Increasing demand for cyber re/insurance have made the need for fresh risk capital acute. After seeking support from the insurance linked securities (ILS) market, re/insurers may be on the brink of a major change.
Property Claim Services, a Verisk business, has conducted original research with 24 ILS funds representing nearly 80% of the sector as measured by assets under management. ILS appetite for cyber insurance risk has increased, with many funds interested in entering the market this year.
Historical barriers such as structure and modeling may not be as problematic as they were in the past, and narrowing spreads on cyber ILS have made the risk more attainable for providers of collateralized protection.
Market dynamics have pushed pricing to levels that ILS funds can reasonably contemplate, which means that scale may soon follow.
The cyber re/insurance market may be closer to a new source of capacity than it realizes, and it appears that the timing could not be better.
The access insurance linked securities’ (ILS) capacity for cyber risks
For years, the global reinsurance industry have either lamented the inability to access insurance linked securities’ (ILS) capacity for cyber risks or simply declared that ILS should become available to help with no reason other than the traditional market’s need for capital.
As a result, it appears that a mix of frustration and disinformation swirled across the global re/insurance industry regarding the ILS market, its appetite for cyber risk, and the barriers between ILS capital and the cyber re/insurance market.
Along the way, there has been little discussion of these issues with the ILS community, which is evident from the narratives being advanced. Based on Property Claim Services (PCS) research, the ILS market is ready to engage with cyber re/insurance risk, provided it can do so sensibly.
Market conditions have, in part, made it easier for the gap between cyber re/insurance and ILS to be bridged. Some re/insurers have reported increased struggles with capacity shortages over the past three years, and at the January 1, 2022, reinsurance renewal, it was reported that many insurers were not able to get all the protection they sought, even on reinsurance rate increases of up to 50%, which itself represents acceleration from the July 1, 2021, reinsurance renewal’s increases of 40% (Sheehan 2022, Reuters 2021).
Many reinsurers struggled with capacity, given a lack of access to retrocession, which would require new sources of capital, given the concentration risk observed in the cyber reinsurance sector.
ILS has often been raised to PCS by some as a potential solution to the capacity constraints experienced across the re/insurance industry, but rarely with any examinations of the conditions that have prevented for so long the connection of the ILS and cyber re/insurance markets.
While many of the conventional impediments to cyber ILS are concerns – such as model maturity, potential correlation with financial markets, deal structure, and deal price – not enough focus was put on more imminent challenges in the ILS market, such as the erosion of capital due to five years of heightened natural catastrophe activity, reinsurance rates inconsistent with the realities of collateralized instruments, and buyer expectations on price, which remained low until the current shortages helped tighten spreads.
With concentration risk among the largest cyber reinsurers in the world a reported significant problem for the global re/insurance community, new capital could be crucial to future market growth.
Outside capacity could support the development of a robust retrocession market, which is a role the ILS market has played before – in the property-catastrophe space. To help history repeat itself, this time in cyber, PCS surveyed more than 75% of the ILS community by assets under management (AuM) to gauge how they see cyber re/insurance risk and its suitability to the ILS market.
Contrary to popular belief, there is already consistent cyber ILS activity, although it remains limited in scope. Based on responses, many more ILS funds, however, have already evaluated the cyber re/insurance market, contemplated how they would assume the risk, and have even expressed an interest in engaging in cyber ILS trading in 2022.
What cyber insurance is and what it includes
Cyber insurance is notoriously difficult to define. The Association of British Insurers (ABI) offers the succinct effort: “Cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks”.
The ABI further explains that such policies may also offer support related to managing cyber incidents. Other similar definitions can be found, but they ultimately fall short of an overarching definition. That is to be expected in a market that is still relatively new, experiencing rapid growth (at least until recently), and is continuing to evolve both to market demands and the threat environment itself.
While there is no single, coherent definition of the cyber insurance in the global market, what is generally accepted as the cyber insurance market includes the insurance used to protect customers in the event of breaches of proprietary systems, disruption of systems’ use and operation (which could be internal or external, unintentional or intentional), and ransomware and cyber extortion.
Other scenarios are a lack of standardization in the cyber insurance market, with some narrow programs addressing only specific scenarios, such as breach, and other taking a broader scope, to include technology errors and omissions (“tech E&O”).
The use of manuscript policies over standard forms results in further definitional challenges.
Cyber insurance is typically considered along two lines: first-party and third-party coverage, with the former regarding losses “directly suffered by the insured” and the latter those “brought by parties external to the contract”. The former tend to be seen as more straightforward, given that they involve the insured itself, according to conversations with cyber re/insurers.
