Stop waiting for a cyber cat bond: Johansmeyer & Welsh

It’s time to stop waiting for a cyber catastrophe bond to magically appear in the ILS market and work to make this happen, according to Tom Johansmeyer, Assistant Vice President, PCS Strategy & Development at ISO and Rick Welsh, Chief Executive Officer (CEO) of Sciemus.

The pair believe that cyber risk modelling techniques and our understanding of catastrophe level cyber risk exposure is now at a place where the insurance-linked securities (ILS) market can become the next major risk capacity provider.

Johansmeyer and Welsh discuss where the perception of cyber risk is today in the re/insurance and ILS market and what the opportunity is, in this contributed article.

Stop Waiting for a Cyber Cat Bond

We’ve all heard it. We’ve probably said it a few times, too. The global insurance and reinsurance industry faces a number of significant challenges that have led to a protracted soft market. And even though you’re utterly familiar with the underlying drivers—heard and spoken of so often—let’s take a moment to review them:

• Rates remain under pressure for ‘traditional cyber’ given the influx of new and unsophisticated capacity. The best one can hope for right now is a slowing of price declines.
• Part of the reason for this is the influx of new capacity and (still) the abundance of yet more capacity sitting on the sidelines. If global pension funds have a target allocation of up to 3 per cent to insurance risk, as much as US$1 trillion in dry powder could be waiting to enter the space.
• ILS investors saw property-catastrophe risk as a first stop in their foray into insurance risk—not a destination. And despite some one-off transactions (like Operational Re), the market hasn’t gone far enough in its efforts to address broader investor appetite for risk.
• Mature market property-catastrophe risk alone can drive only diminishing ILS market growth over time. More original risk is necessary, with the caveat that it can be modelled effectively.

We all know what the market needs: more and diversified original risk. And it’s clear the market would accept new and interesting ways to deploy capital, but someone needs to bring those opportunities to market. That isn’t easy. It’s taken 20 years to get to where we are with property catastrophe, largely believed to be ‘easier’ for investors to consume than casualty and specialty risks.

And cyber? Is that really the hardest of them all?

Well, the market seems to believe it’s caught between a hypothetical willingness to assume the risk and legitimate concerns over a perceived inability to understand it. That sets some fairly high barriers to entry, to say the least. Of course, the challenges here are ‘perceived’. Perhaps, with the right capabilities, original risks such as cyber may be easier to assume than many expect. The technology, modelling capability, and data exist; the impediment is the required methodology that few understand and/or accept.

The global reinsurance and insurance-linked securities (ILS) market is evolving, and it seems as though the time and proper conditions for action are upon us. Are you waiting for a cyber catastrophe bond? Stop. Let’s do something about it—rather than waiting—and bring enough original risk to market to make at least a dent in the global capacity overhang.

How hard is cyber?

There’s plenty to suggest that the global insurance and reinsurance industry finds cyber risk a tough nut to crack. Currently, the lines being offered in this class of business are fairly small—but they’re growing. Some of the exclusions in place severely restrict the protection being offered to original insureds and cedants, leaving significant gaps in cover that make retention the only alternative for some of the most vexing threats that risk managers face. A truly powerful solution for cyber would involve wide-ranging, well-modelled covers that draw efficiently on capital markets’ capacity to provide reliability, scale, and global growth up and down the risk and capital supply chain.

The cyber market is attracting capacity, allowing insurers to write more business and cede the more nebulous coverages to the treaty reinsurance markets. While that approach has been sufficient for what historically has been a small sector, it won’t support cyber as lines grow further—to increasingly meaningful sizes.

If cyber insurance and reinsurance are to realise their potential, risk and capital management will have to consist of more than taking high rates on line (ROLs) for small amounts you can afford to lose. We need a global, comprehensive solution that makes a real difference in managing the vast exposures that risk managers face.

To remedy the current state of affairs, we need to start by improving the industry’s understanding of primary cyber risks. With better and more relevant analytical capabilities, two possibilities emerge. First, cyber can evolve from a class of business in which insurers and reinsurers are ‘feeling their way’ to one that has the definitive and determinate triggers of the property-catastrophe class. Also, it opens the door to the ILS community. In addition to being able to marshal significant capacity, the ILS market could demonstrate how to provide effective cover, which would help the rest of the risk-transfer market engage and then evolve. However, the prevailing question in the market is whether that’s possible—and if insurers and reinsurers should even cover the risk at all beyond their current involvement.

Should we lean on governments?

A tangential concern at the end of the last century, technology and cyber risks are now central to enterprise risk management (ERM) considerations for nearly all commercial original insureds, insurers, and reinsurers. Cyber exposures are already massive, and they likely will continue to grow—driven by technology innovation and increased adoption and integration into the operations of original insureds. Technology itself appears to be increasing the convergence of cyber risks on the original insured, leaving many to question whether ERM efforts are keeping pace.

