In an interview with Artemis, DeNexus, a specialist provider of cyber risk quantification software for large industrial and critical infrastructure corporates, argues that a more granular approach to assessing cyber risk is needed to remove some of the guesswork, which in turn will make investors more comfortable allocating capital.
“With the growth of digitalization, risk professionals are opining on how to manage cyber risk in general and, more specifically, how to cope with a cyber catastrophe event,” said Jose Seara, Founder and Chief Executive Officer (CEO) of DeNexus.
“Within the risk transfer community, the dialogue seems concentrated around the need for capacity building in the same way as seen in other catastrophe risks; namely, involvement of the reinsurers and insurance-linked security (ILS) investors supporting the cyber insurers.”
Even prior to the launch of the market’s first cyber ILS bond, the potential and need for capital markets investors to play a larger role in the cyber risk transfer space had been a hot topic for some time.
The cyber insurance market continues to expand, although demand for cover has outpaced the availability of risk capital, which has hindered this growth in recent times and fuelled discussions around the need for more capital, including from the ILS space, to support expansion.
“Discussions have focused on the need to develop a cyber ILS product in much the same way as that for natural catastrophes (NatCat). ILS investors understand the nuances of NatCat risk but have shown reticence on cyber ILS that has prompted debate on how they are analyzing the risk.
“As an example, there have been arguments made that ILS investors are not placing enough emphasis on the interconnectivity with loss mitigation and prevention and more than necessary emphasis on the potential for loss itself. Certainly, there are differences between NatCat and cyber in this respect. However, we would argue the solution to enable the engagement of ILS investors is more granular and structural than generally perceived,” said Seara.
Absent that, he continued, writing cyber risk “will remain guesswork, and investors can’t be asked to deploy their capital based on this.”
Seara went on to explain that, fortunately, the solution has been in the works for numerous years, and while there’s still more work to be done, much has already been solved.
Expanding on this, Jeffrey Sirr, Senior Advisor of Insurance, DeNexus, told Artemis that the main factors in the solution are dependency, data, quantification, contextualisation / influences, and predictability and visibility.
On the first point, Sirr explained that “The effectiveness, resilience, and potency of any risk transfer market is based on a building block infrastructure whereby each level of protection has a dependency on the work of those situated closer to the original risk.
“Based on this, it is important to appreciate the positioning of the ILS market and how far it is removed from the original risk insured. Where property insurance has a rich history and dataset for ILS investors to call upon for NatCat ILS, cyber does not. This translates to an increased dependency on the insurance markets to ensure the original insured’s cyber risk management capabilities are of an acceptable standard. Therefore, there is a need to demonstrate to the ILS market that the original risk has been assessed appropriately to instil enough confidence to apply its capital.”
Discussing data, Sirr explained that the challenge is determining what data is meaningful when you have a dynamic risk impacted by both external factors and the insured’s internal factors.
“The data being presented to the risk transfer market has so far been heavily weighted towards what is termed ‘outside-in’ data, information mainly gleaned from outside the insured’s network. The outside-in data is supplemented with static questionnaires that become lengthier each year,” said Sirr. “While this data is relevant in the overall assessment of cyber risk, it still leaves a significant void in understanding what is a dynamic risk that can only be filled by information regularly drawn from within the insured’s network – the so-called ‘inside-out’ data.
“Furthermore, industrial risks have internal aggregation exposures in addition to the aggregation between insureds. Modelling this internal aggregation requires a bottom-up approach only feasible if there is access to the inside-out data.”
According to Seara, this inside-out data provides the visibility of the individual risk being insured by the insurer and, “if collected automatically, continuously and in real time, the permutation of this dynamic risk will be observable.”
“ILS markets need to understand that all this data is utilized in the same way they believe property risks are comprehensively assessed with both inside (e.g., sprinklers, firewalls) and outside (e.g., flood zones) data – by risk owners, their Managed Security Service Providers (MSSP) and Security Operations Centers (SOC), and Second Generation Cyber Risk Quantification and Management (CRQM) platforms that deliver high quality evidence-based risk-data,” he added.
Quantification is also one of the main factors in the solution and, as with any risk, explained Seara, is the essence of a risk assumer’s modelling of price and portfolio management, amongst other things.
“While a quality score on an insured’s cyber defence is useful, ILS markets would have greater confidence in knowing the probability of loss impact with quantitative results and how these numbers may be changing during the duration of the ILS.
“It enhances insurers and reinsurers by strengthening confidence in the underwriting of cyber risks from the standpoint of their various stakeholders and fortifies the building block market infrastructure,” he said.
Contextualisation, which relates to factors such as the industry and geography within which the risk resides, is also important to understanding the risk factors. When it comes to NatCat and cyber, explained Sirr, arguments have been made around the anthropogenic or human peril, with cyber being more influenced by this than NatCat.
“On the surface, this is true, although arguments can be made that NatCat has anthropogenic influences such as regulatory and political and may give the impression that almost all cyber threats and incentives to attack can be deduced with greater precision than NatCat. However, there is a greater layer of depth required in that one needs to assess the influences on both the peril and its impact,” said Sirr.
Ultimately, he feels that the complexity and relative newness of cyber risk requires deeper assessment and education to enhance ILS market confidence to participate.
On predictability and visibility, Sirr stressed that “meaningful data, quantification and contextualization will determine the predictability of risk and probability of loss. Both are determined at the foundation building block levels of the risk transfer infrastructure (i.e., the insured and insurer levels) and dependency on them permeates throughout the infrastructure.”
“For ILS investors,” he added, “this is where confidence in the successful and profitable underwriting of cyber risks is gained.”
Expanding on the visibility angle, Sirr noted how visibility on cyber events as they happen also comes from the combination of outside-in and inside-out data, and that visibility is further required for post-event learnings to maintain the confidence level of ILS markets, which reiterates the significance of the inside-out data.
“Regardless of whether ILS markets are not fully appreciating the differences between NatCat and cyber, a demonstration that the original risk is being assessed with appropriate granularity is essential for confidence in capital application and price for required returns. Otherwise, there is still too large an element of guesswork, which would actually impact the whole risk value chain and not just the ILS investors’ appetite.
“Evidence-based data-driven Second Generation Cyber Risk Quantification platforms will eliminate the guesswork, and empower ILS investors to pilot cyber-ILS instruments and deploy capital,” concluded Seara.