Postulate Ammann (18.3565): Damage coverage. Event limits for cyber attacks
Submitted text
The Federal Council is instructed to Introduction of an event limit for cyber attacks to be examined, above which the federal government will provide damage coverage in a specified amount.
Justification
Digitalization is leading to strong networking of the economy. This brings many benefits, but also increases the risk of major events that can cause huge damage. The current threat potential of cyber risks is therefore very high; this will cause annual costs of up to 9.5 billion Swiss francs in Switzerland alone. With such high amounts of damage and potential victims, the question arises as to the role of the state.
The Risks of “daily life” are already insurable today and this is also being used by more and more companies. In the case of major incidents, however, the question of insurability or the necessary insurance capacities arises. The loss amounts in the event of a large cyber attack on central infrastructures or on a large sector of the economy would be no longer bearable for insurers. In this area, therefore, only limited compulsory insurance could be introduced anyway, as is the case, for example, in the field of Nuclear Power Plants knows. At the same time, the question arises as to how far the state itself should compensate for damages. After all, in the case of a major event, the federal government would hardly be able to avoid a certain level of coverage due to public pressure. Similar questions were raised when a model for nationwide earthquake insurance was being developed. At that time, the federal government showed itself willing to cover an amount of 10 billion Swiss francs per event. The question is whether such a solution could also be introduced in the area of cyber risks.
A report will show how such coverage could be introduced and what the consequences would be. What effects would such a regulation have on the economy, in particular on the insurance industry – keyword “moral hazard”? What legal adjustments would have to be made to introduce such coverage at the federal level? From what event limit would the federal government have to assume a certain level of coverage in order to avert the greatest possible damage without competing with the insurance industry? What is the Federal Council’s position on such a governmental fallback solution for cyber risks?
Statement of the Federal Council of 29.8.18
The Federal Council is monitoring the development of the Insurance market for cyber risks with great interest and notes that in recent times very many new offers have arisen in this area. This really raises the question of how to deal with the risks of major events with serious consequences for the whole of Switzerland.
In its report on the framework conditions for the insurability of cyber risks, the advisory board “Zukunft Finanzplatz Schweiz” addressed this issue, among others. The report was submitted to the Federal Council in June 2017. In it, the experts come to the conclusion that the Question of government coverage for cyber damage to be considered as an option at a later date, if there is “insufficient market capacity or significant market gaps in the insurance market for this.”
The Federal Council shares the Advisory Council’s assessment that an examination of the option of state coverage of cyber risks should only take place once it can be assessed what potential market-based solutions have. Because the market for cyber insurance in Switzerland is has only existed for a short time and is currently developing rapidlyIt does not seem sensible for the state to determine today whether an event limit should be introduced and, if so, how high it should be. The effects of a possible state catch-all solution can also only be speculated on at the present time, since such an assessment would first require consolidation of the market, which is only just beginning to develop.
Finally, the Federal Council considers a discussion on state coverage of cyber risks to be premature, in particular because it could lead to market-based solutions for risk coverage, such as insurance pools, reinsurance and alternative risk transfer on the capital market, no longer being examined for cyber risks. An assumption of residual risks by the insurance industry by the federal government would also run counter to efforts to strengthen the personal responsibility of financial institutions, such as with the “too-big-to-fail” provisions.
However, the legal situation can already be assessed. Today there is No constitutional basis for federal coverage of cyber losses. For a governmental fall-back solution, as outlined in the postulate, a constitutional amendment would therefore be necessary before any possible legal adjustments.