The belief that third-party issues could profoundly elongate the cyber insurance claims process has yet to be thoroughly tested, at least among losses of at least US$100 million, according to data from PCS Global Cyber, because there have been so few single losses of that size and because the economic losses in those cases have tended to be much larger than the insurance in place.
Finally, particularly in the reinsurance market, the cyber is increasingly seen according to yet another distinction: privacy and business interruption. In this context, privacy refers mostly to data breach events, while the latter refers to the disruption of systems to the point where the ability of the business to operate is impeded.
Business interruption tends to be seen as having the greater potential for insured loss between the two, according to client conversations across the market. However, the data does not bear this out, at least not yet.
The largest insured loss is for a breach event, at an industry-wide insured loss of approximately US$350 million. On the other hand, the largest industry-wide insured loss for a wiper or ransomware so far is only US$275 million, with the total affirmative cyber loss from NotPetya (including Merck) still falling short of the Marriott total.
This oversimplification does omit a wide range of other loss types, but it reflects the general sentiment of the sector, with those writing more specific areas, like tech E&O, consisting of smaller pockets of the broader segment.
Historical misconceptions about Cyber ILS
Much has changed since Strupczewski wrote that “reinsurers remain conservative about their cyber risk exposure,” when premium was estimated to be a mere US$525 million. Today, PCS estimates that each of the three largest cyber reinsurers writes more premium than that.
Worldwide affirmative cyber reinsurance now sits at approximately US$2.8 billion, based on PCS client discussions, with the four largest accounting for US$2.1 billion in premium and the next three almost US$350 million.
The cyber reinsurance sector has grown with remarkable speed over the past five years, even if that pace has ground to a near halt recently.
In addition to size, the cyber reinsurance sector has undergone structural changes, as well. The liberal use of quota shares noted by Strupczewski five years ago, has reportedly given way to more frequent adoption of excess of loss treaties and a willingness to evaluate other risk transfer structures, including the index-triggered instruments he mentions, such as industry loss and parametric. Some of this apparently comes from an appetite to manage risk and capital more effectively, although the growing flexibility in risk transfer likely has much more to do with the availability of capacity. Even with the rapid growth in cyber reinsurance over the past five years, PCS has seen underlying demand increase even faster, allowing reinsurers more of a voice in structure and terms.
The increased use of new forms of risk transfer in the cyber reinsurance market appears to have renewed discussions about the potential role insurance ILS could play in the sector.
The ILS market originally formed as a way to bring fresh capital to the property-catastrophe when demand was acute and capital was in short supply, and similar characteristics appear to be present for cyber, if not to the extent witnessed for property-catastrophe after Hurricane Andrew 30 years ago. While the ILS community could certainly play a role in enabling greater cyber re/insurance sector flexibility and growth, little attention appears to have been paid in the scholarly community to the mechanics of the ILS market, to include structural barriers that have prevented broad adoption of ILS by the cyber re/insurance market so far.
Attitudes on cyber re/insurance and ILS tend to be as polarized as they are blunt. Some simply posit a role for various forms of risk transfer – to include industry loss warranties (ILWs) and parametric instruments – using ILS capital with no justification other than the need for capacity in the cyber re/insurance market. There has been little use of either approach in cyber re/insurance so far, with some early efforts in 2020 for parametric triggers (trigger details not disclosed) and progress toward ILWs with no completed transactions yet.
Cyber ILS trades have been completed, and several of them have apparently become strategic relationships that have been renewed several times, according to PCS market sources, even in what is largely perceived as an increasing threat environment.
While there have been many barriers to cyber ILS – including modeling, historical loss activity, and general discussions about price and familiarity with the risk – some of it comes down to end-investor expectations and ILS fund manager strategy.
Losses require focus. With the past five years being loss-intensive – and with major catastrophe losses requiring fund manager attention for years after the wind has stopped blowing – the ILS sector has had to spend time and effort understanding loss events, reserving, communicating with end investors, and revisiting their portfolios. Many have raised additional capital.
Although property-catastrophe risks have been problematic, ILS funds specialize in that category and have needed to address the loss events, a process that continues, particularly with Hurricane Ida in 2021.
Reduced capital positions have also made it more difficult to experiment with new classes of business, particularly one as large, high-profile, and difficult to understand as cyber. Even at attractive ROLs, cyber has not been able to find an easy home in the ILS sector.
Of course, cyber pricing likely would have to increase not just from what had been quoted in the past; it would also have to compete with the higher property-catastrophe ROLs that come with a hardening market.
