Cyber risks and government pools. Too soon?

With penetration of cyber risk re/insurance increasing and seen as a huge opportunity for the market, questions turn to how best to back-stop the growth of this emerging line of business, with the help of government support or through private initiatives, including using the capital markets?

Rick Welsh, Chief Executive Officer (CEO) of Sciemus, Tom Johansmeyer, Assistant Vice President, PCS Strategy & Development at ISO and Alex Mican, Product Development Manager, PCS at ISO, address the question in this article, exploring whether private and capital market (or ILS) efforts could provide the best risk transfer, reinsurance and retrocession solution for cyber risks.

Cyber Risks and Government Pools: Too Soon?

Think back to 20 years ago. We were still coming to grips with the future potential of the Internet. Cocktail parties often featured ‘what if?’ conversations that seemed utterly fanciful. What if your refrigerator knew you were running out of milk and ordered it for you automatically? And nobody figured it could be a drone that delivered the order. What if your car could tell your insurer about your driving behaviour to get you a better rate based on your verifiable risk profile? Or perhaps, what if you could find the love of your life on your mobile phone? The speculation was endless, and it’s starting to become a reality.

With progress and convenience, however, comes exposure. Absent a mature insurance market, it’s ultimately the insured that very often bears the exposure, be it personal or commercial. And that’s where we are with cyber right now… for now. Cyber exposures have grown at an incredible rate, and the traditional insurance industry has struggled to keep up. There are pockets of innovation across the insurance industry that have the potential to support significant cyber insurance market growth, but it will likely take time for these new developments to take hold. So, what do we do until then?

There are generally two basic schools of thought on this. One is to double down our interest and investments as an industry to drive greater cyber insurance penetration based on the innovative efforts completed or in progress. The other is to seek a government-based solution.

In a recent survey, Deloitte claimed that a number of factors affect cyber insurance penetration rates—with too much heterogeneity in policy wordings and language that was both impenetrable and esoteric at the top of the list. With this in mind, would a government-based solution be the answer? The wordings would still be difficult—they’d merely move the burden from the insurer to the taxpayer! And in any case, a government-based solution ultimately would likely be achieved with the help of private industry.

So, is this really an issue of capital—and whether the private insurance and reinsurance industry can provide enough? Or is it one of data and threat intelligence?

When you consider the real risks that insureds (or uninsureds with cyber exposure) face, it becomes clear that the latter is a greater problem than the former. Capital is often abundant for well understood risks. With cyber, perhaps the understanding is the problem. Can we ascertain at the moment whether Iran, China, North Korea, and Russia are on a ‘digital war’ footing? Did the US government tell us about the silent cyber war involving North Korea over two presidential administrations? Or that India is defending itself against Chinese and Pakistani hacking? How do we know that 97 per cent of attacks reportedly start with a phishing attack?

Given the exposures involved—as well as supposedly thin data on insurance loss history and other factors—it’s tempting to see the state as the preferred provider of cyber cover.

Cyber may be difficult to write, meaning that concerns about profitable underwriting arise fairly quickly, particularly where little of the necessary security subtext exists. Even with few large losses in the past decade and low combined ratios, the fear of the ‘big one’—the ‘cyber hurricane’ of accumulation—persists. Yet, to turn to the government at this stage in the cyber line’s evolution might be to seek a hasty solution to a problem the commercial market could likely solve more effectively.

For context, let’s assume the argument for government intervention is loudest for critical national infrastructure (CNI). The exposures are high, as measured by financial and political measures alike. While one would think CNI would be a classic case for government involvement in risk transfer, the contrary tends to be true. In the UK and US, for example, there’s considerable government support to incentivise commercial involvement in providing protection—not to mention for developing markets so the state doesn’t have to fund the ultimate risk. After the 2008 financial markets contagion and aftermath, it seems more likely that government will encourage market forces and private capital to deal with the problem first. There may come an inflexion point where the global insurance and capital markets can’t provide the certainty or volume of protection required by society, at which time a state solution would likely emerge as the accepted ‘insurer of last resort’. But we aren’t there yet.

In any event, for all the posturing, the politics involved would like render a government backstop almost impossible in the absence of a catastrophic event affecting CNI (be it natural or man-made). The gentle encouragement by regulators in the UK and US could be interpreted as testament to that.

‘Mother should I trust the government?’

The musings of Pink Floyd seem appropriate here. Generally, government-backed programs in the insurance industry have done a good job of protecting citizens. The Turkish Catastrophe Insurance Pool, PAID in Romania, the California Earthquake Authority, Citizens Property Insurance Corporation, and various residual markets have made insurance available at reasonable prices where it might not be possible otherwise. And the terror pools in Europe and Australia played an important role in providing protection for a peril that was historically difficult to underwrite.

