ARGUMENT: CYBER-INSURANCE

If Cyber Is Uninsurable, the United States Has a Major Strategy Problem

Published 28 July 2023

The opinions of leaders in the insurance industry are not to be taken lightly: these are experienced leaders and among the most respected minds in the global market. And they’re concerned. Or downright terrified. The debate within the insurance industry over cyber risks reveals an important potential weakness, but the reality is far more nuanced.

The most recent U.S. national cybersecurity strategy leans heavily on private-sector support, including from the insurance industry. Under Strategic Objective 3.6, the administration will explore “the need for and possible structures of a Federal insurance response to catastrophic cyber events that would support the existing cyber insurance market.”

Tom Johansmeyer writes in Lawfare that, prudently taking the view that structuring a solution before an event occurs instead of rushing to provide aid after, the national cybersecurity strategy seeks a supporting role for government in the existing commercial insurance market, a view that many in the insurance industry support.

He adds:

However, some key insurance industry leaders disagree, and the fact that they don’t could become a problem, impeding the flow of capital to the insurance industry and simultaneously forcing open a gap in U.S. cybersecurity strategy.

Despite the development of a reasonably large, stable, and resilient cyber insurance market, some observers still contend that cyber is not insurable. They claim that the risk is too big, too dynamic, too embedded, or simply too new to understand. Should the worst of worst-case scenarios occur, such as the complete shutdown of the internet worldwide for a week, as one insurance executive told me, the consequences would be virtually unimaginable. The disruptions to communications, supply chains, and end-consumer commerce would be both broad and deep—and on a scale certainly not seen so far. This inherent contradiction in the market could ultimately undermine the U.S. view of cybersecurity strategy. The U.S. national security strategy implies a role for a robust and reliable cyber insurance market, which means that U.S. cybersecurity relies on the availability of insurance. 

Insurability as a general matter relies on several underlying characteristics, including a large pool of “homogeneous exposure units,” independence among those units, and the avoidance of potential catastrophic events, among other things. Like many risks, including property, cyber could be seen as uninsurable. Technology, as is said all too often, has permeated our lives and become embedded in everything we do. We’ve all heard this ad nauseam, and it is largely true. The outage of a logistics system used by major shipping companies could cause backups at large ports and empty grocery shelves across the country. However, insurability is not limited to the academic definition above: Many classes of insurance risk do not consist of large pools of homogeneous exposure units. Specific and unique risks are regularly underwritten in the specialty market. And catastrophic risks are routinely transferred to reinsurers, as the property insurance market has done as a matter of course for decades. Cyber insurance is no different, with smaller risks following the definition of insurability above, and larger specialty risks requiring unique and specific attention.

The tendency to believe that cyber is uninsurable because of the vastness and interconnectedness described above comes down to a fear of the unknown applied to a large interconnected system that implies swift and significant consequences if something goes wrong. Such concerns are evident in the perspectives of several insurance executives on the insurability of cyber risk, including Zurich Insurance CEO Mario Greco, Convex Insurance Executive Chairman Stephen Catlin, and Swiss Re CEO Christian Mumenthaler. Theirs are opinions not to be taken lightly, as experienced leaders and among the most respected minds in the global market. And they’re concerned. Or downright terrified.

Johansmeyer concludes:

Cyber risk may be insurable, but the insurance market could certainly benefit from some more help. Reinsurance support has been crucial in expanding the breadth and depth of cyber insurance protection, but new sources of capital to address specific scenarios will provide the backbone for the next phase of industry growth. And for the risks too large and remote to be transferred even to new capital sources, a federal backstop could provide the comfort necessary that even the worst cases will be addressed according to plan.