Based on many PCS client conversations over the past five years, ILS funds would require a premium for cyber relative to property-catastrophe risk (effectively a novelty premium) for theoretically commensurate risks. Even then, though, many ILS funds would likely sacrifice a generous novelty premium to stay with familiar classes of business.
An important change in the cyber re/insurance market
An initial sense of discouragement would be as forgivable as it is intuitive. PCS client conversations might seem to suggest a stasis in ILS appetite regularly reinforced by increasing property-catastrophe ROLs, to the point that cyber ILS could not be a realistic alternative.
However, despite the headwinds detailed above, ILS interest in cyber re/insurance risk has shown signs of increasing over the past 18 months, even in the face of the ransomware epidemic and a wide range of geopolitical considerations. In casual client conversations, part of the reason for this comes down to simple fatalism – many just feel that cyber will become part of the ILS market eventually.
It is hard to see that much demand for a cover so broadly needed go unaddressed for too long.
Underlying that fatalism, however, is an important market dynamic that is helping to hasten the entry of cyber reinsurance risk into the ILS sector: A lack of access to retrocession.
Reinsurance has become a fundamental factor in the growth of the cyber insurance industry, identified as far back as 2014 by Biener, Eling, and Wirfs, who observe, “The development of a viable cyber market could thus benefit from increasing reinsurance capacity for the risks”.
Insurers cede approximately 55% of what they write to reinsurers, PCS has learned through many client conversations, and they generally remain reluctant to grow by retaining more risk.
For a while, many reinsurers reported they were content with this relationship, but as industrywide affirmative cyber reinsurance premium surpassed US$2.5 billion in 2020, according to PCS internal estimates growth began to slow, still reaching US$2.8 billion by the end of 2021.
While the prospect of a government body as “an insurer of last resort” has not been necessary to fuel profound cyber re/insurance market growth.
Based on PCS estimates, the drop from the fourth largest cyber reinsurer to the fifth is quite steep (more than US$250 million). In fact, the “next four” (reinsurers ranked fifth through eighth based on cyber reinsurance premium) show US$425 million in aggregate premium, making them together only slightly larger than the fourth-largest cyber reinsurer.
Even the entirety of the cyber reinsurance market below the top four amounts to just over US$700 million in premium. The concentration of premium among such a small cohort – and the lack of alternatives below them – indicates some of the structural challenges faced by the cyber re/insurance market.
Concentration risk could be one of the biggest difficulties the sector faces, and it manifests in a practical manner in several ways.
First, the four largest reinsurers struggle to gain access to retrocession capacity with any scale, according to PCS market sources, given that trading among them would likely result in only further increases in concentration risk. This has been evidenced in the market with at least two such risk-transfer transactions, both of which have become only more difficult to place, according to conversations with clients that have direct visibility into or experience with those placements.
Additionally, it can be difficult for mid-sized and smaller reinsurers to engage in retrocession with each other, for the same concentration reasons. While the demand for capital may not be early as large as it is for retrocession placements among the top four, smaller players still encounter the same issues around capacity constraint and concentration risk. Two smaller players may have the same challenges as two larger players, for example. The result is a logjam in the cyber reinsurance market as a result of limited access to retrocession capacity, and it comes at a time when demand has been higher than ever.
2 of the 4 largest cyber reinsurers, according to PCS knowledge and client discussions, and two more in the top ten, have engaged in cyber retrocession transactions over the past two years.
At least three more cyber reinsurers are looking for retrocession capacity as of this writing. Further, there could be significant uncommunicated demand, with reinsurers not looking for cyber retrocession capacity because they do not believe any is available, and further still, some reinsurers might look to cyber retrocession, if it becomes available, as a way to fuel a new or revised strategy for that class of business.
Given sufficient capacity and the reasonable expectation that more will become available, demand for cyber retrocession could accelerate rapidly. The flow of additional cyber reinsurance capacity – to include retrocession – has been limited to a trickle so far according to market sources, with some new players engaging at the January 1, 2022, reinsurance renewal.
Far more capacity will be necessary to make a difference in the smooth functioning of the market as it is today, let alone to bring the original cyber insurance industry back to a trajectory of rapid growth. While many have identified the ILS sector as a potential source of capital – including Dal Moro, Carter (S.) and Mainelli, and the teams writing for the Geneva Association – nobody has tried to ascertain what developments would be necessary to bridge the rest of the gap between the cyber re/insurance market and the ILS sector.
AUTHORS: Tom Johansmeyer – PCS Verisk (Bermuda), Alex Mican – PCS Verisk (United States) by The Journal of Risk Management and Insurance