We use performance cookies to collect information about how you use our website (for instance which pages you visit most often). Cookies help us to improve your online experience with Aspen. Find out more here


Aspen Opinion

U.K. Commercial Property: Universal and Unique Approach

April 19, 2018

The perceived risk of cyber terrorism has increased following a number of recent cyber attacks. Clive Edwards, Head of UK Corporate Property & Casualty at Aspen Insurance, welcomes the U.K. Government’s response to include cyber terrorism cover through the Pool Re initiative.

Automatic protection against this notoriously difficult-to-assess risk was introduced in April 2018 and brings a universal benefit to all policyholders with (re)insurance underwritten by Pool Re members. In turn, this enables underwriters to focus on their clients’ unique requirements where risk is more readily calibrated and priced, and highlights where the real value lies.

Emerging risk

Cyber terrorism is fuelled by ideology and has been defined as “an act of politically-motivated violence involving physical damage or personal injury caused by remote digital interference with technology systems”.  It, therefore, contrasts with the purely financial or egotistical goals of other cyber crime. It is considered an emerging risk and, as with other forms of terrorism, it is difficult to model and price.  A successful attack is dependent on significant investment in time and financial resources and so many still consider the risk of cyber terrorism to be low although this view is now open to greater debate given the recent number of cyber attacks.

The acquisition of cyber capabilities by terrorists has long been expected but, to date, there has been no known terrorist incident using cyber to cause physical damage and destruction. Terrorists have openly declared their intention to upgrade their weaponry and enhance their cyber skills and this has led to the formation of terrorist groups such as the United Cyber Caliphate, Team System Dz and the Hezbollah Cyber Group.

Cyber attacks in 2017 exacerbated fears and caused a step change in the public’s perception of global cyber crime and the disruption it can cause. In May 2017, the Wanna Cry ransomware spread quickly across every continent and infiltrated both public and private services. A month later, the Not Petya attack rapidly infected devices in 64 countries within 24 hours. The destructive potential and the far-reaching impact of business interruption were highlighted by these attacks, increasing fears and affecting thousands of computers worldwide.

The broadening of attack surfaces, combined with growing technical abilities of terrorist groups, have increased concerns of a potential incident. Vulnerabilities embedded in digital devices are ever-present and are growing as the internet of things introduces layers of weakness to many existing physical systems from manufacturing to biological security systems. Vulnerabilities in hardware, software, network protocols and programming languages can be exploited and there is debate whether these weaknesses are limited or infinite.

The certainty is that digital systems are exposed and the development of new and updated technologies will create new embedded system flaws which can be compromised. In the “known knowns” parlance, there are vulnerabilities that are acknowledged and recognised, latent vulnerabilities that are known to exist but have not been isolated and an unknown quantity of vulnerabilities which are yet to be discovered; the internet of tomorrow will be different than the internet of today.

The dynamic nature of the risk is also embodied in terrorist groups as the threat actors are likely to change and become difficult to track. The black market for mercenary cyber activity has developed with forums on the dark web enabling an unsophisticated group(s) to buy highly-sophisticated cyber “warfare” capabilities. As a result, sufficiently funded and motivated terrorist group(s) need not go through the time-intensive process of enhancing its technical proficiency in order to conduct targeted or widespread malicious activity.

The “successful” disruption witnessed in the WannaCry and NotPetya attacks will likely accelerate the amount of black market investment in these types of tools, thereby potentially shortening the timeline for terrorist enterprises.

Providing a backstop

The losses from a cyber terrorist attack could be significant and potentially as large as any losses from a natural catastrophe. Yet, unlike natural catastrophes, the raison d’etre of modern terrorism (including cyber terrorism) is to be dynamic in the choice of target and mode of attack which makes risk prevention and mitigation more difficult.  Models based on the laws of nature help us predict and quantify natural disasters. In contrast, there are no models which can be meaningfully used to predict or quantify cyber terrorist attacks since terrorists are not constrained by any laws.

Following the escalation of U.K. terror attacks in 1992 (including that of the Baltic Exchange) and the U.S. 9/11 World Trade Centre attack, insurance capacity withdrew from the market. Respective governments stepped in to act as a backstop to cover costs and support the insurance market which underpins economic activity.

In the U.S., Terrorism Risk Insurance Act 2002 (“TRIA”) - currently set to expire on December 31, 2020 - required business insurers to offer terrorism coverage for certain types of insurance with the Government providing reinsurance on the bulk of the claims costs (82% in 2018 to a limit of US$100 billion) for certified terrorist events costing more than US$160 million (2018).

In December 2016, the U.S. Treasury Department issued a Notice of Guidance that clarified a previous ambiguity as to whether cyber liability was included as a covered line of property and casualty under TRIA. Insurers are now obliged to offer cyber terrorism cover with a cyber policy - however, as with the offer of a terrorism policy, the insured retains the choice to accept the premium and insure the risk of cyber terrorism. Cyber terrorism and terrorism cover are now embedded as part of the insurance buying process and are assessed alongside the insureds’ other risks including fire, flood and theft.

In the U.K., Pool Re, which was established in 1993, has also responded to the threat of cyber terrorism since April 2018 through the acceptance of material damage and its associated direct business interruption losses arising from cyber terrorism. It can be argued that unlike the U.S., the automatic acceptance of the cyber terrorism risk by Pool Re (and its members) effectively removes the risk from the submission conversation. There is a clear advantage for an insured who is insuring with a Pool Re member as there are no inner limits regarding policy liability, no postcode lottery and it comes with a Government backstop. This safeguard is activated once Pool Re’s resources of over £8billion comprising investment funds, a £2.1 billion retrocession agreement plus members’ retention have been paid out. [1] [2]

Pool Re members are therefore able to focus on the unique aspects of the clients’ requirements where risk is more readily calibrated and priced, highlighting where the real value lies.

Buying the appropriate cover depends on finding an insurer who can adapt to the changing needs of the business. New plant, new product lines, relocation, rationalisation and reorganisation are just some of the features of this dynamic process. Changing risk exposures is only part of the calibration: the risk appetite of both the insurer and insured also may change and should be communicated clearly to avoid unpleasant surprises either at renewal or following a claim. The insurer who is forward-thinking and able to adapt with the changing needs of business will have the ability to offer their insureds a truly value-added service that will stand out from the crowd.


[1] https://www.poolre.co.uk/who-we-are (April 10,2018)

[2] https://www.poolre.co.uk/pool-re-renews (April 10, 2018)

Click here for a pdf version of the article.

Back to articles

The above article/opinion reflects the opinion of the author and does not necessarily represent Aspen's views. The article reflects the opinion of the author at the time it was written taking into account market, regulatory and other conditions at the time of writing which may change over time. Aspen does not undertake a duty to update these articles.