The recent Financial Times article “Governments shouldn’t be the cyber insurers of last resort” sparks an important discussion on whether governments should step in to bolster the burgeoning but still fragile cyber insurance market. Insurers like Zurich and brokers such as Marsh McLennan are calling for state intervention, drawing parallels to government involvement in terrorism or natural disaster insurance. On the surface, this argument seems rational, but the article rightly identifies significant issues with this approach, which could undermine long-term resilience in both the insurance sector and the wider world of cybersecurity.
Are We Missing the Point?
However, the ongoing calls for government intervention may be missing the bigger picture. The real issue is not that governments need to step in, but that businesses must take responsibility for their own cyber safety. The FT article touches on this but doesn’t fully explore it. We live in a time where, according to industry experts, up to 90% of cyber attacks could be prevented with better cyber hygiene. Why, then, should governments become a safety net for businesses that fail to put the basics in place?
The problem is that our industry, until recently, lacked solutions that could scale effectively across organisations of all sizes. Smaller businesses, in particular, were often left vulnerable, unable to afford comprehensive cyber risk management tools. But with the advent of automation, artificial intelligence, and improved cybersecurity technology, this has changed. Today, it is both technically and commercially possible for businesses to gain insights into their own cyber risk posture, helping them to take proactive measures before threats materialise.
Critiquing the Core Arguments
The FT piece notes Warren Buffett’s caution, with cyber risks likened to “rat poison.” With global cybercrime forecast to reach a staggering $23 trillion by 2027, and the cyber insurance market only a fraction of that size, it’s easy to understand why the insurance industry feels vulnerable. Yet, as the article highlights, the gap between coverage and risk has led to calls for government intervention, which may bring about unintended consequences.
One key concern is moral hazard. If firms know that a government backstop will kick in during a catastrophic attack, they might become complacent in their cybersecurity efforts. It is this very complacency that we must avoid. Businesses must take control of their own risk, and with the right tools now available, there’s no excuse not to. The notion that cyber insurance alone will solve the problem is flawed, as it does not address the core issue: inadequate cyber defences.
The article also questions the effectiveness of a state-backed insurance model in an area that is constantly evolving. Government schemes, if poorly designed, could stifle the innovation needed to address ever-changing cyber risks. A heavy-handed approach could discourage market-driven solutions, such as the cyber catastrophe bond launched last year, which demonstrated the insurance sector’s capacity for innovation.
Are Governments Ready for This Role?
Another concern that the article touches on is whether governments are truly equipped to manage these risks. The track record of public institutions handling cybersecurity is, at best, inconsistent. Defining when a government backstop should kick in could be fraught with complexity. Moreover, governments dealing with financial constraints may find themselves footing much larger bills than anticipated.
Instead of taking on this immense responsibility, governments could play a more supportive role, fostering public-private partnerships aimed at improving cyber resilience across industries. Initiatives such as tax incentives for businesses that invest in their own cybersecurity, or co-funding for cybersecurity research and development, could prove far more effective in the long run.
The Comments Section: A Broader Perspective
The comments following the FT article offer a variety of insights. Some readers echo concerns around moral hazard, while others highlight the limited coverage provided by insurers due to exclusions for war or infrastructure-related attacks, pointing out the need for state intervention in such extreme cases. What emerges from these comments is a general consensus that businesses should do more to protect themselves, rather than expecting the government to pick up the pieces.
Conclusion: Taking Responsibility for Cyber Risk
The FT article presents a thoughtful critique of the complexities involved in government-backed cyber insurance. While the cyber insurance market must undoubtedly grow to meet the demands of an increasingly digital world, relying on state intervention risks stifling innovation and fostering complacency in businesses.
Instead, the focus should shift towards empowering businesses to manage their own cyber risks. With the right tools, organisations of all sizes can now gain insight into their vulnerabilities and take action to improve their cyber hygiene. This approach not only reduces the need for government intervention but also builds resilience across industries, ensuring that businesses are better prepared for the evolving threat landscape.
Call to Action: It’s Time for Businesses to Take Control
At Cyber Tzar, we believe the future of cyber risk management lies in businesses taking responsibility for their own security. We specialise in providing scalable solutions that help businesses of all sizes, particularly those with complex portfolios and supply chains, to gain clear insight into their risk positions and implement the necessary protections. It is no longer a question of whether these solutions are available—they are. Businesses must act now, rather than wait for uncertain government backstops.
Visit cybertzar.com to discover how our tailored approach can help you safeguard your organisation from evolving cyber threats and ensure a robust defence for the future.