Five factors to grow cyber ILS

Insurance-linked securities (ILS) designed to cover cyber risk seem a no-brainer to me. Cyber is a typical tail risk for insurers that binds significant capital and therefore insurers want to transfer some of that risk. Global investors on the other hand draw from a vast capital pool, seek attractive returns and look for risks that don’t correlate with the rest of their portfolio.

Towards the end of last year we saw the successful placement of the first public, easily tradeable (i.e. 144A) cyber cat bond hit the market, sponsored by Axis Capital. It was quickly followed by further releases from Chubb, Beazley and Swiss Re. While a few privately placed cyber cat bonds had been issued before, this clearly marked a milestone in the development of ILS for cyber risk transfer.

So where are we heading from here? I recently was asked for an interview on this topic by Leo Heinen, a master student from the University of Cologne, Germany. This ended up not only being a pleasant exchange in general, but really got me to ponder on what I believe is needed to further grow the cyber ILS space.

Explain cyber insurance

Insurance is actually a weird product – a fact often forgotten once you work in the industry. As an insurer, you sell a promise for future (mostly monetary) services under certain conditions - under the assumption that you roughly know what the COGS (cost of goods sold) are. And within the insurance product universe, cyber insurance is one of the more complex pieces. Two characteristics stand out for me: cyber cuts across many “traditional” insurance classes, with elements from property, fidelity, kidnap/ransom, liability and professional indemnity. And cyber insurance is a man-made peril offered in a rapidly changing environment, both technologically as well as legally. Furthermore, the last few years saw massive efforts to provide clarity around what is covered and what cannot be covered (war, infrastructure), a development that needs to be actively communicated. And we should recognize that investors were burnt by “unknows” before: paying COVID-related losses under property policies was on no one’s radar. So the first factor to win cyber ILS investors: ?we need to explain investors how cyber insurance works, building trust in the product and minimizing room for surprises.

Understand past losses

You often hear that there is no loss experience for any benchmarking. That is partially true… we have seen a few near-misses, but never a really catastrophic cyber incident of a size that would typically trigger an ILS product. However, there was a good number of smaller accumulation incident with cyber insurance losses. Microsoft Exchange, Kaseya, MOVEit, Change Health, CDK or Crowdstrike are some of the more recent ones. These could be used as blueprints for counterfactual analyses, extrapolating to possible larger impacts while remaining rooted in real events. But what we do lack is a good understanding of the details with respect to the number and type of claims filed, the coverages triggered and the payouts eventually made. So factor number two: we need to provide more clarity about how insurance policies responded to past cyber incidents – ideally as an industry in general, but certainly as an individual company trying to sponsor an ILS.

Improve models

There is a strong information asymmetry between an ILS sponsor, i.e. an insurer or reinsurer, and an investor. So understandably, investors want an independent third-party to assess the risk of the ILS investment. In natural catastrophe bonds, established cat modelling companies assume that role, providing often substantial detail about their models and the bond’s risk profile in the offering circular. Cyber cat modelling only started in earnest some ten years ago. They’ve come a long way, with substantial investment, and are by now widely used in the insurance industry for allocating underwriting capacity and managing company risk appetite. They may not be in their infancy anymore, but they are certainly not settled grown-ups either. So a third factor is the need to constantly push for further development and improvement of these models, and to be transparent about model strengths and weaknesses.

Tailor conditions

The traditional cyber reinsurance market is dominated by quota share and aggregate excess of loss / stop loss covers. Both of them do not require a definition of what constitutes a “cyber event”. Of course, ILS covers that mimic these products are possible (e.g. collateralized quota share/sidecar). But ILS investors generally want to stay away from small but frequent (“attritional”) ?loss covers, their true appetite being the large, infrequent catastrophe losses. And these require an event definition that leaves as little ambiguity as possible. Definitions exist in the reinsurance market, but it is fair to say that this is not yet as standardized as in property cat wordings. A further concern is that losses could develop over a long time, with investor collateral being locked up over extended time periods – shortening the tail via “claims made” cover, collateral release provisions or fixed cut-off dates are possible ways to address this. A further option we have at our hand are covers based on industry loss triggers such as those from PERILS/AcuView and PCS. So factor number four: we need to be creative in offering products that address legitimate investor concerns.

Assess correlation risk

A key selling argument for natural catastrophe bonds is that they are very unlikely to correlate with equity or bond market investments. A stock market crash will not trigger a Florida hurricane. And a Florida hurricane may have an impact on certain market segments (e.g. insurer and reinsurer shares may suffer), but a broad global sell-off seems hard to imagine. With cyber, there are more question marks. A devastating global computer virus spread that paralyses hundreds of thousands of companies for days on end would certainly trigger a market reaction. Is there a way to quantify this correlation risk? At what cyber incident severity would correlation kick in? Could the market reaction to the COVID pandemic serve as a proxy for a cyber catastrophe? So my fifth and last factor: we should foster research into how extreme cyber insurance loss scenarios would (or would not) affect global capital markets.

?

As we’re entering another round of reinsurance renewals, it’ll be exciting to learn how many cyber ILS products and what principal amounts will be placed this year. In early September Beazley already kicked it off with another PoleStar Re cat bond tranche. So stay tuned, I’m sure more is on the way.

?

Author’s note: the views and opinions expressed in this article are solely my own.

#cyberinsurance #cyberILS