The head of the largest Lloyd’s of London insurer has called for governments to cover the risks of cyber attacks, saying the potential liabilities are too large for insurers to cover.
Stephen Catlin, founder of Catlin Group, said cyber security presented the “biggest, most systemic risk” he had encountered in his 42-year career in insurance, in part because a vulnerability in widely-used software or internet architecture can affect systems globally, putting the industry on the hook for simultaneous, multibillion-dollar payouts.
“Our balance sheets are not large enough to pay for that,” Catlin told the Insurance Insider London conference on Thursday, according to The Financial Times.
In the latest cyber attack against a major U.S firm, health insurer Anthem reported earlier this week that hackers stole the account information of as many as 80 million customers. Other recent corporate victims include Sony Pictures, JPMorgan Chase, and Target.
Such electronic incursions present an opportunity for the insurance industry to sell more coverage. Policies are designed to help companies meet costs including mounting forensic investigations and defending lawsuits.
But Catlin stressed that cyber attacks are unusually systemic, rather than, for example, a natural disaster that affects only one specific region. “It’s possible that you can have the same loss happening around the globe,” he explained.
Governments have already established state-backed schemes to provide coverage for acts of terrorism — such as Pool Re in the United Kingdom and the Terrorism Risk Insurance program in the U.S. — because the insurance market was unwilling to do so. But Catlin said cyber security posed an even bigger threat than terrorism.
“He’s got a valid point,” Andrew Horton, chief executive of Beazley, a rival Lloyd’s insurer, told the FT. “We’re very mindful of the potential aggregation impact. It’s something governments should be putting a lot of thought into.”
Rob Lay, a security expert at Fujitsu, said businesses should not rely on insurance to protect themselves from a cyber attack. “While insurance may help mitigate some of the financial impact of a security incident or breach, the reputational impact and the impact to the business operation cannot be mitigated with insurance in the same way,” he said in a news release.