Opening the Cyber Door
As ransomware and other cyberattacks proliferate, insurers are managing their exposures by sharing risk with reinsurers. Reinsurers are answering the call.
- Lori Chordas
- August 2018
Setting the Scene: Insurers are using reinsurance to manage the growth of their cyber exposures.
A Growing Market: The rapid growth of cyberthreats has created new challenges for reinsurers. The International Underwriting Association in May formed a new cyber group dedicated to the concerns of reinsurers.
On the Horizon: Alternative capital, such as insurance-linked securities, could soon be used to manage cyber exposures.
The escalating cyberthreat to the global economy is opening the door to new opportunities for reinsurers.
The interconnectedness of devices and the evolution of new threats has helped to make cyberrisk one of the top concerns inside the C-suite as companies count losses in the hundreds of millions of dollars.
The International Monetary Fund, for instance, in June estimated that average annual losses to financial institutions from cyberattacks could reach a few hundred billion dollars a year.
High-profile attacks, such as the WannaCry and Petya ransomware incidents last year, and a multitude of distributed denial-of-service attacks, such as the Dyn attack in 2016, have made companies more aware of the potential for losses, including business interruption and physical damage.
“Three years ago, we didn't see issues—even on a large scale—that we see today with ransomware and other high-profile hacks,” said Devin Page, a specialty reinsurance underwriter at Hiscox Re. “No one really has a complete handle on cyberrisk, but that uncertainty is why there is insurance and reinsurance,” he said.
As insurers write more cyber coverage, they are managing their exposure by ceding more risk to reinsurers.
Didier Parsoire, Scor
Premium and capacity in the cyber reinsurance market may be expanding. “I’m not sure the market understanding and modeling of cyber- risk is growing at the same pace.
Cybersecurity insurance experienced significant growth in 2017, according to an Best's Market Segment Report. Total cyber direct premiums written grew almost 32% and policies in force 24%, according to the report released in May.
In 2017, cyber packaged policies in force increased 28%, some of which was due to the addition of affirmative cyber coverage to packaged policies, according to the report, Cyber Insurance Market Sees Steady Growth, But Still Awaiting a Real Growth Spurt.
While stand-alone cyber insurance grew significantly in 2016, the growth slowed somewhat in 2017. Overall stand-alone direct premiums written grew just 7.9% in 2017, compared to a 91.5% increase in 2016.
Insurers are actively using reinsurance to manage the growth of their cyber exposures, with over 75% of companies transferring risk to reinsurers, according to a PwC global survey of specialist writers active in the cyber market. No respondents indicated using nonproportional reinsurance at the time of the survey.
The majority of respondents are seeking to transfer risk above a predefined retention level, according to the survey, Are Insurers Adequately Balancing Risk & Opportunity? Findings from PwC's Global Cyber Insurance Survey.
The design of nonproportional reinsurance structures requires a robust quantification methodology, an understanding of the exposure accumulations, confidence in pricing, and a clear definition of what constitutes a cyber event.
Accordingly, PwC said, there is greater appetite for proportional reinsurance, where reinsurers can rely on a cedant's underwriting expertise to create an alignment of interest, rather than model results they do not trust.
The use of reinsurance also was noted in the A.M. Best report.
“Reinsurance remains another option for insurers to lower cyber exposure, with treaty reinsurance for cyber being much more widely available than facultative,” according to the A.M. Best report.
“Capacity for treaty, specifically quota shares, is plentiful; however, most agreements include a loss ratio or event cap. Facultative reinsurance agreements may be an expensive and less preferred option.”
Quota share is one of the “easiest” reinsurance structures to put in place, said Catherine Rudow, North American property and casualty senior vice president and senior underwriter of professional lines at Partner Re.
Stop loss is a bit more difficult to price due to lack of historical data and emerging trends. “For now, we've taken a rate-on-line approach, so mid- to larger-sized portfolios can more easily absorb the cost,” she said.
Erica Davis, JLT Re
Carriers and reinsurers need to understand and quantify how much aggregated cyberrisk they actually have on the books.
Over the past five years, the cyber reinsurance community has evolved to meet the needs of their client base, said Ian Newman, partner of international reinsurance broker Capsicum Re's cyber division. “We are going to continue to see this evolution, but not just in the traditional market but also the ILS space as they look to deploy their capital into this expanding class.”
