Given the enormous economic loss potential associated with cyber risks, rating agency Standard & Poor’s feels it inevitable that insurance and reinsurance firms will look to both the government and capital markets to help in boosting available cyber risk capacity.
In a new report on the reinsurance market’s approach to cyber risk, S&P Global Ratings points out that the potential for cyber losses to cripple the re/insurance industry is clear, if a prudent approach to underwriting and accumulation management isn’t followed.
S&P also questions the ability of the traditional insurance and reinsurance market to deploy sufficient capacity to meet the market opportunity of cyber risk on its own, or whether that would be sensible, leading the rating agency to liken the growth of the cyber market to the catastrophe risk underwriting market after hurricane Andrew.
“We believe the lack of global standards, including a homogenous definition of cyber events, liberal exclusions, and relatively low sums at risk offered by (re)insurers for now are keeping the market in its infancy,” S&P explained.
The rating agency also notes that global cyber insurance has been very profitable, for those willing to venture into it.
But S&P believes that there is an uncertainty premium that providers benefit from currently, which should go away as cyber risk models and the understanding of cyber exposure improves.
The economic and insurance market losses from cyber risks are on the rise, S&P notes, while at the same time there is a significant amount of so-called silent cyber risk embedded in other lines of business across the re/insurance market, that threatens to boost any major cyber catastrophe into a market impacting loss.
Here, S&P urges caution, saying that re/insurers need to analsye their portfolios to find out if they carry non- affirmative cyber exposures (silent cyber) and learn to manage them.
“We believe considerable silent cyber exposure is embedded in traditional insurance and reinsurance products,” explained S&P Global Ratings credit analyst Johannes Bender.
Without this, “losses could become significant and create volatility in capital and earnings in the near future,” S&P warns.
The cyber insurance market is expected to outpace the growth of most lines of insurance business over the coming years, rising to around $8 billion in gross written premium by 2022, compared with about $5 billion in 2018, S&P says.
But even this growth is not covering the true scale of the cyber exposure in the insurance and reinsurance market, or sufficient to reach its potential.
Hence, S&P suggests that government and the capital markets combined may be able to deliver the capacity required for the cyber market to meet its potential and become a more sustainable marketplace as well.
Here S&P draws similarities between the cyber insurance market and the catastrophe reinsurance market after hurricane Andrew in 1992, saying that while traditional reinsurance capital will be essential to support the cyber underwriting market’s growth, so too are new sources of capital, including cyber insurance-linked securities (ILS) capacity.
“Due to the enormous potential size of economic cyber losses, combined with the limitations on traditional (re)insurance capacity, we believe (re)insurers will partner with governments and the capital markets to increase capacity in the global market,” S&P says.
They liken it to 1992, when “state funds for catastrophe risks and catastrophe bonds for capital market investors brought more capacity to the sector,” providing much needed property catastrophe reinsurance capacity to the market.
S&P points to the Singapore government’s cyber risk pool initiative, which is slated to be backed by cyber catastrophe bonds or ILS, as a prime example of an initiative that could bring much-needed capacity to cyber risks.
However, “before ILS investors will accept cyberrisk as a potential investment opportunity, the market will need to enhance its ability to model this risk as well as have a longer track record,” S&P rightly notes.
The rating agency also notes that the correlation between cyber risks and global financial markets is much greater than seen in catastrophe risks, so ILS inevstors may take some encouragement to deploy significant capital into cyber risks to begin.
In addition, “losses from cyber incidents can be physical, similar to losses from fires, which shows another correlation of cyberrisk to catastrophes of human origin,” which is another factor ILS investors will want to consider before deploying capital to cyber lines of insurance or reinsurance.
But overall the cyber underwriting market remains immature and the time for cyber ILS, while not far away, is not yet with us to any significant degree.
In time though, as the risk models and understanding of accumulation exposure improves, the capital markets will begin to back cyber re/insurance deals though.
Especially where indices or parametric triggers can abstract the loss away from the unknown indemnity exposure, put some parameters around the potential for losses and deliver something more understandable to the ILS investor base.
“We think reinsurers are well placed to harness this business potential if they can develop cyber ecosystems and improve cyber modeling, while managing accumulation risk and silent cyber exposure,” Bender said.
S&P further explained, “If reinsurers are able to improve quantitative modeling and data quality, this may allow for more capacity in the fast-growing business of cyberrisk.”