Governments should not be the cyber insurer of last resort

Unlock Editor’s Digest for free

FT editor Roula Khalaf selects her favorite stories in this weekly newsletter.

Insurers are in the risk business. But some dangers make them nervous. Attacks on computer networks are a prime example. Berkshire Hathaway’s Warren Buffett compares them to rat poison because of the spiraling impact on policies of a single event.

The growing global cost of such crimes – expected by US officials to top $23 billion by 2027 – far outstrips the cyber insurance market, which is about 800 times smaller. Insurers argue that such a large gap can only be covered by governments. The case is not clear.

Insurer Zurich and broker Marsh McLennan are the latest to support state intervention. They point to the precedents provided by nuclear energy risks, natural disasters and terrorism. Government support could encourage insurers and reinsurers to expand coverage and provide additional capacity, says the Geneva Association, a global association of insurers. Such a move could improve resilience, as insurers would have to require policyholders to install strong controls. This could create a virtuous circle, reducing the chance that the government will ever be forced to intervene.

But there could be unintended consequences. Knowing that a government will foot the bill could encourage more attacks — especially state-sponsored ones. Another concern is that it could hinder the development of the nascent but fast-growing cyber insurance market. Ill-conceived government protections could stifle innovations, such as last year’s pioneering cyber disaster liability.

Defining the threshold that would trigger government protection is difficult. Some experts believe cash-strapped governments could find themselves on the hook for more than they bargained for. Patrick Tiernan, head of markets at Lloyd’s of London, says the insurance industry needs to do more modeling and customer education before it can apply for government help. Citing intelligence sources, he suggests that around nine out of 10 cyber attacks could be prevented through better cyber hygiene.

Given the weak controls in many companies, government support clearly creates moral hazard. It could make companies less motivated to strengthen their defenses against cyber attacks. It’s not clear why companies that don’t use basic cyber protections should be subsidized by taxpayers, says Daniel Woods, a lecturer in cyber security at the University of Edinburgh.

There is a case for state intervention to bridge the gap created by war and infrastructure exclusions in insurance policies. But governments are rightly reluctant to write blank cheques. As things stand, there is limited evidence that a large-scale protection system is needed. It would probably take a truly catastrophic cyber attack to change that view.

[email protected]