Insurers in talks on adding state-backed cyber to UK reinsurance scheme

Insurers have held discussions with the UK government over whether its terrorism reinsurance scheme should cover state-backed cyber attacks, amid growing concern over holes in the safety net provided by the private sector.

Senior industry executives have had initial talks with Treasury officials over whether Pool Re, created to share terrorism risks, could be expanded to cover state-sponsored or war-related cyber attacks, according to people familiar with the matter. These events are not covered under standard insurance policies.

The Treasury, which only last year completed a strategic review of Pool Re, has yet to take a position on the issue, the people said.

Pool Re was set up in 1993 after underwriters, spooked by IRA bombing campaigns in the UK, pulled back from insuring acts of terror. It shares risk with primary insurers, and though it is owned by the insurance industry, it can call on funding from the government in extreme circumstances. It has so far paid more than £600mn in claims for events declared by the government to be the work of terrorists and built up a near-£7bn investment fund. It has never called on the government guarantee.

Pool Re declined to comment. The Treasury said it was focused on delivering the outcome of last year’s review, which recommended that risk be transferred off the public balance sheet and back to the market.

“The review sets the strategic direction for the organisation over the coming five years, to ensure the scheme delivers in the best interest of its members, the government, taxpayers, and the wider economy,” the Treasury said.

The surge in cyber attacks bringing increasing disruption to companies and infrastructure has raised fears among industry chiefs that the threat will become “uninsurable”.

Lloyd’s of London announced last year that it would demand policies written in the market have an exemption for state-backed attacks. It warned that such losses “have the potential to greatly exceed what the insurance market is able to absorb”.

But defining which attacks are linked to state actors is difficult, leading to legal battles over what should be covered. In 2021, pharma group Merck succeeded in a US court claim that an exclusion for war-related claims should not be applied to its losses in the 2017 NotPetya malware attack, for which the UK has blamed Russia. Food group Mondelez recently settled with its insurer Zurich in a dispute over whether the NotPetya attack was a “warlike” action and thus excluded from its policy.

Bruce Hepburn, chief executive at Mactavish, which advises commercial insurance buyers, said extending Pool Re to cover state-backed cyber would be a “recipe for huge arguments”.

Pool Re currently reinsures physical damage caused by terror attacks that have a cyber trigger, but not if they are state-backed. And it does not underwrite any financial losses or seizure of data from cyber assaults that are the primary focus of insurance policies.

Hepburn added: “The government is well able to determine whether an event was a terrorism event, there are mechanisms for doing that. How in hell do you decide it is a state-sponsored cyber attack?”

Policymakers around the world are grappling with the threat from cyber attacks and the insurance industry’s ability to absorb costs. The US government called for views last year on whether a federal response to cyber was warranted, and whether its public-private terrorism insurance programme should have a role.

Lloyd’s responded to that consultation last month, arguing “there could be utility in such a [federal programme] for those areas in which the insurance industry has limited appetite to provide cover — specifically, losses caused by broad infrastructure outages or state-backed cyber attack”. But take-up might be limited, it added.

Additional reporting by George Parker