There’s an opportunity right now to trade industry loss warranties (ILW’s) linked to cyber reinsurance risks, as a unique set of circumstances make ILW instruments a good fit for transferring cyber exposure, according to Tom Johansmeyer, Assistant Vice President, PCS Strategy & Development at ISO.
When I think of the cyber reinsurance market these days, the advertiser buried within me takes over. My brain gets crammed with calls to action—that line in an advert that tells you to do something. Think of ‘take a bite’ from our #OriginalRisk campaign. Well, for cyber, the calls to action that come to mind are:
- Don’t wait!
- Act now!
- Don’t miss this rare opportunity!
And I have to fight the urge to add, ‘Something like this only comes along once in a lifetime.’ Seriously. The cyber insurance market makes me remember every infomercial I watched at 1:00 a.m. in my youth. There’s a reason for this.
Cyber really does offer a rare opportunity right now, and the urgency is real. Quite simply, there’s a window open in the cyber market right now—but not for long. It could stay open for several years, but it won’t stay open forever. A handful of circumstances has made industry loss warranties (ILWs) uniquely effective in risk transfer and capital management for cyber risk. The underlying formula involves programme limits, the magnitude of economic losses being seen, and claim settlement speed.
Let’s start with limits. The Heartland Payment Systems breach of 2009 resulted in insured losses of just over US$30 million and exhausted the original insured’s cover. That’s just the beginning of the event’s impact, though. Following the breach, the company’s share price stayed at least 33 per cent below its last pre-breach level for more than six months. Even the Equifax event didn’t have that profound an effect on shareholder value!
Of course, the Heartland event happened almost a decade ago, and the cyber insurance sector has come a long way since then. Insurers have made more protection available, and corporates have been receptive, as later losses demonstrate. Target had US$90 million in cover when it got breached in 2013. Home Depot had US$100 million. Of course, both events were total losses, but insurance was able to make a bigger difference.
And progress has continued. Today, it’s not unusual to see limits of US$500 million or more. Such covers still aren’t as common as they should be, but it’s still a lot better than a recovery that pays for little more than a few months of crisis PR.
Despite the growth of cyber insurance worldwide, gaps in protection remain. Too many companies still don’t have cyber cover. And those that have protection don’t seem to have enough. Recent losses are instructive here.
PCS Global Cyber produced loss estimates for four cyber risk loss events in 2017. Only one seems likely to stay below program limits. Two had significant cyber towers, but they weren’t nearly high enough, as economic losses are expected to exceed US$1 billion. Equifax had US$125 million in protection, which several market sources said ‘might cover costs, but that’s about it’. Merck, the largest affirmative cyber loss we’ve seen so far, had US$275 million in cyber protection. The lesson here is that the cover is still far short of the full economic risk they faced. Even if both companies had programmes consistent with the largest we’ve seen placed, the economic loss would still have been high.
So far, all seven finalised PCS Global Cyber events have had economic losses that were much larger than insured losses. Of the two events open, one is expected to take a while to close. The Southwest Airlines event, in a sense, shows what the future holds. When there’s sufficient insurance in place, cyber becomes a long-tail class of business. The mitigating factor today is that large cyber risk losses (above US$20 million) tend to come with disproportionate economic impact.
For now at least, that means there’s a way to trade cyber as a short-tail class of business, particularly in the ILW market. The key here is settlement time.
When a claim falls below policy limits, the settlement process tends to look like a casualty claim. Even in a total loss, it can take a while. But when you use a cyber ILW, the process for dealing with total losses can be accelerated. In the event of a total loss, PCS Global Cyber can designate the event, produce the preliminary loss estimate, and close the event quickly. We designated Equifax on 13th of September and published our final estimate on 6th of November. We designated Merck on 28th of September and closed it on 6th of November. That speed simply isn’t available in the traditional market.
Let’s take a look at two hypothetical ILW trades in this context: a per-event trigger and an aggregate trigger.
Consider a per-event ILW triggering at US$1 billion. An event occurs with economic losses of at least US$1.5 billion forecasted. PCS Global Cyber issues an event designation bulletin. Given the magnitude of the loss and feedback from our network of data contributors, we’re able to publish our first estimate within two weeks. A month later, as the loss evolves, it becomes clear that the tower is blown. We issue our final loss estimate. The entire process takes six weeks, and the ILW is concluded with clarity, even if the underlying loss is ongoing.
Aggregate ILWs are a bit more complex but still have plenty of speed and clarity relative to traditional cover. Assume a US$2.5 billion aggregate with a franchise deductible of US$20 million. Five companies with cover of up to US$500 million sustain losses of at least US$1 billion. This isn’t beyond the realm of possibility—we saw at least two in 2017. In each case, following the conditions described in the per-event scenario, PCS Global Cyber is able to finalise each loss in six weeks. While the underlying losses drag on, the ILW is settled, and the parties can move on.
The unique set of circumstances that favour ILW trading won’t last too long. And early entrants will be rewarded with cost-effective and highly efficient cover, especially for large primary insurers and reinsurers. ILWs tend to make the most sense for large and diverse books of business. Otherwise, basis risk could become a problem.
Someday, the cyber sector will catch up with the risk that insureds face. As towers go higher and more corporates purchase protection—an important development we should encourage—more losses will fall below coverage limits, turning cyber into the long-tail business it really is. That’ll result in longer claim settlement times and consequently longer development periods for PCS Global Cyber loss estimates. ILWs will remain important at that stage in the maturity cycle, but the unusual opportunity we see today will fade away.
So, as the adverts say, ‘Act now!’ For a limited time only, cyber won’t smell like marine.
Article by Tom Johansmeyer, with research by Alex Mican.
Tom Johansmeyer is assistant vice president, PCS Strategy and Development, at ISO Claims Analytics, a division of Verisk Insurance Solutions. He leads all client- and market-facing activities at PCS, including new market entry, new solution development, and reinsurance/ILS activity. Previously, Tom held insurance industry roles at Guy Carpenter and Deloitte. He’s a veteran of the U.S. Army, where he proudly pushed paper in a personnel position in the late 1990s.
Alex Mican is product development manager, PCS, at ISO Claims Analytics, a division of Verisk Insurance Solutions. He focuses on helping PCS develop new solutions for the global specialty market – including marine and energy, cyber, and terror. Alex joined Verisk Insurance Solutions in 2014 and PCS in 2016. Originally from Romania, he came to the United States to study for his Master of Business Administration degree, which he completed at Plymouth State University in 2011.
This article was contributed by a sponsor.