A lack of historical and contextual data continues to hinder the entry of the insurance-linked securities (ILS) market into the cyber re/insurance space, and with ‘silent’ cyber exposures adding further uncertainty, it might be easiest for the ILS sector to focus on affirmative cyber, at least to begin with.
This is according to Co-Head of Property Claim Services (PCS), Tom Johansmeyer, who recently spoke with Artemis about the ongoing and developing NotPetya cyber-attack and the potential for ILS to participate in the expanding cyber risk market.
With an economic impact of at least $10 billion, according to the White House, and insured losses of at least $3 billion, according to PCS, the NotPetya cyber catastrophe event remained mostly a property event for the first two years of development.
However, The D&O Diary has revealed that a shareholder class action lawsuit has arisen from the impact of NotPetya on FedEx subsidiary, TNT Express. It took two years for this to develop, and according to Johansmeyer, has the potential to increase the insured loss by as much as 30%.
The evolution of the NotPetya event highlights the inherent complexity of understanding and analysing cyber risk. For the ILS space, which is very used to property catastrophe business which is well modelled and well understood, the uncertainty surrounding cyber catastrophe events has made it a difficult market to enter.
“For ILS funds, part of the challenge of entering cyber re/insurance has been understanding what a cyber catastrophe could look like, given that there hasn’t been much history to evaluate. There’s been a belief that cyber catastrophes would have long tails, particularly as a result of professional lines claims that could take years to sort out.
“This, in addition to the general risk of interrelated losses hitting a balance sheet at the same time, has made it hard for capacity providers to allocate to cyber, which in turn has constrained the sector’s growth,” said Johansmeyer.
Insurers, reinsurers, and ILS participants commonly look to the past and at historical losses when trying to understand potential future losses. However, with new and emerging risks it’s often the case that historical loss data simply doesn’t exist and ultimately will take time to become available as more and more loss events occur and the industry-wide understanding of the peril improves.
“The mixed blessing associated with new lines of business is that, while there’s plenty of upside and potential significant top and bottom line growth, blazing a new trail necessarily means that historical and contextual data may be thin to non-existent. This can make it hard to enter a sector, particularly for the ILS market, which has focused for so long on property-catastrophe risk. Cyber may look and smell a lot different to them,” said Johansmeyer.
NotPetya is the first cyber catastrophe event covered by PCS Global Cyber, and Johansmeyer explained that this, combined with the fact that it now includes professional lines alongside the previously reported affirmative cyber, property, kidnap and ransom insured losses, makes it the best reference point when trying to understand what a cyber catastrophe might look like.
“What’s most interesting right now is to what the development process in regards to how new classes of business work their way into the catastrophe. It took nearly two years for professional lines to begin to appear, by which point the property losses already showed a certain amount of stability (although still with some issues).
“There have been some other events as well, which provide insight without fitting the PCS cyber catastrophe definition exactly. LockerGoga’s impact on the heavy industrial space provides a new area for concern, as it’s not the sort of trophy target sector many would expect,” he added.
He continued to explain that while broad coverage for protection buyers is always viewed as something of an ideal, for the ILS sector, this might make it a challenge to provide coverage for non-affirmative, or silent cyber exposures.
“In the early days, it might be easiest for the ILS space to focus on affirmative cyber ILWs (both per event and annual aggregate), as well as similar structures that could meet specific cedent needs. For example, second event risk loss ILWs (like any single insured loss of at least US$500 million following a first loss of at least that amount) could help the market significantly.
“Also, there’s room for frequency covers for large losses, such as a US$1 billion annual aggregate with a franchise deductible of US$200 million – among other aggregate and FD levels.
“For buyers where true cyber catastrophe coverage is crucial, some exclusions could help, such as keeping the instrument focused on underlying losses that are either affirmative cyber or property, or using a final PCS estimate as of a certain end date (perhaps a year after the ILW’s stated risk period),” said Johansmeyer.
In time, as more and more cyber catastrophe events happen and in turn datasets and information surrounding the peril becomes more comprehensive and more widely available, the ILS market will likely look to play an increasingly important role in the cyber space.
The table below, provided by PCS, details the economic losses of historical cyber events from 1999 to 2017.