Let’s take a look at a few of these cases, though. Generally, they’re different from the situation we’re seeing with cyber.

Terror, of course, is the classic case. The last major loss was the series of coordinated attacks on September 11, 2001. And of course, it was massive, with a PCS® (Property Claim Services®) catastrophe loss estimate of $18.8 billion. Prior significant losses include the 1993 World Trade Center attack ($510 million, according to PCS) and the Oklahoma City bombing of 1995 ($125 million, according to PCS). In the 1990s, the NatWest tower bombing of 1996 resulted in an industry-wide insured loss of £500 million, according to data from Swiss Re Sigma. Frequency is low for high-severity events. And following an outlier event of unexpected magnitude, the insurance industry effectively pulled out of the terror market. However, the need for protection persisted—and was arguably greater than ever (the situation in the UK following the terror attacks of the 1990s is similar).

The combination of demand and absence of realistic supply begged for a government solution. And it worked. For a while. Over time, the global insurance and reinsurance industry became more comfortable writing terror risk, to the point where, today, rates are generally falling and some terms are broadening at a pace that makes some in the market a tad uncomfortable. When the standard refrain is, ‘I can get you all the UNL you want’, it’s probably time to take a breather.

But that’s not the point.

What’s illustrative is the fact that terror went from being virtually uninsurable to a case study in soft market dynamics in less than 20 years. During that time, the government-backed solutions stepped in and did an effective job of providing protection for their citizenry. And now, the commercial market has reengaged to the point where capacity is seemingly abundant (more on this another day).

The Florida market provides another interesting view. Several mechanisms (such as Citizens and the Florida Hurricane Catastrophe Fund) sought to make property insurance more accessible. And they did. Over the past few years, a wave of start-ups has facilitated the depopulation of Citizens, returning that risk directly to the commercial market. Where the company is needed, it still serves its purpose effectively. And where the commercial market can pick up the risk, it does. Recent moves to purchase commercial reinsurance by the National Flood Insurance Program (NFIP) suggest a similar trajectory, along with vocal interest in covering flood coming from the insurance-linked securities (ILS) community.

Where necessary, government-backed insurers provide a vital service. But is cyber there yet?

‘Mamma’s gonna put all of her fears into you’

Again, we think Pink Floyd’s on to something here. Cyber is scary. All of those ‘what if?’ conversations from the 1990s are becoming a reality. Personally and professionally, cyber exposure is massive. And we still haven’t seen the industry-defining cyber event—the way Hurricane Andrew reshaped the property-catastrophe space for decades to come.

Well, some actually might say the redefining of the cyber sector is already upon us.

Certainly, regulators on both sides of the Atlantic are asking pertinent questions. As Symantec recently pointed out, the cyber insurance market will irrevocably be changed by the Dyn (Mirai malware) attack of 2016. So far, the market may not realise this, not to mention how the recent Amazon Web Services failure (not an attack) should be of more concern.

But does it have to be scary? Or as Pink Floyd would put it, will mamma ‘make all of your nightmares come true’? Will a government cyber scheme ‘keep baby cosy and warm’?

It’s probably a bit early in the game to cede it all to a government solution. The commercial space hasn’t had enough of a chance to give it a go, and early signs are positive. Those insurers with a deep understanding of cybersecurity are more likely to grasp the nuances of Tallinn Manual 2.0 (which addresses concerns of international law as related to cyber attacks and defense), equipping them to engage in risk analysis and capital allocation more effectively—both in terms of generating returns for shareholders and broadening protection (to increase relevance) to original insureds. Meanwhile, a state-backed alternative may not provide better risk understanding, a point far more important right now than capital availability. To understand why cyber should reside in the commercial market (for now at least), it helps to consider other risks in which government involvement has occurred.

When you look at global terror, Florida wind, California earthquake, and similar risks, there was a clear need for a government scheme, and then many insurers (existing or start-up) sought ways to ‘repatriate’ the risk back to the commercial market. It makes sense. Otherwise, citizens effectively transfer the risk back to themselves—from their personal accounts to themselves as taxpayers, although perhaps pooling the risk with unaffected taxpayers provides a little relief at the expense of social equity. Ultimately, moving the risk back to the commercial market has shown signs of being quite effective. And if that changes, there’s a track record in place to address it.

Let’s not lose sight of the fact that the above risks were tested. And the need for government intervention was apparent. Cyber, on the other hand, hasn’t quite gotten there yet. Insured losses, in general, have been low because of the historical paucity of cover (excess $100 million is a relatively new development). Even the overall economic losses haven’t been catastrophic. There have been few shareholder events, and the overwhelming majority was brief. In fact, some of the highest-profile losses had little impact in the way of share price.

