In Depth: Terrorism - Protecting the City: is the market prepared for a terror threat?

A bomb detonates in London, injures 44 people, kills one man and leaves £350m in damages. It’s not a scenario the city has to imagine, the Irish Republican Army’s bombing of Bishopsgate left London to deal with that exact outcome 23 years ago.

In the 1990s several major blasts hit the city’s financial heart, both around Liverpool Street and at Canary Wharf. The claims that followed triggered the launch of terrorism reinsurer Pool Re, the government’s Ring of Steel series of protection measures and other long-term changes to the financial markets.

However, as both the nature of the terrorism threat and the market itself have changed since, is London’s insurance sector ready to face another threat close to home?

Pool Re currently covers property damage and business interruption that results from that damage but the reinsurer has consulted with government to widen its remit in the past, particularly following the attacks on the World Trade Center in 2001, when its definition was expanded from acts involving fire or explosion to include risks posed by chemical or nuclear attacks among others.

Pool Re’s chief underwriting officer Steve Coates said the attacks in Paris last year and Brussels earlier this year have precipitated discussions around modern terrorist methods and the impact on the sector.

“Now there’s more of a debate in the insurance industry about the extent to which things like non-damage BI can be covered and if most of the terrorism pools around the world respond to actual damage or damage in the vicinity of something,” Coates said.

“We have a purpose in the broad area of terrorism to understand the risk, to help the insurance industry respond and if the industry is changing, then clearly we need to be part of the debate to see if there is a better way for insurance products to respond to these threats.”

In February this year Pool Re appointed a head of risk analysis, Ed Butler, to specifically look at how the threat was changing and, on the cyber front, the reinsurer has engaged academics to examine its role in cyber terrorism cover.
Coates said: “We have been asked if we will look at the risk of cyber terrorism as distinct from other forms of cyber [risk], and work out can we understand the risk to the extent that we might be able to offer some cover in the future.

“However, it’s probably the back end of this year by the time we get the report and digest it and work out what we’re doing [with it].”

On an industry level, key players in the market are taking steps to prepare for a major attack, whether at home or abroad.

Element of fear
Hiscox chairman Robert Childs has long been pushing for a plan to stress test the Lloyd’s market, particularly since much has changed following the WTC attacks, which he said was a defining moment for the sector.

“It had that essential element of fear; it’s important to get some practice in how we react to something like this,” Childs said.

“Lloyd’s at the time had disaster scenarios that envisaged aircraft crashing over New York but what actually had the impact was people flying planes into the building, and a lot of people in insurance worked in those buildings, a lot of people from Marsh and Aon, so people in the industry had friends who died.

“What affects the response is that there’s a sadness. If an event happens where decision-makers live, that also doubles the impact. There’s nothing like a senior person looking out the window and seeing [for example] his own car floating down the street.”

He said the world, and the financial markets within it, had changed greatly since 2001. Solvency II has changed capital requirements while the Prudential Regulation Authority’s predecessor, the Financial Services Authority, was only in its infancy and just covering banking supervision.

“The decision chains have changed. What I want to do is have a dry run and just test what might happen,” he said.

“Most of the people now who are the key decision-makers in a lot of insurance businesses are people in their 30s, and they probably would have been at school or university on 9/11.”

He said the market is moving towards a trial in quarter three this year and discussions have taken place with several key stakeholders.

“It has to be a reasonable representative group; the key point is to look for deliverables, so actions to come out of it, we’re not doing this for fun.”

Nick Misselbrook, associate principal at Thornton Tomasetti Defence, which specialises in protective design, said the threat was increasingly multi-faceted.

“We’re looking at really a holistic approach to security covering a wide variety of measures, that’s what all the government advice is telling us at the moment,” Misselbrook said.

“In the city context, the EC3 context for example, there are now a lot of road closures and one-way systems, which minimises the different routes that vehicles can take or the size of vehicles that can come into the City.

“We’re the last resort because we’re preventing the worst case from happening if there is a bomb blast event for example. You’re preventing the building from collapsing, you’re preventing glass from being thrown into or out of the building.”

Changing security approaches
Changes like the National Counter Terrorism Security Office’s crowded places risk management programme, which Pool Re encourages through a discount for businesses taking up the scheme, are new and have changed security approaches since the IRA bombings in the 1990s.

“There’s specific advice on protecting private spaces for example, that type of advice wasn’t available in the 90s and there is a focus on that specifically in the reinsurance industry,” Misselbrook said.

He said the make-up of the city changes the potential impact of a blast but there were improved modelling technologies to help better predict losses.

“We have sophisticated computational fluid dynamics  analysis tools to better define what the pressure impulse loading is from that type of explosive event and relate that to new types of building damage so that you get a more accurate measurement of what losses could be,” he said.

“You get what’s called the urban canyon, where blast can romp up a street, or you can get blast seemingly going around buildings in possibly a counterintuitive way.”

While blast remains a threat, cyber hacks have grown substantially since the 2001 WTC attacks.

According to a report by JLT Re, as insurers of last resort, pools may better serve the market by providing backstops for risks that carriers have difficulty modelling or where systemic risks lie, such as chemical, biological, radiological and nuclear threats and cyber.

Tokio Marine Kiln underwriter Justyn Hardcastle said while a cyber attack could come from anywhere, the major risk scenario it models is a key vendor breach.

“You’re looking at companies along the size of Google, Amazon, where a large number of our insureds would all use the same vendor,” Hardcastle said.

“The capability of the insurers is there, it’s really having the service providers [forensics and legal] to deal with a large scale incident which may be lurking, it’s yet to be fully tested outside of the US.”

However, he added: “The UK, in terms of cyber response, is catching up with other areas of the world, the government has done quite a good job in terms of setting up the specific part of the national crime agency to respond to cyber threats.”

A more complex threat
Chris Holt, head of credit, political and security risk consulting at JLT Specialty, said: “Terrorism has evolved into a more complex threat for businesses and insurers, with both attacks and fatalities seeing steep increases since 2011.”

“But this isn’t just about an increase in activity. The rise of Islamic extremism, combined with the potential access to weapons, explosives and toxic materials, comes at a time when modern communications and technologies are being exploited by groups as recruitment tools, communication channels and potential attack vectors.

“This means today’s terrorist threat is more dynamic with impacts that are difficult to accurately predict.”