Insurers’ Role in Managing Systemic Risks

Systemic risk has been defined by the Financial Stability Board as the risk of an entire market or financial system being disrupted – with far-reaching negative consequences for the real economy. The Global Financial Crisis of 2007/08 focused minds with a renewed sense of urgency on the threat posed by systemic risks. Since then, a range of measures and initiatives have been put in place with the aim of better protecting us all from the consequences of future systemic risk events. Yet the general perception today – as vividly underlined by the impact of Covid-19 and the increasingly obvious threat of cyber – is that the world is more at peril than ever from systemic risk. Insurers have a key role to play in identifying and managing such risks.

Cyber, climate change, pandemic and demographic change (specifically the prospect of ageing populations) have been cited as the Four Horsemen of the systemic risk apocalypse, with issues around globalisation variously identified as a fifth – or simply as an accelerant of the other four. Insurance and reinsurance companies have long stood out as analytically robust prophets of the damage likely to result from rising global temperatures. Based on its past experiences with asbestos claims, Piper Alpha and the LMX Spiral, the insurance industry is also well attuned to how risks ‘go systemic’ and what happens when they do.

The financial turmoil that erupted back in 2007 may have originated within an operation of global insurer AIG – albeit one that had very little to do with insurance as such – but the global banking system was correctly identified as the source of what became a jarring shock to global financial stability. Efforts to forestall any similar shocks initially focused on banks and other lending institutions. But, from the early years of the last decade, the International Association of Insurance Supervisors has done a considerable amount of work on identifying systemically important sources of insurance capacity and implementing regulatory interventions designed to mitigate against their failure.

There seems little doubt, however, that another severe pandemic, a dramatic escalation of the looming climate crisis, or hostile cyber activity on a scale sufficient to imperil the secure operation of financial systems worldwide (or even to take much of the world offline) would quickly overwhelm the entire collective resources of the insurance and reinsurance community and all its adjunct hinterland in areas like the insurance-linked securities market. At which point, government intervention – potentially on a scale that would dwarf the support provided to banks in 2008 and 2009 – would be the only available recourse.

Insurance expertise can certainly play a valuable role in helping governments prepare themselves to mount an appropriate response to any future crisis. There is, after all, some precedent for this. Terrorism has been proposed as another potential catalyst for systemic risk events. State-backed initiatives like the TRIA programme in the U.S. and Pool Re in the UK illustrate how a combination of insurance capacity and know-how and the resources of national governments can provide solutions to challenges on a scale that would otherwise be unmanageable. Flood Re is another. But the four horsemen cited above could all require private-public provision on a massively greater scale.

In the longer term, climate change could emerge as the systemic risk to put all others in the shade, and few could fail to recognise the very real threat of another pandemic, but perhaps the most dramatically escalating risk at this precise moment in time is cyber. The major uptick in state-sponsored cyber hostilities associated with Russia’s invasion of Ukraine highlighted the potential for escalation. Lloyd’s itself was the target of a suspected cyber attack, while the risk of far-reaching disruption to essential civic infrastructure is becoming increasingly and alarmingly clear. Serious doubts are even starting to be voiced around the long-term viability of mission-critical military and civilian systems that rely on hackable communications and control technology.

There is a growing awareness of the extent to which cyber risk in the industrial and commercial world remains uninsured. In a report highlighting the potentially catastrophic fallout from cyberattacks targeting private businesses and critical infrastructure, Swiss Re estimated that 90% of cyber risks worldwide are not currently covered by insurance. Soberingly for the insurance industry, some of this shortfall could yet be picked up by policies not specifically intended to cover cyber risk. This is the ‘silent cyber’ category of losses that might ultimately rebound on insurers in the same way unanticipated Covid-19 business interruption claims were imposed on carriers following legal rulings.

Cyber is a major challenge to insurers, not least because these rapidly evolving and massively proliferating risks are notoriously hard to model. Faced with events that are both high-frequency and high-impact, the market has responded primarily by attempting to limit the scope and extent of cyber coverage. Over time, increasing specialisation within the broader field of cyber risk could help insurers provide a level of cover that better responds to its corporate customers’ real needs. But, if there was ever any doubt that cyber would qualify as a systemic risk, that moment has clearly passed. Some even argue that cyber risk – already pervasive – could yet become so ubiquitous and so critical that it ellipses all other risk categories.

Clearly, the insurance industry will never be able to tame systemic risks like cyber on its own. But the knowledge and insight that carriers like DOCOsoft’s global P&C (re)insurer clients have built up real-life claims relating to such risks provides an invaluable insight into how such things could play out at scale. At DOCOsoft, we see it as an important part of our mission to support our clients in applying state of the art technology to leverage the learnings amassed within their claims management systems. This can help lay the foundations for an effective future response to systemic risk threats.

The insurance industry can play a key role in increasing societal resilience by supplying some of the current expert skills shortage in fields like cyber, adopting common data standards and smarter modelling approaches, and identifying new sources of capital. We’ve all seen enough to recognise the urgency of addressing these far-reaching challenges.