PCS has analysed about a dozen major events within the last decade. From that, we can draw some interesting conclusions. Some companies have sustained significant shareholder value impacts following cyber events, among them Yahoo, Verizon, Target, Sony, and Xoom. However, the shareholder value outcome is hardly uniform. Some affected companies have been able to maintain their credibility with shareholders following a cyber event; others were hit hard. Essentially, it all seems to come down to the timing of the announcement and how a company is perceived by its customers or clients.

Ten years ago, from our research (based on limited loss history), the shareholder impact of a cyber event was far greater than it is today. After all, the line of business is still in its infancy—which means it was a zygote, of sorts, in 2007!

Let’s start with Heartland Payment Systems. A breach occurred in 2009. Trading in the stock halted after the price fell more than 9 per cent during the day. Ultimately, it reached a low that was minus 73 per cent below its pre-breach trading level within two months of the incident.

Since then, the market has evolved. Understanding of cyber threats has increased (even if only modestly). With the Target breach, which occurred in 2013, the share price slid for 50 days, ultimately reaching a low of 13.3 per cent below the company’s share price before the breach announcement. A combination of brand value, consumer behaviour, and greater acceptance of cyber risk likely made a difference. More recently, Yahoo suffered a 6 per cent decline over three days as a result of a series of breach announcements. The loss is still developing though, with the Verizon takeover a complicating factor for any analysis.

Share price impacts due to cyber attacks - Source: PCS, a Verisk Analytics business

As the market becomes more comfortable with cyber risk, thoughts are going to turn toward how to transfer it more effectively—especially as that option becomes more realistic. The standard consideration of a massive cyber catastrophe may prompt a visceral reaction resulting in the contemplation of a government-based solution, but loss history suggests otherwise. Ultimately, to rely fully on government solutions to cyber would likely result in a longer and more tedious process for capital recovery than the private market could facilitate, while likely forcing the cost onto unwitting taxpayers—rather than shareholders who have opted into the risk (and return) through company ownership.

‘[D]id you exchange a walk-on part in a war/For a leading role in a cage?’

There’s a clear need for greater cyber protection, both broader and deeper. And the question remaining is whether the commercial market has sufficient capacity to absorb the risk. The answer, it seems, is a resounding ‘yes’. In particular, the ILS market could play an important role in keeping cyber risk in the commercial market.

According to various market sources, there’s more than $1 trillion in capital worldwide looking for access to insurance risk. At the recent Artemis ILS NYC 2017 event, John Seo of Fermat Capital, said, ‘For every dollar of money that you see in the market right now, I think there is roughly $10 on the sidelines waiting to come in if the market hardens’. That thinking can be extended, ostensibly, to the introduction of original risk into the market, even if not at a 10:1 rate.

The ILS market is hungry for cyber. Not everyone, of course, but the interest is palpable. This was clear at the Artemis Executive Round Table in Monte Carlo last year. The challenge now is to make that role real—a leading role, if you will. For this to happen, we have to take the abject fear out of cyber. Modelling capabilities are available. It’s possible to understand the risk. It’s a learning curve. That’s it. There’s a big difference between a learning curve and uninsurability!

Rick Welsh:

Rick Welsh joined Sciemus Cyber Limited in 2015 as Chief Executive Officer. He has over 25 years’ experience in the insurance industry and 16 years’ experience in cyber insurance, having built technology and cyber insurance practices in both Sydney and London. Prior to Sciemus, he established one of the first London cyber insurance practices at ACE Global Markets in 2000 and latterly, the global cyber practice at AEGIS in 2012.

Tom Johansmeyer:

Tom Johansmeyer is assistant vice president, PCS Strategy and Development, at ISO Claims Analytics, a division of Verisk Insurance Solutions. He leads all client- and market-facing activities at PCS, including new market entry, new solution development, and reinsurance/ILS activity. Previously, Tom held insurance industry roles at Guy Carpenter and Deloitte. He’s a veteran of the U.S. Army, where he proudly pushed paper in a personnel position in the late 1990s.

Alex Mican:

Alex Mican is product development manager, PCS, at ISO Claims Analytics, a division of Verisk Insurance Solutions. He focuses on helping PCS develop new solutions for the global specialty market – including marine and energy, cyber, and terror. Alex joined Verisk Insurance Solutions in 2014 and PCS in 2016. Originally from Romania, he came to the United States to study for his Master of Business Administration degree, which he completed at Plymouth State University in 2011.