When Islamist gunmen stormed the Westgate shopping mall in Nairobi in 2013 the ensuing gunfight with security forces eventually left 67 dead and many wounded. It also resulted in $78m of insured property losses.
“The military that went in to contain the situation went in very hard and created an awful lot of property damage,” says Tim Davies, head of sabotage and terrorism at Lloyd’s underwriter Sompo Canopius. This made Westgate one of the 20 costliest terrorist attacks from an insurance perspective and highlighted how terrorism is changing.
Inhabitants of the world’s major cities have witnessed the rise of new types of terror strike, where an individual or small group, apparently loosely affiliated to global terror networks, attacks soft targets such as shopping centres and music venues, intent on killing as many civilians as possible.
These attacks contrast with the high-profile targets and central orchestration of the likes of the September 11 attacks in the US in 2001, which aimed for mass destruction.
As terrorists have changed their strategies, insurers have had to adapt their business models and review the coverage they offer. Behind the human cost of sporadic assaults by small groups of terrorists is the damage to property and interruption of trading.
More than 170 people were killed in last November’s Paris attack and the follow-up assault in Brussels this March, including 10 perpetrators. The cost of the physical damage to property was exceeded by the widespread business interruption as authorities responded by shutting down parts of the cities.
“The size of the areas affected by cordons and police closures was almost unprecedented,” says Julian Enoizi, chief executive of Pool Re, the mutual reinsurer set up by the UK government in 1993 in response to the IRA bombing campaign. Most of the UK’s insurers are members of Pool Re, which provides a guarantee, backed by the UK Treasury, to cover any losses from terrorism.
Larger businesses often have insurance and disaster recovery plans to get back up and running quickly. But smaller companies typically do not. Pool Re has developed a discounted, bespoke version of terrorism insurance for small and medium businesses, but has work to do to encourage take-up. The reinsurer estimates less than 5 per cent of small businesses have terrorism insurance policies.
“Part of this is to ensure that business owners understand the true nature and scale of terrorist threats that face the UK,” says Mr Enoizi.
The increased incidence of attacks by smaller groups of terrorists in western cities has been met with rising demand for insurance against event cancellation, denial of access losses — where an attack means that the business owners and customers cannot get into the building — and third-party liabilities.
The latter, called ‘liability terrorism’ by some in the industry, would protect an insured business against being pursued for liabilities after an attack. An example would be a hotel without adequate security measures or a public space where evacuation procedures failed.
There is an increased sophistication now from five years ago
In the US, “active shooter” policies insure universities and other institutions against costs arising from a lone shooter rampaging on their property. These are designed to protect them against legal liability if they are judged to have failed to prevent an attack.
But thinking solely in terms of small groups can understate how advanced terrorist attacks are becoming. “There is an increased sophistication now from five years ago,” says Wendy Peters, terrorism practice leader at consultancy Willis Towers Watson, pointing to the plan by the recent Brussels bombers to target a nuclear power plant.
Another emerging threat to which insurers are having to adapt is the potential damage caused by attacks on digital infrastructure. Cyber hackers, which security experts believe may have been backed by the Islamic Republic of Iran, have made headlines with attacks targeting banks, oil companies and even dams.
But cyber insurance does not fall neatly into terrorism insurance, as it is often difficult to establish the perpetrators’ identity. In one of the best-known examples that included property destruction, reports emerged in 2014 that hackers had compromised the computer systems of a German steel mill, causing huge damage to a blast furnace. There was a similar attack on a Turkish oil pipeline six years earlier.
“Was it a terrorist, nation state, disgruntled employee?” asks Mr Enoizi of these acts. The consensus among security analysts is that terrorists without state or insider support do not yet have the technical resources to conduct a cyber attack, but Pool Re is conducting a wide-ranging study on the nature of this threat, the capability of the terrorists and the size of the losses that could be incurred.
Insurers expect further cyber terror attacks to follow. “If and when terrorists have the capability to utilise a cyber capability as a weapon, then they will,” says Mr Enoizi. “That threat may be one that only a mechanism such as Pool Re can deal with, given the potential scale of losses.”
If and when terrorists have the capability to utilise a cyber capability as a weapon, then they will
Lloyd’s insurer Novae Group says it has seen a huge increase in inquiries and take-up for cyber insurance in the past few years, though it does not provide numbers. Novae says the policies are no longer primarily focused on data privacy.
Dan Trueman, head of Novae’s cyber division, says: “We have moved beyond privacy towards policies that focus more on the first-party consequences, namely business interruption, reputational damage and system failure.”
The work still to do is about quantifying the risk and developing services that can manage it. But property owners are increasingly accepting that they can be subject to cyber attacks, and be affected by attacks by small groups of terrorists, which they would not have even considered until just a few years ago.