Award-winning underwriter makes case for cyber pool
Federally backed insurance pools or similar structures should be explored to manage the risks of cybercrime, an underwriting expert says.
Axa XL financial lines cyber underwriter Grace Goleman won this year’s Australian Professional Indemnity Group and Wotton + Kearney scholarship with her video presentation The Rising Risk of Digital Monocultures.
“Although the challenges and obstacles are daunting, starting to plan now is preferable to hastily developing a solution in the aftermath of the next major incident,” she said.
Ms Goleman’s video submission says modern infrastructure is dominated by standardised hardware, software and network configurations, creating a “digital monoculture” that is efficient but also risky.
“Monocultures are inherently less resilient. Lacking diversity and natural defences, a single threat or incident can have widespread and devastating effects,” she said.
The CrowdStrike incident reinforced how a handful of software developers, cloud service providers, telecommunications networks and data centres dominate IT infrastructure and “showed how a single flaw or threat can disperse rapidly in uniform environments or systems”.
Ms Goleman says companies cannot opt out of the digital monoculture because of the “scope and heft” of providers.
A widespread event could generate huge losses affecting entire (re)insurance portfolios worldwide and destabilising countries’ traditional insurance markets, she says.
“Given this situation – embedded, systemic risk representing potential losses far exceeding available (re)insurance capacity – some have proposed federally backed insurance pools as a potential remedy. These structures have emerged in recent decades as an effective way to ensure sufficient resources are available to address high-impact claims and maintain stable insurance markets.”
Such pools have been implemented for risks ranging from floods and earthquakes in the US, Japan and Mexico to terrorism in the UK and nuclear energy in France.
Ms Goleman says spreading the financial burden would reduce the risks to the broader economy. Such a pool could also set requirements or incentivise organisations to adopt strong cybersecurity practices in exchange for coverage.
A federal pool could also expedite financial relief after significant cyber incidents and help affected businesses quickly return to normal operations.
“Like natural disasters, massively disruptive cyber incidents are becoming more frequent and severe. Moreover, given the monoculture-like characteristics of our modern IT infrastructure, this trend isn’t likely to abate,” she said.
Ms Goleman won $9500 to attend a global conference.