How to clear the fog of cyber war and terrorism insurance
Digital attacks are on the rise and a number of nation states are in the frame. The global insurance industry needs to come together to find a solution but it is mired in complexity and differences in definition. Intelligent Insurer finds out what a global taskforce is doing to bring clarity to the discussion.
The SARS-CoV-2 virus has overshadowed much of 2020, but a taskforce set up by the insurance industry warns that the next bug to appear and wreak worldwide havoc could be a digital one.
With more than one nation state accused of cyber attacks, in addition to the acceleration of global interconnectivity, the future threats of cyber terrorism and cyber war can’t be ignored.
The NotPetya malware attack in 2016 was believed to be backed by a nation state and digital assaults have increased in number and ferocity since then.
To make any real progress on dealing with what is a global issue, the insurance industry needs to come together and tackle the risk at a global level. This was the rationale behind the joint taskforce on cyber terrorism and cyber warfare launched in October 2019 by the International Forum of Terrorism Risk Re/insurance Pools (IFTRIP) and insurance industry think-tank The Geneva Association (GA).
Rachel Anne Carter, cyber director at GA, leads the taskforce, supported by Julian Enoizi, chief executive officer of Pool Re and Christopher Wallace, chief executive officer of Australian Reinsurance Pool Corporation and president of IFTRIP.
To kickstart discussions, in July the taskforce published a report, titled “Cyber War and Terrorism: Towards a common language to promote insurability”. The thinking is that an agreed common language and definitions for this ethereal but vital area of business will enable the global re/insurance industry to work together on tackling the wider challenge.
As lead author of the report, Carter says it will mean the whole industry can discuss terrorism and war in the cyber context and insure cyber activity more accurately.
This will also help to better define the limits of what can be privately re/insured. This report is the first in a series of three on this area of cyber risk; the taskforce is working on two more that will be published later this year (see below for more information).
Carter says the problem is that cyber terrorism and cyber warfare present a large risk accumulation potential for the industry, but they are areas that are understood in traditional physical senses.
“People understand what warfare is in the boots-on-the-ground type of conflict. For example, in recent times London has experienced different types of terrorism events.
“In a physical sense people have an idea of what those risks and/or perils are. Where we as the insurance industry needed to come to as a starting point is how do we pool our knowledge in what these events are and how they translate from the physical world into the cyber world, and that convergence between physical and cyber,” she says.
“The report ‘Cyber War and Terrorism: Towards a common language to promote insurability’, is available on The Geneva Association website.”
She says it was in the course of discussions about this with the industry that researchers found a gap between translating traditional physical events within the cyber world and a potential gap between cyber terrorism or terrorism that was triggered by a cyber means, which are slightly different things, and cyber warfare.
This makes it difficult to determine whether a cyber attack should come under the definition of terrorism or war, with implications for insurance cover. In response to this challenge, the report proposes a new term: hostile cyber activity (HCA). The term is intended to reduce ambiguity around an increasingly prevalent type of activity that falls somewhere between cyber terrorism and cyber war.
Greater clarity should improve consistency and transparency, in turn supporting a better understanding of the associated spectrum of risks and how they are underwritten.
Fill the gap
“In terms of cyber terrorism, what has been envisioned are more traditional events triggered by a cyber event. For example, overheating a building that then causes the building to catch fire—that can be done through cyber means such as getting into the system and making it overheat. That could also be done through a physical route,” says Carter.
“What could have been done in a physical way can now be done in a cyber sense.”
She explains that cyber war refers to a declared war or a situation of the war, where there was some physical activity but there was also a cyber war or cyber activity.
“What we’ve created in terms of filling the gap or trying to bridge that knowledge between those two examples is the HCA. A lot of activity is engaged in by nation state actors, and by organised groups with different degrees of connectivity to a state, that are more than an act of terrorism but less than what we would think of as conventional warfare or a declared act of warfare or warfare with a physical ramification.
“That’s where that term HCA comes into play.”
She adds that it was important for the taskforce to categorise it and that work towards a common language for this area is a work in progress.
“The more we gather information, the more we share among ourselves and with pools, with other stakeholders and with governments, etc, the closer we can come to an alternative solution in the future.”
“We’re looking at what that could look like or what coordination between, for example, insurers could look like.”
Rachel Anne Carter, cyber director, GA
The HCA is, for now, an intermediate option as the landscape for this risk is changeable.
The taskforce acknowledges the different viewpoints of re/insurers regarding the magnitude of the grey area between cyber terrorism and cyber war. This lack of clarity is due to the complexity of the risks, different commercial perspectives, legal systems and risk appetites involved. The objective is to move towards clarity and to initiate discussions.
Carter reiterates that the taskforce is focused on the implications of cyber terrorism and cyber war for the insurance industry as a whole.
“Unlike other events such as natural catastrophes that may be bounded by natural geographical boundaries, a cyber attack can infiltrate multiple carriers and multiple clients across jurisdictions either simultaneously or within a short period of time.”
This insidious, potentially all-encompassing, nature of attack is why the taskforce is looking at a potential international solution.
Carter says: “We’re looking at what that could look like or what coordination between, for example, insurers could look like. We’re looking at it holistically from the standpoint of the insurance industry.
“From that, you can derive what the industry can and can’t insure, what there is or isn’t capacity and/or appetite to underwrite. If there needs to be further clarity that can then be put in place so that there’s a continued momentum towards sustainable underwriting.”
The report “Cyber War and Terrorism: Towards a common language to promote insurability”, is available on The Geneva Association website here:
The second and third reports in the series will examine the importance and difficulty of attribution in the current cyber insurance framework and proposed remedies; and how to quantify the impact of potential losses as well as proposing potential solutions from insurers, capital markets and public entities.
Images (from top): Shutterstock / Getmilitaryphotos, bibiphoto, zefart