Four keys to unlocking cyber ILS capacity in 2023

The demand for cyber insurance has increased rapidly over recent years, and is set to grow further. The cyber insurance market will nearly triple in size by 2027, according to Munich Re. To underwrite more insurance, insurers need to transfer some of their risks to reinsurers. For cyber risks, capacity from reinsurers has not kept up with demand. This has caused sharp price increases and left cedents (insurers buying reinsurance) looking for alternative sources of capacity.

For decades, insurers that have not been able to purchase sufficient reinsurance for natural catastrophes have turned to insurance-linked securities (ILS). These are alternative forms of risk transfer that involve insurers paying capital markets investors, rather than reinsurers, to take on their financial risk. As of 2022, 22% of the capital used by the catastrophe reinsurance market was alternative capital, according to the Swiss Re Institute.

ILS have been considered as a route to bring more capacity into the cyber insurance market since 2015. 2023 has seen key steps forward including the first cyber catastrophe bond (a type of ILS transaction) and other notable recent transactions.

Cyber ILS deals are difficult to achieve. Whilst investors in natural catastrophe ILS benefit from diversification, because the occurrence of disasters in one region does not correlate to losses elsewhere, cyber risks are not limited by geography. The largest cyber catastrophes could cause wider financial market losses, further limiting the diversification effect for investors. Cyber perils also lack the decades of historic data that is used for modelling natural perils.

Although investors are showing caution, early examples of cyber ILS transactions show that the conditions exist in 2023 for insurers to access cyber ILS capacity. Those looking to do so need to understand the key factors that have enabled these transactions to be successful.

Four major transactions in the last year

Beazley catastrophe bonds

The first cyber ILS transaction to make headlines in 2023 was a catastrophe bond sponsored by insurer Beazley in January (the ‘sponsor’ of a catastrophe bond is the company seeking coverage). Beazley has one of the largest cyber insurance portfolios, with Insuramore reporting that it wrote around $800 million USD in direct written premiums in 2021, 9.3% of the global market, equal to Chubb and more than any other insurer.

This catastrophe bond represented the first liquid cyber ILS instrument (catastrophe bonds, unlike other ILS instruments, can be traded by investors on a secondary market, making them more liquid assets). The bond uses an excess-of-loss structure, a type of transaction which covers cedents against losses to their portfolio exceeding a certain threshold. It provides $45 million USD of coverage to Beazley against any cyber peril that causes losses of more than $300 million USD to Beazley’s portfolio.

Risk analytics firm CyberCube was the modelling agent for Beazley’s catastrophe bond, meaning its risk models were used to estimate Beazley’s exposure to cyber catastrophe events and quantify how likely the bond is to pay out. Gallagher Securities was the structuring agent, working with Beazley to design the structure of the bond, present it to investors and finalise pricing.

In May 2023, Beazley sponsored a second cyber catastrophe bond, providing it with $20 million USD of coverage. According to Artemis, this catastrophe bond covers the same type of risks as the first bond over the same time period, effectively topping up its total coverage to $65 million USD.

Hannover Re proportional reinsurance

Later in January 2023, reinsurer Hannover Re announced that it had acquired proportional reinsurance coverage from investor Stone Ridge Asset Management. The quota share reinsurance arrangement means that Stone Ridge will take on a portion of Hannover Re’s cyber risk portfolio, sharing the income and losses from the portfolio, up to a limit of $100 million USD.

Whilst Beazley’s ILS transaction enables it to underwrite more cyber insurance, as a reinsurer Hannover Re has used its ILS transaction to unlock more capacity to underwrite cyber reinsurance. Hannover Re executives have also publicly stated their intent to sponsor a catastrophe bond in the future.

At-Bay aggregate stop loss reinsurance

At-Bay, a cyber MGA, launched a captive reinsurer in 2022. A captive is a (re)insurance company that is wholly owned by a parent company. As an MGA, At-Bay underwrites cyber insurance on behalf of (re)insurers. Owning a captive reinsurer allows it to hold a portion of the risk it underwrites.

At-Bay secured $64 million USD of reinsurance coverage for its captive in an ILS transaction in June 2022. It worked with Vesttoo, a reinsurance marketplace that helps cedents model, structure, price and place ILS transactions. Vesttoo says it has provided around $150 million USD capacity for cyber ILS transactions to date, including the At-Bay transaction.

The transaction used an aggregate stop loss structure, a type of deal that protects cedents against events that negatively impact their loss ratio in a given year. The investors backing the transaction had not been involved in insurance risks before they began working with Vesttoo.

We spoke to four experts in cyber insurance and ILS to learn about the key factors that cedents should consider when looking to transfer cyber risks to the ILS market.

