A newly launched cyber risk exposure data standard could put in place the groundwork for the development of parameters and metrics to be used for future triggers for cyber risk ILS or reinsurance transactions.
Importantly, the newly launched cyber risk exposure data standard could provide industry participants with the capacity to establish the parameters for use in future triggers, providing the insurance-linked securities (ILS), and re/insurance sector with a valuable tool to help develop the cyber risk insurance markets’ capacity.
“A central and independent collector and reporter of cyber risk exposure and loss information would be a useful start, it would make data available in a structured format and give re/insurance markets and third-party investors confidence in the exposures they may take on,” Artemis published previously.
The above quote was taken from an article published by Artemis in March 2015, highlighting the potential for the capital markets to solve some of the cyber insurance and reinsurance protection gap, underlining the need for a robust, uniform method for collecting relevant exposure information and to improve the management of cyber risk accumulations.
And now, almost 12 months after we wrote that such an initiative would be a worthwhile effort, it appears that’s exactly what the industry has done, with the launch of a new cyber threat exposure data standard.
The collection of comprehensive and structured exposure data in a standardized manner provides greater transparency for cyber risks, and could see re/insurers and ILS players begin to develop triggers for future cyber risk transactions, whether this be catastrophe bonds, a derivative structure like an industry loss warranty (ILW) or more traditional reinsurance contracts.
A framework for capturing the wealth of cyber exposure information that’s currently out there in a uniform manner, offers insurers, reinsurers, and ILS funds the chance to start thinking about the possible parameters that could be used for such triggers, ultimately assisting the development of adequate cyber attack insurance products.
Of course the collection of exposure data in standard format also helps the industry to better understand aggregations and accumulation risks, allowing insurers to underwrite more sustainably and providing reinsurers and risk capital providers with the ability to understand where their capacity can be best used.
An industry-wide data standard for cyber exposures also enables the establishment of improved cyber risk models, something that a lack of historical data and the inherent complexity of collecting and analysing cyber attack data, and uncertainty over the scale of exposures, has limited in the past.
The newly launched cyber venture should reduce confusion and increase transparency, by highlighting the key reporting elements companies should keep track of when a cyber attack occurs.
Furthermore, the establishment of parameters at an early stage means they can be incorporated into any existing, or future cyber risk models, which in turn should help to create a consistent cyber insurance value chain, from the initial collection of the exposure data, through the model, to the end solution.
Developed parameters could also pave the way for the ILS sector to have a meaningful influence on the cyber risk market in future, which could include the use of parametric structured cyber catastrophe bonds, for example.
Similarly, an industry loss warranty (ILW) product could also be used to transfer cyber risk to capital markets and ILS investors. It’s important to stress, however, that in order for ILS structures, insurance, and reinsurance products to properly tackle the issue, an index or accurate metrics are vital in parameterising and better understanding the exposures, something this recently launched venture could provide.
And it’s likely that the ILS sector, insurance, reinsurance, and public sector entities will all be required to establish a cyber market big enough to cover the potential costs, which appear to be growing year-by-year. The potential for massive economic losses from a major cyber attack will require huge amounts of re/insurance capacity, hence the capital markets seem a likely provider.
The new cyber risk exposure data standard is a result of a concerted effort by a range of risk transfer industry players, including collaboration between Verisk Analytics’ risk modelling firm AIR Worldwide and RMS, and with assistance from the Centre for Risk Studies at Cambridge University.
Other supporters of the new scheme include the Lloyd’s of London market, Amlin, Aon Benfield, AXIS Capital, Barbican Insurance Group, Canopius Managing Agents, RenRe, Talbot Underwriting, and XL Catlin.
Senior Vice President of RMS, Andrew Coburn, said; “Having a standardized way to capture cyber insurance exposures will provide a much-needed framework for the market to grow its cyber capacity safely.”
Cyber attacks are a growing concern across the insurance, reinsurance, ILS, and wider risk transfer sector, as the increased digitalisation and interconnectedness of businesses and economies means the potential impact, and resulting costs of a cyber attack are significant, and growing. It’s also a growing concern for re/insurance players as increasing numbers of contracts have bundled some cyber coverage with them in the last few years of softening.
“The cyber insurance industry is showing real innovation and demonstrates the ability of insurers to develop policies to cover modern, complex risks. Due to the growing importance of this risk class, quality standardised exposure data is critical for increased levels of insurance coverage and better risk modelling,” said Lloyd’s Director of Performance Management, Tom Bolt.
For traditional reinsurance entities and primary insurers cyber is seen as an attractive, if not risky, business line, as the growing cyber insurance protection gap provides opportunities to access a new risk in a diversifying geography, especially at times of stiff competition and with mounting pressure on rates.
Furthermore, cyber is already finding its way into certain reinsurance contracts, as it’s been an included peril within other agreements.
This can be a dangerous game to play however, and is something that is perhaps more prominent at challenging operating times when terms and conditions relax and prices soften. While you may be getting greater coverage for your money, the market’s inability currently to adequately price cyber risks, owing to a lack of modelling capabilities, means that any cyber coverage currently included in reinsurance agreements, could well result in overexposure or a lack of coverage, if a major event occurred.
The new cyber exposure data standard is certainly a step in the right direction, as it should lead to a greater, industry-wide understanding of cyber risks and the potential costs. The more data that is collected and analysed in a uniform method, especially if it is collected with the eventual use in risk transfer kept front of mind, should enable the establishment of parameters that can be used in cyber models, and ultimately in the structure of ILS, reinsurance, and insurance cyber solutions.