There’s clearly a cyber protection gap. Original insureds are retaining most of their cyber risk—whether they realise it or not. In fact, much of the exposure that original insureds face may be both vast and seemingly difficult to quantify. The Target breach is instructive here. For that event alone, insurance recoveries were well below 50 per cent of economic losses—and that’s just for one type of event. Other cyber exposures could result in more significant losses, with economic implications continuing long after existing cover has been exhausted. It’s for this reason we also have to question whether primary insurers understand the cross-class cyber exposures they’re assuming—willingly, knowingly, or otherwise.

Since the insurance industry exists to provide a risk-transfer alternative to protection (versus through shareholder funds), it’s safe to say that our industry should come up with a wide range of client-driven solutions to address the need. It not only meets the industry’s social purpose, it also provides an important opportunity for profitable growth and shareholder value creation.

Can we arrive at a truly sufficient understanding of the underlying risk? And have insurers developed the necessary cyber underwriting taxonomy to allow broader growth through diversified sources of capital?

So far, the answer has been ‘no’ for some—well, ‘not enough to write more than we are now’. However, as a first step, many players in the industry grasp that cyber risk needs to be understood before they can accurately measure aggregation. And from there, there’s a subset of the market that certainly does understand the underlying risks and their attendant events well. Further efforts to deliver robust analytics are in progress across the industry, with pockets of innovation showing salient potential to scale as adoption grows. Within this context, risk and capital management—from retention to retro—should become easier, particularly with the involvement of the ILS community and the use of parametric or hybrid triggers (with a parametric component). As a result, this should lead to more risk being written while reducing reliance on stop-loss covers, a warning regulators and rating agencies have been signalling.

The size of the cyber insurance market, though, indicates the current state of play. It remains much smaller than its realistic potential—a situation that naturally leads many to discuss alternatives to commercial solutions, such as government-established (or government-managed) pools.

Whilst pools and other government-related facilities can serve important roles in some classes of business that have lost insurance market support at some point (such as terror or heavily catastrophe-exposed property), the reality is that the collection of approaches for which a government-initiated solution makes the most sense is quite narrow. Even in classes of business where such endeavours have been helpful, they’re best perceived as temporary measures, protecting citizens whilst the commercial market explores new ways to assume the risk. And in fact, they’re successful when the commercial market returns and captures market share from the government-initiated solution.

Let’s take a look at the terror market, following the terror attacks of 11 September 2001. The commercial insurance industry collectively saw the event as a market-changing loss that was perceived to make terror of a certain magnitude so difficult to write that it basically seemed impossible. And the government was expected to assume the risk. As mentioned earlier, time and fresh thinking have brought commercial solutions back to the market.

And then there’s Florida hurricane risk. The number of Florida start-ups focused on taking business previously covered by a government-managed solution—because nobody else would—shows the potential for a commercial solution to provide relief to taxpayers as insurers find ways to write business previously considered challenging to impossible. The government-based solution is, in this scenario, part temporary and part permanent. Some risks can be carved out by private insurers developing innovative solutions, while some may remain in the government facility.

In some regions, there’s talk of government solutions being used to cover cyber risk, although without a market-changing loss occurring (like Hurricane Andrew or the 2001 terror attacks). However, exposures are high, and, as with terror, there’s very little in the way of loss history. Conventional thinking would lead to the conclusion that there isn’t enough data to support effective cyber risk modelling. This is the sort of scenario that can lead to a request for government engagement.

And this is a dangerous assumption to make.

To rush a government solution, for that reason, would be to sacrifice a profound commercial opportunity—of the sort that could contribute meaningfully to higher returns on equity. And it could also cost insureds quality and effectiveness of protection. Plenty of relevant data does exist and could support disciplined risk-modelling activity. And it’s private industry—not government entities—that has the expertise to put it to work.

Government mechanisms for citizen protection and risk transfer are clearly crucial, particularly during certain market cycles and for certain types of risk. However, they should be reserved for cases where the commercial market patently refuses to enter or has tried and withdrawn. And even then, it is best when such mechanisms are eyed as temporary measures, allowing time for insurance innovation to take root and develop a commercially viable solution.

Which takes us back to cyber…

Barriers and opportunities

Cyber is an intimidating class of business, for a number of great reasons. First, the ‘big one’ hasn’t happened yet. We’re still waiting to see what a ‘Cyber Andrew’ would look like, as far as a large insured loss on an industrywide basis is concerned. Thus, for the insurance industry, we have no idea how bad ‘bad’ can be, except to imagine ‘doomsday’ scenarios. If a Fortune 500 manufacturer’s supply chain were to be halted for 72 hours, the implications for shareholder value could be astounding—and not just for the company directly affected. Global, interconnected relationships could result in a cyber catastrophe in which any insurance recovery would seem like a drop in the bucket compared to economic losses.

However, some of this may be an issue of misunderstood risk rather than insurability. In fact, while the overall exposure may seem uninsurable, a better understanding of the risk (in progress), coupled with new sources of capital and coverage triggers, could help marshal and more efficiently disperse capacity from the ILS community and bring the volumes necessary for original insureds to secure the protection they need. With predictable, discrete triggers that are easy to understand and settle, the potential for capacity to enter the cyber insurance and reinsurance market increases profoundly.

