The alternative risk transfer techniques adopted by the insurance-linked securities (ILS) market, as well as the depth of capacity that can be provided by the capital markets, are both needed to help to tackle the “Too big to insure” world of cyber risk, according to a study.
The potential size of a cyber risk catastrophe event, in terms of economic impact from damage and business interruption, could be so enormous that the traditional insurance and reinsurance market alone cannot supply the solutions or capacity to cover the risk.
A new study published by the Institute of Insurance Economics of the University St. Gallen and reinsurance firm Swiss Re looks at the topic of cyber risk insurance and asks whether cyber exposures are simply too big to insure.
A survey undertaken as part of the study helps to frame the size of the cyber risk exposure and the potential for major catastrophic losses to occur.
The survey of cyber risk experts found the belief that a widespread failure of the internet backbone, in a country, region or even globally, is thought possible within the next 10 years, with the probability of an event of this magnitude occurring estimated at nearly 43%.
A cyber catastrophe event such as this, where internet connectivity was absent for days or even weeks, could result in a crippling of economic activity for the country or region hit, as well as having wide-reaching economic ramifications for businesses around the globe.
The potential for business interruption and contingent business interruption losses would also be significant and currently the cyber risk insurance market does not have the limits available to even begin to think about covering exposures of this size.
As a result the study recommends, and advises for, the use of a wide range of risk transfer tools, structures and mechanisms, including both reinsurance and alternative risk transfer to the capital markets and ILS investors, in order to build capacity to protect against cyber risk threats.
Through the building of significant sums of risk transfer capacity, be that reinsurance or capital market backed, the general insurability of everyday cyber risks can be greatly improved, the study suggests.
Additionally data sharing is key and the study says that an industry-wide access anonymised pool of cyber risk data would help, along with the development of cyber risk insurance standards, such as cover limits, risk assessments and terminology for cyber risk and cyber insurance.
The study authors do believe that cyber risks can be largely insured, to a degree, but certain risks will require, they believe, the assistance of governments on risk pooling and transfer. Beyond governments the capital markets can play their role as providers of capacity depth.
Damage to critical infrastructure is one area where government support for cyber risk insurance and reinsurance is likely required, particularly where a lack of available data, loss experience and the potential for large cumulative exposures exists.
Again, the capital markets and ILS could be a source of retrocession for these cyber risks where government support is required, helping to make the risks more insurable, while also lowering the burden on governments and their taxpayers.
The research undertaken for the study found that an insurer that underwrites cyber risk may find issuance of a cyber ILS or catastrophe bond beneficial, as it can help them to offer larger limits to their clients, however ILS is only truly effective when larger limits are already in place as ILS investors are unlikely to have the appetite to cover smaller insured risk levels.
Similarly the research found that a traditional reinsurer could use a cyber ILS or catastrophe bond in order to augment its own capacity, so to enable it to offer larger limits to its clients more safely.
It’s clear from the report that ILS and instruments such as cat bonds have a similar role to play in cyber risk transfer as they do in property catastrophe risks.
Both reinsurance and the capital markets or ILS can help to increase the size of capacity in the cyber insurance market, the research study concludes. However in the extreme scenarios, even with the augmented capacity of ILS the risk transfer could be insufficient to deal with the potential losses.
The study even goes so far as to suggest that the government could incentivise the introduction of capital markets capacity into cyber risk, through a subsidised SPV for cyber cat bonds.
However, a market survey undertaken by the researchers shows that a back-stop, not subsidy, is the preferred solution for the cyber insurance market in its current state. The survey was undertaken by traditional re/insurance market participants, so no real surprise to see they were not particularly keen to promote the use of ILS or cat bond solutions for cyber risk re/insurance.
And finally, in order to make cyber risks more insurable the researchers recommend; “A broader use of risk transfer mechanisms especially in the reinsurance and alternative risk transfer field.”
Extreme cyber risk scenarios will require the support and depth of the capital markets, at least to augment reinsurance capacity if not to eclipse it due to the potential capacity required.
This is one area where the traditional market may be best off working with the capital markets from the off, else it may develop the capacity too slowly to provide the protection our increasingly digitalised and interconnected world requires.