Insurers asked UK government about reinsurance cover for state-backed cyber attacks

Insurers have held discussions with the UK government over whether its terrorism reinsurance scheme should cover state-backed cyber attacks, amid growing concern over holes in the safety net provided by the private sector.

According to The Financial Times, citing people familiar with the matter, senior industry executives have had initial talks with Treasury officials over whether Pool Re, created to share terrorism risks, could be expanded to cover state-sponsored or war-related cyber attacks. These events are not covered under standard insurance policies.

Pool Re was set up in 1993 after underwriters, spooked by IRA bombing campaigns in the UK, pulled back from insuring acts of terror.

It shares risk with primary insurers, and though it is owned by the insurance industry, it can call on funding from the government in extreme circumstances.

It has so far paid more than £600mn in claims for events declared by the government to be the work of terrorists and built up a near-£7bn investment fund. It has never called on the government guarantee.

“The review sets the strategic direction for the organisation over the coming five years, to ensure the scheme delivers in the best interest of its members, the government, taxpayers, and the wider economy,” Treasury said.

The surge in cyber attacks bringing increasing disruption to companies and infrastructure has raised fears among industry chiefs that the threat will become “uninsurable”.

Lloyd’s of London announced last year that it would demand policies written in the market have an exemption for state-backed attacks. It warned that such losses “have the potential to greatly exceed what the insurance market is able to absorb”.

But defining which attacks are linked to state actors is difficult, leading to legal battles over what should be covered. In 2021, pharma group Merck succeeded in a US court claim that an exclusion for war-related claims should not be applied to its losses in the 2017 NotPetya malware attack, for which the UK has blamed Russia.

Food group Mondelez recently settled with its insurer Zurich in a dispute over whether the NotPetya attack was a “warlike” action and thus excluded from its policy.

Pool Re currently reinsures physical damage caused by terror attacks that have a cyber trigger, but not if they are state-backed.

And it does not underwrite any financial losses or seizure of data from cyber assaults that are the primary focus of insurance policies.

Policymakers around the world are grappling with the threat from cyber attacks and the insurance industry’s ability to absorb costs. The US government called for views last year on whether a federal response to cyber was warranted, and whether its public-private terrorism insurance programme should have a role.

In a statement, Lloyd’s welcomed the discussions, saying state-backed cyber attacks were at such a scale that “insurance and tech industries will need to work in partnership with governments to address these risks”.

by George Parker – The Financial Times reporter