Just hours after Anthem, the second-largest U.S. health insurer, announced it had suffered a massive security breach, the largest Lloyd’s of London insurer said cyber attacks are now too big for private insurance companies to handle, according to the Financial Times.
Catlin Group CEO Stephen Catlin told an insurance conference in London on Thursday (Feb. 5) that governments should take over risk coverage for hacking and malware. “Our balance sheets are not large enough to pay for that,” Catlin said, adding that cybersecurity was the “biggest, most systemic risk” he had ever seen.
Some governments have established risk pools to handle coverage for terrorist attacks, including the Terrorism Risk Insurance Program in the U.S. and Pool Reinsurance in the U.K. But Catlin said cybersecurity was an even bigger problem.
Insurance companies have previously pointed out that traditional risks, such as natural catastrophes, are more contained than cyberthreats. Earthquakes in Japan do not cause hurricanes in Florida, the FT noted, but a vulnerability in widely-used software or Internet architecture — both of which are turning up more and more frequently in cyberattacks — can bring down systems globally. That could leave insurers faced with simultaneous multibillion-dollar claims.
“It’s possible that you can have the same loss happening around the globe,” Catlin said.
While that’s not a completely unfamiliar scenario for both insurance companies and insured businesses — it’s exactly what the Y2K “millennium bug” threatened — the Y2K risk was specific, technically well understood, and had a firm deadline of Dec. 31, 1999. Security vulnerabilities in widely used software are typically unknown until a breach occurs, and attackers frequently hit a few targets at a time, leaving many companies unaware that they too are at risk. In the case of Anthem, for example, the breach came after a series of attacks on smaller health insurance companies.
Some insurers offer cyberattack policies to help companies meet the costs of forensic investigations and lawsuits if they are attacked. But those policies come with high premiums and serious coverage restrictions, the FT said.