Lately the press is awash with stories about cyber risk, cyber insurance and the threat posed to companies by hackers, malware and exploits. The need for cyber insurance and reinsurance protection is clear, but with some suggesting $1 billion policies are required, would the capacity be available?
The Financial Times reported that insurance industry experts suggest that companies may need cyber insurance policies providing coverage of up to $1 billion, a number that while high is actually very understandable for large, global companies with significant quantities of proprietary, customer and sensitive data or with electronic access to cash that could be compromised.
Losing your customer database along with sensitive financial details, losing your intellectual property, finding you cannot access core systems, or finding that the software your corporation runs on has been completely wiped: all of these are risks that big business is terrified of, and the potential costs and resulting liabilities are high.
However, that FT article suggests that currently you cannot buy cyber insurance policies that provide any more than $500m of cover and in fact it is more common to see a maximum of $300m or lower of capacity available per policy.
The potential costs are high: imagine you lost a million customers’ credit card details, and consider the costs needed to respond to the issues and the potential liabilities associated with that. Set against this, the size of these cyber risk insurance policies is clearly not sufficient for the largest companies in the world.
“The costs are becoming so great that we really need $1bn policies in light of the threats we are facing,” Ben Beeson, a partner at insurance brokerage Lockton, is quoted as saying.
Stephen Catlin, CEO of insurance and reinsurance firm Catlin Group, said recently that cyber risks are too big for the insurance industry and that government support may be required to step in and provide the financial backstop that companies need. In fact Catlin said that cyber was the biggest systemic risk he had witnessed in his long insurance and reinsurance industry career.
Catlin said that insurers’ balance sheets aren’t large enough to support the magnitude of claims that could result from serious cyber attacks, so government funds would be required. The key is in transferring the risks, by whatever mechanism is the most efficient and cost-effective, and perhaps in this case the insurance industry is just not cost-effective enough for the peak cyber exposures.
This is where the reinsurance market arrived with respect to catastrophe risks in the 1990s, finding that it was desirable to tap the capital markets and institutional investor financing for the most impactful risks. Perhaps a similar approach could be taken to provide peak cyber risk transfer and protection, in order to boost the amounts of capacity available?
Naturally this is where you’d expect Artemis to suggest the catastrophe bond as one possible avenue of exploration. We do know of people in the reinsurance market already making tentative enquiries as to how cyber risks could be securitised to be transferred to capital market investors. There’s definitely a recognition that the exposures are so high that the traditional reinsurance market alone may not be able to carry them.
A cyber risk catastrophe bond could be structured on an indemnity basis or using an industry loss trigger approach, but the problem is the upfront modelling of the probabilities and expected loss, as cyber risk exposures have so many moving parts and the potential to be so volatile.
The lack of available historical loss data remains an issue, with sources of cyber breach information small in number and the real impacts behind each recorded breach often shrouded in mystery, as companies often don’t want the bad PR associated with full disclosure of a breach.
Perhaps a parametric solution could be designed? Distributed denial of service (DDoS) attacks, where your network or computer systems are jammed by huge volumes of inbound traffic and data, could perhaps be a risk that a parametric trigger could be constructed for. A trigger based on inbound data volume and how long it persists could be a simple way to approximate the impact of a DDoS attack.
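The trigger described above, evaluated over a traffic time series, as an added example that is not from the original article: every threshold, duration and limit in `TriggerTerms` is a hypothetical assumption, and the samples are constructed. It pays linearly between an attachment and an exhaustion duration, and bridges short dips so that a brief lull or a missing reading does not reset the event.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TriggerTerms:
    # All terms are hypothetical, chosen only to illustrate the mechanism.
    threshold_gbps: float = 40.0  # inbound rate that counts as attack volume
    attach_minutes: int = 30      # sustained minutes before any payout
    exhaust_minutes: int = 240    # sustained minutes at which the limit is paid in full
    grace_minutes: int = 2        # short dips tolerated inside one event
    limit_usd: int = 10_000_000

def longest_event(samples, terms):
    """Longest run, in minutes, of per-minute samples at or above the threshold.
    Dips of up to grace_minutes are bridged and counted; None (a missing
    reading) is treated as a dip."""
    best = run = dip = 0
    for gbps in samples:
        if gbps is not None and gbps >= terms.threshold_gbps:
            run += dip + 1 if run else 1  # bridged dip minutes join the event
            dip = 0
        elif run and dip < terms.grace_minutes:
            dip += 1                      # tolerate a short lull, do not count it yet
        else:
            run = dip = 0                 # lull too long (or no event open): reset
        best = max(best, run)
    return best

def payout(samples, terms):
    """Linear payout between the attachment and exhaustion durations."""
    minutes = longest_event(samples, terms)
    if minutes < terms.attach_minutes:
        return 0
    span = terms.exhaust_minutes - terms.attach_minutes
    fraction = min(1.0, (minutes - terms.attach_minutes) / span)
    return round(terms.limit_usd * fraction)

# Constructed per-minute inbound readings in Gbps, not real measurements.
QUIET = [3.0] * 60
SHORT_SPIKE = [3.0] * 10 + [55.0] * 12 + [3.0] * 10
SUSTAINED = [3.0] * 5 + [60.0] * 70 + [12.0, None] + [58.0] * 63 + [3.0] * 5

if __name__ == "__main__":
    terms = TriggerTerms()
    for name, series in [("quiet", QUIET), ("short spike", SHORT_SPIKE),
                         ("sustained", SUSTAINED)]:
        print(f"{name}: {longest_event(series, terms)} min, payout ${payout(series, terms):,}")
```

The outcome depends entirely on who measures the traffic and at what point in the network, which the contract would have to fix in advance.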
Could capital market investors ever be made comfortable with a view of cyber risk in order to allocate capital to cyber risk cat bonds? It’s possible, as the risk models and historical data are augmented over time.
One thing is certain: opportunity. Demand for cyber risk insurance is set to be extremely high as corporations increasingly learn how they are exposed and how attacks could affect their core business and supply chains.
Cyber risk cat bonds could be sold to corporates directly as well, meaning the opportunity for capacity providers could be even higher, in the same way that’s being proven with natural catastrophe bonds. A billion dollars of capacity per policy might be a bit hopeful, but capital markets backed cyber risk solutions could provide a useful layer of additional protection for the peak cyber exposure, if the modelling can gain the necessary level of trust.
Or maybe other capital market solutions could be looked at, such as a sidecar that could be used to pool risks for corporates, or funded captive type vehicles allowing the capital markets to take on the peak cyber exposures.
Maybe Lloyd’s of London could set up a syndicate that accepts capacity from many members and investors, provide the best cyber underwriting talent in the world and get the market focused on London? Again possible, but likely hindered by the modelling and the inherent uncertainty (in fact the clear unknowns) in cyber exposures for the moment.
Which brings us on to contingent capital as another potential solution to finance cyber risks. Given the way these transactions are structured, providing just-in-time capital to corporates at the time they need it, based on pre-defined trigger factors or conditions being met, a cyber risk contingent capital facility could do the necessary job of making capital available when the worst happens.
The reason that contingent capital could be an answer is the way these transactions provide their protection. They do not have to be fully-funded or collateralized in the same way as a catastrophe bond, meaning that investors can buy into the deals but only have to outlay the full capital when they are triggered.
It’s easy to see how the capital markets, securitisation and insurance-linked securities (ILS) structures could be put to work in cyber risk, but the issues around data and the ability to accurately price these exposures remain a problem.
Beeson hits on this key issue when quoted: “The question is how do we get there and price risk, especially when the risks are changing every day.”
Pricing cyber risk is notoriously difficult. It’s possible to estimate the potential financial loss impacts of specific scenarios, but how do you accurately estimate the likelihood of this happening, when hackers are breaking new systems on a daily basis and the threat profile is constantly being adjusted?
Models can approximate exposures based on data inputs about the corporation that is seeking coverage, but how do you price reinsurance capacity that covers multiple insureds? With so many moving parts involved that could increase the risk of a cyber attack, pricing cyber reinsurance seems even more difficult.
A central and independent collector and reporter of cyber risk exposure and loss information would be a useful start; it would make data available in a structured format and give re/insurance markets and third-party investors confidence in the exposures they may take on.
A report published today by broker Marsh in conjunction with the UK government looks at cyber risk and finds that an estimated 81% of large UK businesses and 60% of small companies suffered some kind of cyber security breach in the last year.
The UK government is keen to establish London as a global centre for cyber risk management, which could result in initiatives to collect data more thoroughly and to make it available in forms that are useful to insurance and reinsurance underwriters and risk modellers.
The report highlights the issue of supply chain risk in cyber exposures: when a company’s suppliers come under attack or suffer a breach, it can impact many of their customers. That suggests a contingent business interruption product focused on cyber risk is required, again something whose impacts a parametric structure is often better able to approximate than an indemnity structure.
Cyber attacks are estimated to cost the UK economy billions of pounds each year, with the cost of cyber attacks nearly doubling between 2013 and 2014, according to the report. The report concludes that the risks associated with cyber attacks are not nearly well enough defined within the insurance industry and suggests that there is much work to do.
Francis Maude, Minister for the Cabinet Office and Paymaster General in the UK government, commented: “It is part of this Government’s long-term economic plan to make the UK one of the safest places in the world to do business online. The UK’s insurance market is world renowned and we want it to be the same in relation to cyber risks. The market has extensive knowledge and experience of more established risks to help businesses manage and mitigate relatively new cyber risks.
“Insurance is not a substitute for good cyber security but is an important addition to a company’s overall risk management. Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats.”
Mark Weil, CEO of Marsh UK & Ireland, added: “While critical infrastructure in regulated sectors, such as banks and utility firms, are used to this kind of risk, most firms are not and their risk management practices are geared around lower-level, slower moving risks. Companies will need to upgrade their risk management substantially to cope with the growing threat of cyber attack, including introducing disciplines such as stress-testing, and creating a joined-up recovery plan that brings together financial, operational, and reputational responses.”
Will this government-backed initiative position the UK as a leading cyber insurance hub, and will the insurance and reinsurance industry be able to provide the necessary capacity to back it?
If policy limits of $1 billion and upwards are required, while currently insurers seem to be pulling back on offering large limits, it seems other sources of capital may be required to augment the available insurance capacity.
That would suggest that insurers and reinsurers should work with the capital markets to bring much larger limits to bear, making the coverage required easier to get hold of and the risks more broadly distributed among counterparties and capital providers.
Fitch Ratings discussed the lack of cyber reinsurance capacity in a recent report, saying that many policies continue to exclude cyber risks. However, cyber risks have become more prevalent in global reinsurance circles as some underwriters have begun to include coverage as a way to attract more business in the challenging market.
This expansion of terms and conditions to include cyber catastrophe coverage, alongside property covers for example, is seen as an accident waiting to happen by many. Questions abound as to whether the reinsurers bundling cyber with renewals have any idea of the exposure they have taken on.
Fitch also highlights the risks of aggregation from cyber exposures, making it a difficult risk to diversify within a reinsurance portfolio. Cyber exposures can spread and have knock-on effects that are very difficult to predict. The interconnected nature of networks, as well as the network effect of cyber culture, can make the exposures multiply significantly.
Fitch has hopes that cyber will become more widely underwritten in reinsurance markets: “Fitch believes that insurance companies’ increasing knowledge about aggregations and overall exposures to cyber risks will give reinsurers more comfort in writing this business. Increasing demand coupled with difficult market conditions in most reinsurance lines could also make cyber risk an attractive line to write.”
Gradually, capacity for risks like cyber will grow, and given the extent of the exposure it stands to reason that third-party capital providers will ultimately participate in this market as well. Competition in the cyber reinsurance market could be fierce, as the pricing will likely be attractive and it could provide a welcome source of new premiums for incumbents suffering from declining pricing in catastrophe markets.
There’s no easy answer to exposures as complex as cyber risk. The re/insurance industry still needs more knowledge and understanding of cyber risks, and it lacks both data on historical events and risk transfer capacity. These issues need addressing before we will see a fully functioning cyber risk insurance market emerge, let alone a functioning cyber reinsurance, or cyber capital markets (ILS & cat bond), option.