Once coverage is in place, additional issues can arise, such as whether a claim could be settled in time to protect the viability of the original commercial insured. Complex claims take time to handle, and in a Cyber Andrew event, the recovery could be seen as just another asset to be fought over in the windup of the original insured. Cyber cover that doesn’t contemplate the original insured’s cash flows may satisfy a line item on a risk management checklist, but it likely won’t provide relevant protection when a truly extreme remote event occurs.

Complicating a large, scalable entry into cyber is the fact that understanding the loss history in conventional insurance terms (the way you’d look at property catastrophe, for example) isn’t possible and requires a view beyond the insured loss itself. Take a look again at the Target breach, for example. According to the company’s financial statements, its insurance recovery was $90 million (on a $236 million economic loss). To give you a sense of this, one of the most significant cyber events of the past few years wouldn’t even have qualified to be resurveyed under the PCS® property-catastrophe loss aggregation methodology. Research conducted jointly by PCS and Sciemus found only two cyber incidents in the past five years have resulted in insured losses of around US$100 million or more, although recent event losses could still be developing.

It’s hard to blame insurers and reinsurers for assuming only what they can lose in total without adversely affecting shareholders. Of course, while the logic in this statement is utterly flawless, it also virtually guarantees that we’ll never make progress in a market where shareholders are currently stuck carrying the risk burden. That’s not what the insurance industry is here for.

Unlike the terror and natural catastrophe examples above, with terror, there’s really no need to rush to the arms of the taxpayer. In today’s market—characterised by suffocating overcapacity—reinsurers are increasingly seeking new revenue from uncorrelated risks. However, unlike some cedants, they may not yet understand the interdependencies around business and technology, as well as the correlation risk unseen in portfolio underwriting. With increased regulatory scrutiny, simplification homogeneity will test capital returns and corporate governance.

With this in mind, it’s time to ask, To what extent are cyber attacks covered across multiple insurance lines? ‘Silent cyber’ remains a significant concern for insurers and reinsurers—namely, the risk that a cyber event will trigger a non-cyber policy based on loose or nonexistent policy wordings. Some of the cyber disaster gap may be addressed by the silent cyber dynamic, but it would merely push the exposure up the capital supply chain, because realistically, when there’s an event, someone always winds up bearing the loss. A disciplined approach to cyber risk coverage would reduce the likelihood of a silent cyber loss, bringing more certainty and predictability to cyber risk from the original insured through the retrocessional markets.

In working with specialist ILS funds, specialist primary cedants such as Sciemus understand that connectivity, technology interdependencies, threat intelligence, vulnerability assessment, and commonality nodes across industry must all combine to affect a trade-off between model complexity and computational efficiency that may not presently exist in the property-catastrophe market. Triggers need to be determinate — with risks modelled by event and correlation, not just aggregation. Primary insurers must address this wider context, fusing and deploying appropriate underwriting expertise, data science, and cybersecurity. In this way, companies such as Sciemus must truly understand contagion to simulate, for example, what may cause the liquidation of a major hardware supplier, determine the potential capability of a cyber attack against the U.S. electric grid, or complete the technical analysis of the recent Dyn DDoS attack and ascertain the probability of the next attack wreaking more damage.

Moving forward

It’s time to take control of your risk. Realistically, rather than wait for a cyber catastrophe bond to happen, we need to work together as an industry to bring one to market—and not because of the novelty of the solution. As our collective understanding of cyber risk continues to improve, the need for capacity should increase sharply, potentially revealing limitations within the existing global insurance and reinsurance structure. The ILS market is positioned to provide crucial support to risk bearers of all types in the cyber market, ultimately bringing capacity to help both primary insurers and reinsurers write more business and generate the financial results their shareholders seek.

The cyber disaster gap is much different from the one that exists in lines of business like property catastrophe. The latter is more mature and has reached a barrier where a greater investment in innovation is necessary to achieve incremental results. Cyber, on the other hand, is in its infancy. The ability to understand the risk has evolved to the point where scalable growth can be supported. Now, we’re ready for the next step: action. The first cyber catastrophe bond should be right around the corner!

Tom Johansmeyer:

Tom Johansmeyer is assistant vice president, PCS Strategy and Development, at ISO Claims Analytics, a division of Verisk Insurance Solutions. He leads all client- and market-facing activities at PCS, including new market entry, new solution development, and reinsurance/ILS activity. Currently, Tom is spearheading initiatives in global terror, global energy and marine, and regional property-catastrophe loss aggregation. Previously, Tom held insurance industry roles at Guy Carpenter (where he launched the first corporate blog in the reinsurance sector) and Deloitte. He’s a veteran of the U.S. Army, where he proudly pushed paper in a personnel position in the late 1990s.

Rick Welsh:

Rick Welsh joined Sciemus Cyber Limited in 2015 as Chief Executive Officer. He has over 25 years experience in the insurance industry and 16 years’ experience in cyber insurance, having built technology and cyber insurance practices in both Sydney and London. Prior to Sciemus, he established one of the first London cyber insurance practices at ACE Global Markets in 2000 and latterly, the global cyber practice at AEGIS in 2012.

Johansmeyer (left) and Welsh (right) on arriving in Monte Carlo after the Tokio Millenium Re cycle ride