Key 1: Risk modelling investors can trust

Once a cedent has decided what coverage it needs and what the trigger mechanism will be, a risk modelling firm runs calculations to model the risk being transferred. This includes the probability the instrument will pay out to the cedent at all, the probability it will pay out in full and a detailed analysis of different scenarios. Investors use this information to decide whether to provide coverage and at what price.

Cyber risks are challenging to model. Cyber threats have emerged relatively recently compared to natural peril risks, for example. Vesttoo, whose risk models were used in At-Bay’s cyber ILS transaction, told InsTech that cyber is currently the focus of a huge amount of effort and energy, within Vesttoo and across the market.

“The insurance market will solve cyber risk because it must do so – there is a very real commercial need for this type of cover, and we have faith that the market will find the solutions businesses need. What’s encouraging is today we are seeing a much more sophisticated debate happening around both how the insurance market handles such risks, as well as vastly improved mitigation measures being put in place by larger insureds.

We expect the convergence of these two trends – one from within the insurance market, one from the wider business community – to transform cyber into an increasingly routine risk in the years ahead.” – Brian Kirwan, Global Head of P&C and Specialty, Vesttoo

Overcoming the challenges of cyber risk modelling for ILS is “realistically achievable with the right partners, the right type of risk and a data-driven approach,” according to Vesttoo.

“The challenge the whole market is trying to crack is delineating what cyber risk is currently modellable from what is unknown and unknowable at present. For example, to forecast the frequency and severity of malware attacks, data breaches or technology errors & omissions is a challenge, but we do have the data and the tools to model these risks, and Vesttoo have completed several transactions covering such risks.

On the other hand, a mass cloud outage or other large-scale events which could conceivably affect modern communications infrastructure, are extremely difficult to attach meaningful probabilities to and would cause losses that correlate across policies.

However, we are making progress on expanding the zone of presently insurable risks and shrinking the unknowable. Our models constantly continue to improve, as well as the ability of the risk transfer structures we’re designing to build in ‘circuit breakers’ to clarify the divide between what risks we can and can’t model and transfer.” – Brian Kirwan, Global Head of P&C and Specialty, Vesttoo.

Vesttoo has seen particular demand for excess-of-loss structures in cyber ILS. As a result, it has developed a risk and pricing model specifically designed for cyber excess-of-loss transactions.

“Wherever possible, cedents should be looking to partner with ILS providers who have done at least a few cyber deals already. Every deal that is successfully modelled, structured, priced and placed represents a relatively large new tranche of experience and additional data available given the emergent nature of the risk.” – Brian Kirwan, Global Head of P&C and Specialty, Vesttoo

Key 2: Sharing high-quality data

Whilst insurers and reinsurers have underwritten cyber risks for 15-20 years, ILS investors have only started taking on cyber risk in the last five years, and few transactions have occurred to date. As a result, ILS investors have less data available to price cyber risk than the insurance market.

“There are three ways to bring the ILS sector up to speed with cyber as a new asset class,” says Juan Marcano, Principal Alternative Risk Transfer at CyberCube. “One way is participating in transactions with them. Another is sharing information to help investors familiarise themselves with cyber as an asset class. The third is to sponsor a catastrophe bond, because this requires a level of disclosure that will enable ILS funds to get comfortable with the risk.”

CyberCube’s models were used for Beazley’s cyber catastrophe bonds. The company counts among its clients large cyber insurers including Chubb and Tokio Marine and ILS funds such as Fermat Capital. ILS specialist Hudson Structured Capital Management is an investor in CyberCube.

Juan Marcano explained that investors in cyber ILS transactions need to be comfortable both with cedents’ data and how it is being used. As well as information about the volume of policies an insurer is underwriting and the claims paid out, they want to know how the insurer uses its claims data to make improved underwriting decisions and advise clients to be better prepared to avoid cyber claims.

Many insurers do not cover all cyber risks in the same way; they distinguish between different cyber perils and apply coverage sub-limits. This enables cedents to share more information with investors about their exposure to individual cyber perils.

“Transparency and trust are paramount. If you want to approach capital markets, the level of disclosure required to get investors comfortable with the proposal will be significant. You will not simply be able to send them a distribution of the portfolio, a few characteristics and an exceedance probability curve [information about how likely differently sized losses are]. Investors are looking for a forensic understanding of how your cyber insurance operation works.” – Juan Marcano, Principal Alternative Risk Transfer, CyberCube

Increased transparency can help all players in the cyber ILS market, according to Juan Marcano. “The market should be more open with sharing data. As a model vendor, CyberCube relies on feedback from our clients to improve our products. If our clients share more information, we can provide better products to help them grow their business successfully. More data sharing can also help regulators, investors and other entities that can grow the cyber ILS market.”

