The Australian Reinsurance Pool Corporation (ARPC) says a “computer crime” exclusion has left a gap in the nation’s government-backed terrorism cover as the risk of a devastating attack rises. 

Several factors are making it cheaper, quicker and easier for terrorists to obtain and use cyberattack capacities that could result in physical damage, and the coverage gap is a key risk if such groups reach a capability tipping point, the corporation says in a paper updating 2020 research. 

“This paper has outlined the indicators of both the growing capability and motivations for such an attack,” ARPC says. 

“If capabilities continue on this trajectory, the impact would be potentially catastrophic.” 

The ARPC-administered terrorism pool, which provides reinsurance for commercial property and associated business interruption losses from a declared event, was set up after the private market backed away from cover following the September 11 2001 attacks in the US. 

A scheme statutory review in 2021 decided the computer crime exclusion should remain, despite ARPC research on potential impacts. 

The review found there was no clear and evident market failure in relation to physical property damage from cyber terrorism, the underlying risk was low, and terror groups lacked the technical sophistication to threaten Australia’s security through a cyberattack. 

“The gap in cover continues to exist and the capabilities of cyber actors continue to increase,” ARPC says in its update paper. 

Examples of non-state actors launching physical cyberattacks include the 2021 Colonial Pipeline disruption that hit petroleum supplies in eastern US states. 

The Australian Signals Directorate Cyber Threat Report 2022-23 says: “Globally, a broad range of malicious cyber actors, including state actors, cybercriminals and issue-motivated groups, have demonstrated the intent and the capability to target critical infrastructure.” 

ARPC says the US Government is assessing the need for a federal insurance response to cyberattacks on critical infrastructure, and in Britain insurers are reportedly discussing with the Government whether a terrorism insurance program should cover state-backed cyberattacks. 

A hypothetical large-scale cyber-terrorism attack resulting in physical damage to facilities in an Australian town could cause property damage and business interruption losses of more than $10 billion, according to ARPC modelling.  

Under current arrangements, “ARPC would cover a ‘conventional’ declared terrorist attack, but a cyberattack by terrorists with an identical destructive outcome may not be covered”, the paper says. 

The terrorism pool has $14.4 billion available for claims arising from a declared incident, its latest annual report says. That includes a $10 billion Commonwealth guarantee, $3.5 billion in retrocession cover and $910 million in net assets.  

Reviews of the scheme legislation were conducted once every three years initially, but the time frame has been extended and the Terrorism and Cyclone Insurance Act now states a review is due as soon as practicable after July 1 2025, and at least every five years thereafter.

From Insurance News magazine: After rolling catastrophes and amid intense scrutiny from authorities, how can insurers get it right next time disaster strikes?