A Common Insurance Fund to Improve the U.S.-China Cyber Relationship

Fred Tsai is a senior director of strategy at Salesforce.com in San Francisco. Previously, he served as Dell Inc.’s director of China strategy.  His comments represent his personal views and not those of Salesforce.com.

Strengthening the U.S. economy against cyber threats from China and mitigating the effects of cyberattacks against the United States is a national imperative. Cybercrimes are estimated to cost U.S. businesses more than $100 billion per year and many analysts deem China to be a leading external source of cyberattacks against U.S. corporate targets. These attacks affect businesses of all sizes and U.S. consumers. Indeed, the fast paced growth of cloud computing only exacerbates the dire need for greater defenses against nefarious cyber actors.

Novel approaches to this problem are necessary and there is a window of opportunity to push for solutions. Almost one year ago, Xi Jinping’s visit to Washington, D.C., led to a U.S.-China cyber agreement that launched a joint effort against cyber espionage for commercial gain. There are some signs that cyberattacks of Chinese origin on the United States have moderated somewhat. U.S. policymakers should build on this momentum and negotiate a U.S.-China bilateral cybersecurity insurance fund to cover the losses that result from a cyber incident instigated by a national of either country.

Here is how it would work. The United States and China would each contribute $1 billion to a shared insurance fund, for a total of $2 billion. To put this in context, the total U.S. market for cyber insurance (as measured in premiums) is about $2.75 billion today.  Private companies (or insurers) in each country could then file claims to draw money from the fund to relieve financial losses incurred by cyberattacks initiated by someone in the other country. For example, if a Chinese company suffered a breach and financial loss as the result of a U.S. cyber criminal, the Chinese company could draw on the fund to cover the damages. Attribution would be completed through joint law enforcement investigations or by the insurance fund itself.

After the initial $2 billion investment, the fund would be replenished through premiums, which would increase for the country found to be the source of an attack. This is a very simple representation as many fund structures are possible; the U.S. government could fully commit its side of the funds or the private sector could manage the entire mechanism. At its core, however, the insurance fund would work to improve the U.S.-China relationship on cyber issues and improve U.S. cybersecurity in at least four ways.

First, it would grow the nascent private cyber insurance market. The U.S. cyber insurance market currently lacks the critical mass and actuarial data necessary for scale. It is simply too small, difficult for non-savvy customers to access, and provides patchy coverage. The U.S.-China fund could act as a financial backstop that insurers would gain access to, much like terrorism insurance. The fund would also provide a cache of precedent data and lessons learned that insurance companies would leverage for their actuarial needs. With the U.S.-China fund, the private insurance market would grow much quicker. The span of coverage would also expand to include small and medium sized businesses and individuals, especially those that do not have the means or expertise to purchase expensive and complex cybersecurity policies.

Second, it would impose real financial liabilities on the Chinese government. The U.S.-China fund would ensure that China has skin in the game and faces repercussions if a cyberattack can be attributed to a Chinese national, regardless of whether or not that individual is connected to the government. This would incentivize the Chinese government to reign in malicious hackers and companies that engage in commercial espionage even if they are not agents of the state.

Third, an insurance fund would create more cybersecurity tools for U.S. diplomats and officials.  Today, cybersecurity issues often become bilateral political stand-offs that have cost enormous amounts of U.S. government time and energy. A joint cybersecurity insurance fund would provide an additional set of market-oriented tools for U.S. policymakers, augmenting existing ones such as law enforcement actions and sanctions. Similar to the idea of a cyber bond, the insurance fund would encourage the Chinese to collaborate while building mutual confidence and trust in the search of solutions to common problems. The threat of increased premiums could also spur cooperation between the Federal Bureau of Investigation and its Chinese counterparts to jointly investigate cybercrime instead of indicting officials that will never be tried.

Finally, a common fund would help develop internationally enforceable norms. The U.S.-China fund could eventually be expanded into a multilateral approach under the auspices of an international organization such as the World Bank. It would also act as a mechanism to enforce the existing norm that states should not “knowingly allow” their territory to be used for cyberattacks, a commitment the United States and China have both made at the United Nations. U.S. and Chinese action on this front would act as a model for other countries to follow, such as Russia.

The U.S. economy needs more tools to combat cyber threats and a U.S.-China bilateral cyber security insurance fund would boost the U.S. fight against cybercrime of Chinese origin. The benefits, however, do not end there. More cybersecurity insurance would improve the U.S. private sector’s resilience while also contributing to the confidence and strength of the Chinese economy.  The Chinese economy incurs losses amounting to about $60 billion per year due to cybercrime.  Considering the enormous potential benefits, cybersecurity insurance offers the potential to serve as a pillar for future U.S.-China economic cooperation.