Key 3: Clear definitions of cyber events

James Burns, Head of Cyber Strategy at CFC, an MGA and insurer specialising in cyber and emerging risk, explained his perspective on triggers and event definitions for cyber and its relevance to the ILS market. He discusses the challenge of differentiating systemic risk (the risk of events that are so large in scale and global in effect that insurance may not be suitable to cover them) from attritional losses (losses that are not related to catastrophic events).

“Triggers and event definitions are of critical importance to the prospects of a functioning ILS market for cyber. Cyber (re)insurers are still grappling with the challenge of systemic risk and how to define it. This is relevant because ILS instruments – such as cyber catastrophe bonds – have a clear, primary use case for cedents in risk transferring some of the impact of extreme scenarios.

But if the market is unable to unambiguously agree on what it means by an “event”, then we could be stunting prospects for growth. This is a challenge that cyber (re)insurers have been trying to overcome for some time and we’re not there yet.

The primary challenge with cyber catastrophes is that it is not always easy to delineate between attritional claims and systemic events. In the property world, we identify, define and classify weather events using a predetermined, objective set of criteria. Trusted third parties, such as the National Hurricane Centre in Miami, use these criteria to measure and declare extreme weather events, such as hurricanes. This model provides a mechanism useful to all stakeholders in the transfer of catastrophe risk.

There is currently no equivalent of this in the digital world. This leads to a lack of consensus on what a ‘cyber hurricane’ might look like. Or at least a fear that there might be a dispute after the event, which can damage confidence in the solution. Cyber (re)insurers have tried tackling this by getting specific with event definitions but there is still a lot of uncertainty.

To maximise the potential of cyber ILS we need absolute clarity and consistency in triggers and event definitions. The development of an independent event classification system would be a huge step forward in this respect. It could give cedents, reinsurers and alternative capital providers alike, the sort of confidence required to commit to many more transactions than we’ve seen to date.”

Key 4: Compromising on collateral release

ILS transactions usually involve the capital of investors being held as collateral, available to pay the cedent if a claim is triggered. If a loss occurs during the coverage period, the ultimate value of the pay-out from the ILS transaction may not be determined when the coverage period ends. Cedents want to ensure the collateral remains available for as long as possible, so their claims can be paid in full, whilst investors want to release the collateral quickly, so they can redeploy their capital.

It can be challenging for cedents and investors to reach a compromise on how and when collateral is released, according to Envelop Risk, a cyber reinsurance MGA.

“ILS transactions in non-cyber lines of business have occurred because protection buyers and investors have managed to reach a compromise on how the collateral release mechanics should operate. Market participants must now start to evaluate what fair compromise looks like in the world of cyber ILS.” – David Ross, Executive Vice President of ILS & Capital, Envelop Risk

Many natural catastrophe ILS transactions use what are known as buffer loss mechanisms to govern collateral release. Essentially, cedents estimate the eventual value of their loss, with a margin of uncertainty (‘buffer’). The collateral required to pay anything within that range is held, and the rest is released to investors. The estimate is revised over time and the buffer decreases as the ultimate loss value becomes clearer.

This approach can also be used for cyber ILS transactions, David Ross told InsTech. Cedents should consider what types of losses they have been able to estimate accurately in the past when determining which risks to transfer to the ILS market and the timeline for the buffer decreasing.

“Most market participants would agree that third party claims are usually more difficult to reserve accurately in the immediate aftermath of a loss. However, first party claims have dominated cyber loss experience in recent years. The protection buyer may seek to carve out third party claims and cede them as part of traditional reinsurance placements, while seeking cyber ILS protection just for the first party component… Structured in this way, both sides of the trade may embrace mechanisms for speedier collateral release. Alternatively, third party losses could be accommodated via an elongated buffer loss schedule.” – David Ross, Executive Vice President of ILS & Capital, Envelop Risk

David Ross also mentioned some other ways in which cedents can improve investors’ confidence in collateral release mechanisms. “Investors would be more willing to enter into ILS transactions if buyers were obligated to set ultimate loss estimates in line with their own audited financial statements, with no added conservatism… We could adopt a feature where the protection buyer is required to pay interest on outstanding collateral balances after expiry of the contract… [Another] example would be to include a no claims bonus which becomes payable if the buyer elects commutation at the end of the reinsurance term, thereby releasing all collateral immediately.”

Find out more

If you would like to connect with Vesttoo, CyberCube, CFC or Envelop Risk, you can reach out to Henry Gale on LinkedIn for an introduction or contact them directly on their websites.

To learn more about how insurance companies are tackling exposure to SME cyber risk, you can watch our webinar with KPMG, Beazley and Cowbell from earlier this year, or read our article about closing the SME cyber insurance protection gap.
