the situation "even trickier" than that outlined by Delarami.
Rachel Anne Carter, director of cyber at the Geneva Association insurance think tank, said on the panel that the organization was researching cyber pooling solutions for an upcoming report in conjunction with IFTRIP. Although the research had not yet arrived at any solutions, she said initial discussions suggested that "for true extreme tail events ... there will to some extent need to be government involvement. Whether that is in the form of a pool, [insurance-linked securities] and/or another solution is yet to be decided upon."
She also said that as far as possible, capacity to take cyberrisk "should remain with the market," and additional solutions applied only for risks that exceed the market's capacity and appetite.