Cyber solutions: technology or finance?

By Professor Michael Mainelli, Executive Chairman, Z/Yen Group Limited

In January 2011 over €45 million was stolen from the carbon markets in several ‘cyber-crime’ incidents.

Carbon markets were closed on 19 January 2011 and have fitfully reopened since at much lower values. The January 2011 attacks were preceded by attacks in 2009 and 2010. A 2 February 2010 phishing theft of 250,000 carbon emission permits reportedly netted €3 million and also closed the markets. Furthermore, other financial markets, having watched the authorities respond slowly, have begun to question what role government bodies actually play in protecting their own markets.

In our recent book, “The Price of Fish: A New Approach to Wicked Economics and Better Decisions”, Ian Harris and I argue that wicked solutions need to blend four streams of thinking — choice, economics, systems and evolution. How might that apply to cyber-crime?

Cyber-crime needs to be viewed from a number of perspectives. No political, economic, technical or legal solution alone will work. In this blog I’d particularly like to contrast cyber-crime with ‘normal’ crime, against which we are able to purchase insurance. A realistic comparison would be burglary insurance; people contract with insurers in commercial terms they understand, with contracts they know and financial risks and rewards they can analyse.

Cyber-crime insurance is a weak market where it is hard to get significant risks underwritten; market cover is sporadic above small networks and fades completely above £100 million. Cyber-crime (e.g. ‘e-risk business protection’) insurance typically covers: crisis-management costs; customer-notification expenses; data extortion; professional services; multimedia liability (e.g. defamation and copyright infringement); security and privacy liability; and privacy regulatory defence and penalties. In the USA, this market is driven by legal requirements to inform customers of personal data breaches, but does little for business interruption.

Cyber-crime at scale is indistinguishable from cyber-terrorism. State actors may be involved. In fact, it is likely that only failed or corrupt states would allow attacks to originate from their territory. So firms are sensitive about the commitment of the state to protect them from incursions of substance, whatever the source. Cyber-terrorism insurance, e.g. cover against state-sponsored attacks, doesn’t exist. A realistic economic goal for government is to create a framework where insurers want to write cyber-crime and cyber-terrorism business, because they know it pays. And this means blending choice, economics, systems and evolution.

The carbon market problems resemble terrorism property insurance problems. Following the 10 April 1992 bombing which devastated the Baltic Exchange for shipping, international insurers withdrew cover for acts of terrorism and the UK government formed a reinsurer, Pool Re, rapidly by 1993. As a reinsurer, Pool Re helps other insurers provide policies directly to property owners and backs up insurers’ capital with regulators. At the moment, insurers in the UK can reinsure liabilities from terrorism, in excess of the first £75m, with Pool Re. A Pool Re member’s retention is proportionate to their participation in the scheme. The only exclusions applying to the terrorism cover of Pool Re are in respect of: “war and related risks; and damage to computer systems caused by virus, hacking and similar actions.”

Could we have a Cyber Re where government helps the insurance industry fund extreme losses? As an example, government takes responsibility, via a reinsurance club, for risks at the highest levels. Below that level normal insurers write cyber policies which help spread information and best practice. Reinsurance helps form successful commercial insurance markets by pooling random losses across many insurers, so that losses no single insurer could carry become assessable and shareable. Cyber Re can increase supply by spreading large losses and (over time) playing a role in establishing a body of claims data to support more accurate pricing of the risk. It also helps demand by promoting an understanding of cyber risks and the value of defending against them, especially through technological defences.

A business-interruption insurance model might be most appropriate. A good example of business interruption or ‘loss of earnings cover’ is industrial-dispute insurance. In a business-interruption model, the client states in advance how much a day’s outage will cost, which simplifies claims: e.g. the client declares that a day’s outage costs £5M, the retention is the first two days, and the policy then pays £5M a day for up to the next 10 days, so a 12-day outage pays £50M with no need to prove actual losses. A Cyber Re would:

  • Help members to assess their exposure and, working with members, to plan risk-reduction programmes;
  • Share best practice in assessment and risk reduction, including the development and use of appropriate standards (e.g. ISO 27000 series);
  • Provide controlled risk-transfer mechanisms for members who achieve stated levels of risk reduction or undertake risk-reduction activities to stated levels of quality.

Cyber Re might confer competitive advantage on the UK. With Cyber Re, the UK would have definite attractions for firms that depend on computers, particularly financial exchanges and large internet firms, as it would be the only country that indemnifies them when it fails to protect against cyber-crime at scale.

So we’ve blended four streams — giving customers a financial choice they can understand, making the risk-sharing economics work, looking at the problem holistically, and providing a system that can evolve standards and prices in line with learning.

How would we know when government and industry are working well together on cyber-crime? When we can buy ‘normal’ insurance.
