Catlin: cyber scares me to death’
The insurance industry’s exposure to cyber-risk is “an accident waiting to happen”, says Stephen Catlin.
The insurance industry veteran, who is leading $1.8 billion Bermudian start-up Convex Group, said some of the coverage being sold could not be honoured in the event of a huge cyber loss event.
In an interview, Mr Catlin said: “Cyber is the one thing that scares me to death. I cannot believe the amount of silent coverage that the industry affords. It’s an accident waiting to happen.”
“Silent coverage” refers to potential cyber-related coverage from traditional liability or property policies that were specifically designed to cover cyber-risk.
“If you think about cyber as a potential loss scenario, there’s no other loss that’s anywhere near as potentially catastrophic,” Mr Catlin said.
“If you think about wind, or a quake, or a man-made disaster, or even a political uprising, you’re never talking about more than about 10 per cent of the world. With cyber, it’s the whole world in a nanosecond. The aggregation of exposure is mind-boggling.”
The industry needed to solve the problem because clients wanted and needed cyber insurance, he said.
“I get that,” Mr Catlin added. “But I’m an old-fashioned guy. What I do is sign a promissory note, a promise to pay. I don’t want to sell a promise I can’t honour.
“And some of the promises that have been made over cyber can’t, in extremis, be honoured. There is not the capital in the marketplace to do it.”
He suggested thinking about the economic consequences of the internet being brought down for a day, or even a week.
“For one day, it’s a global economic crisis,” Mr Catlin said. “For seven days, it’s cataclysmic.
“It’s an exposure we live with in our personal lives and our business lives and we can’t change that.”
He believes the biggest risk is from terrorists, rather than governments, who would damage themselves along with their targets, if they pulled off a globally destructive attack, he said.
“As we saw from 9/11, terrorists can do the most enormous amount of damage for not too much expense,” Mr Catlin said. “Aside from the grotesqueness of the event and the human depravity, if you’re a terrorist, you can say it was quite efficient. That’s a frightening thought. What could terrorists do with hackers?”
He added that he himself was once targeted by a cyberattack emanating from Asia. He said they used a “highly intellectual process to try to get me”.
“They tried to steal, in three different ways, the best part of £500,000 from me,” Mr Catlin said. “Thankfully, I have a great PA, who saw the writing on the wall and stopped it. But I know one person who did lose £500,000 on one hack.”
Asked whether limits were the answer to writing cyber coverage, Mr Catlin said FM Global had just decided to limit cyber payouts to $1 million.
“It might solve their balance-sheet challenges, but it doesn’t really help the client,” he said.
“Maybe Pool Re has got the solution, where they do include cyberterrorism in their coverage. Basically Pool Re is a government backstop, so they know what their PML [probably maximum loss] is — after that it goes to the Government.
“The Government will expect payback over time. It has the advantage that it won’t take out the balance sheet. It’s in nobody’s interests for the whole of the insurance industry to go down the toilet in one go. The world stops working if that happens.
“The real problem is persuading governments that ‘you’ve got this risk anyway — what we can do is mitigate it for you’. But persuading people in government who are lucky if they’re in office for five years to take this kind of long-term view is very hard. That’s a global issue.”
Mr Catlin is chairman and chief executive officer of Convex, while Paul Brand, his former colleague at Catlin Group, is deputy CEO.
Convex Re, the Bermuda underwriting hub, will employ more than 50 people and Mr Catlin expects it to be fully staffed by November.
The $1.8 billion financing committed to the start-up is a far cry from when he started his first company in London. “I started Catlin in 1984 with £25,000 and two people,” he said. “You could not do the same thing today. Because of the compliance costs alone, you have to have the critical mass.”