‘The wider challenge is how do you plan long-term thinking in a short-term political environment?’ says broker cyber practice leader

The insurance industry has been calling for a public backstop for the cyber insurance market for several years now.

For example, at last year’s Biba Conference – held in May 2024 – panellists speaking during a session entitled ‘Insuring the uninsurable: Navigating exclusions and preparing for systemic risks’ tipped a public-private partnership model between the insurance industry and government as one method for tackling systemic cyber risks in the UK.

In the session, Tom Clementi, chief executive at terrorism reinsurance scheme Pool Re, said: “If you think about cyber, there’s the potential for that very large event. Having that structure of a public-private partnership where you can have a structure put in place before a big event – rather than be responsive, why don’t we put the infrastructure in place?”

A public-private partnership refers to collaboration between a government agency and a private sector company or industry for the purpose of delivering a project or service.

Insurers, brokers and other industry voices have repeatedly made the case for a cyber cover-related backstop, using existing models Flood Re and Pool Re as examples – however, there has been little engagement from governments on either side of the Atlantic and progress remains thin on the ground.

The Insuring catastrophic cyber risk report, published by non-profit organisation Rand Corporation in June 2025, concluded that a federal cyber reinsurance backstop programme could unlock more capital for the US cyber market, achieve lower prices and ultimately narrow the cyber protection gap.

The report found that the risk of catastrophic loss has historically limited the availability of coverage for buyers. And while the cyber market has softened steadily since 2022, constraints on capacity remain due to insurers’ fears of significant aggregated losses.

Anthony Cordonnier, global co-head of cyber at Guy Carpenter, was a panellist last year alongside Clementi. He agreed with this report finding: “What’s crucial is the aggregation potential of the class.

“By aggregation, we mean lots of different losses stemming from the same event – very much like a natural catastrophe event.

“What’s different here is that it’s a man-made peril. The exposure is [caused] by the increasing digitalisation of the economy.”

Oliver Brew, cyber practice leader at Lockton Re, added: “We know that there are certain risks that are currently outside the scope of the private insurance market.

“You only have to look at what happened during the Covid-19 pandemic or some of the major flooding events in the UK or overseas to see that there’s a very large and important role for governments to play [in the provision of insurance].

“What we have now is the opportunity to recreate a bridge between private and governmental bodies by using established templates for backstops to try to address what is a very remote, but very significant, potential risk.”

ILS as an option

The cyber protection gap comes in two forms – uninsured losses from firms that do not carry cyber insurance and uninsured losses due to war and infrastructure policy exclusions, according to the aforementioned Rand Corporation report.

A primary focus of any government insurance intervention, therefore, would be to reduce the amount of uninsured losses that could be suffered by companies or individuals, the report continued.

Rebecca Bole, head of strategic engagement at risk analytics business CyberCube, told Insurance Times: “CyberCube believes that the potential catastrophic loss from a cyber event could exceed the capital that the cyber (re)insurance industry is willing or able to commit to insuring cyber risk.

“That said, the (re)insurance industry is projected to continue to grow strongly and will absorb many more losses than it does today as it grows.

“If a major cyber incident were to occur, the financial losses that fall outside of insurance cover would need to be covered by alternative capital sources.

“One source is the capital markets. We are seeing a growing volume of cyber risk transfer to the capital markets via insurance-linked security (ILS) transactions today. This has room to grow.

“As the losses become more extreme at the tail of the loss curve, government support will be required to protect citizens and the economy.”

An ILS arrangement allows insurance companies to transfer some of their risk to investors in capital markets.

Fast-forward the business case

The cyber attacks targeting UK retailers Marks and Spencer and the Co-op, which took place across April and May 2025, provided a timely reminder of the devastating ripple effect that can stem from such intangible incidents.

These attacks significantly impacted many of the SMEs in the retailers’ supply chains – not just the headline shop brand.

For example, non-profit organisation the Cyber Monitoring Centre (CMC) predicted in June 2025 that the total financial impact of these cyber attacks reached somewhere in the region of £270m to £440m.

The idea of a public backstop to extreme, wide-ranging risks is not a new one and there are long-standing, functioning examples. The US has its 2002 Terrorism Risk Insurance Act (TRIA), for instance, and the National Flood Insurance Program, while the UK has Pool Re and Flood Re.

However, gaining traction for a cyber equivalent has so far proved elusive.

Bole said: “Public-private partnerships take time. Alignment is needed on a number of different fronts at once, [including] alignment on the scale of the problem [and] what is the potential financial loss from extreme events, the protection gap between losses [that] are insurable and those which fall outside of the (re)insurance sector’s scope [and] alignment is required with government for the political will to proactively structure a solution ahead of an event.”

Another major challenge for a cyber backstop is aligning the interests of different national jurisdictions for what is often perceived to be a cross-jurisdictional exposure.

Brew added: “If the government is going to have contingent exposure to this type of risk, then clearly you want that taxpayer funded pool to benefit the relevant people and not those who don’t contribute to it.

“The wider challenge is how do you plan long-term thinking in a short-term political environment? This type of issue is not headline grabbing and top of the agenda for people in government.”

The concept of a public backstop for cyber insurance could be seen as a dry, technical and technocratic one that is difficult to explain to non-industry parties. It is therefore incumbent on the industry to create a consistent and coherent narrative and take that to governments in order to make a robust economic case for a backstop.

Brew continued: “We need to demonstrate the return on investment on a risk pool mechanism.

“There are precedents – Pool Re, for example, goes back over 30 years and has over £10bn of reserves to keep the government’s exposure remote from the current market that’s being managed.

“It allows a more proactive risk management and engaging conversation in how you build up resiliency through education, risk management, insurance take-up or recovery processes. All of those aspects of the way Pool Re operates have been very effective.

“There is an economic case that needs to be made [more] clearly than has so far been the case.”