As carriers move beyond commercial lines cyber, into areas such as personal lines cyber, reinsurers are responding with new solutions to allocate some of insurers' capacity into personal lines, said Eric Cernak, cyber and privacy risk practice leader at Hartford Steam Boiler, part of Munich Re.
In a sign of the reinsurance industry's growing interest in cyber, the International Underwriting Association in May said it had established a new cyber group dedicated specifically to considering the concerns of reinsurers. The committee is run for underwriters offering stand-alone cyber policies and is made up largely of carriers providing direct cover. Already 14 member companies are represented on the new committee.
Topics for discussion, the IUA said, are likely to include the impact of cyber war and terrorism risk; accumulation and aggregation of risk; the provision of cyber cover written within traditional classes of business; and natural perils as potential triggers for cyber events.
Consideration also will be given to areas of potential overlap or gaps between product liability and errors and omissions policies.
“The rapid growth and fast-changing nature of cyberthreats have created many challenges for reinsurers,” said Chris Jones, IUA director of legal and market services.
“Companies are keen to support the development of dedicated cyber products in the London market and our new reinsurance group aims to encourage this through discussion of both underwriting and claims issues,” he said. “It will also be looking to represent members' interest on any regulatory developments relevant to the sector and may consider new market policy wordings.”
Even so, the upside may be somewhat limited.
“There are some pockets of opportunity with cyber insurance and mortgage reinsurance, but these do not come without risk and by themselves aren't enough to buoy the market in a meaningful way,” according to a Best's Special Report, Down But Not Out: Reinsurers Look to Reposition Amid Market Disruption.
Premium and capacity in the cyber reinsurance market may be expanding.
“However, I'm not sure the market understanding and modeling of cyberrisk is growing at the same pace,” said Didier Parsoire, chief underwriting officer for Scor global P&C's cyber solutions practice.
Some of the challenge stems from the difficulty in quantifying the risk. “Carriers and reinsurers need to understand and quantify how much aggregated cyberrisk they actually have on the books,” said Erica Davis, senior vice president at reinsurance broker JLT Re.
Cyber liability remains uncharted territory, said Berkshire Hathaway CEO Warren Buffett, speaking at this year's annual shareholder's meeting. Berkshire Hathaway is the parent of two major reinsurers, National Indemnity and General Re.
Buffett said he expects cyberrisks to get “worse, not better,” and the risks are still not well understood. “I don't think we or anyone else really knows what they're doing when writing cyber,” Buffett said.
Just like insurers, reinsurers are challenged by nonaffirmative, or “silent,” cyber.
Reinsurers are closely examining policies to determine if cyber is included and how it's priced. Reinsurers are managing their exposures by sharing some of the risk as well.
“We're now starting to see a few reinsurers cede some cyberrisk into the retrocession market,” said Jeremy Platt, head of U.S. cyber specialty at Guy Carpenter.
ILS has positioned itself well to take on what is the driver of volatility and capital: property catastrophe, Newman said.
“In the future, as cyber also becomes the driver of both volatility and capital the ILS market will position itself to take this risk on,” he said.
But it will take some time before capital market investors become comfortable with cyber-related products and exposures, Guy Carpenter's Platt said.
“There's definitely interest in providing reinsurance solutions for cyberrisk and certainly there's a lot of capital to deploy in the capital markets. But investors need to continue to be educated and convinced that cyber is a product that can perform as profitably as it has in the past and can be modeled to aid in understanding tail exposure and pricing,” he said.
The Road Ahead
An expected rise in cyberattacks will deepen the dialogue between reinsurers and their clients and increase penetration in the market, said Davis of JLT Re.
“But that largely depends on the nature of those losses,” she said. “A large-scale data breach no longer moves the dial. But something like we had last year with NotPetya could certainly pique interest in areas like manufacturing.”
Insurers and reinsurers have yet to see a black swan event that could rattle the industry and change the cyber market, PartnerRe's Rudow said. But once one occurs, “people are really going to sit up and take notice.”
Hartford Steam Boiler Group (A.M. Best # 003961)
Scor Global P/C SE (A.M. Best # 078344)
Partner Reinsurance Company Ltd. (A.M. Best # 084424)
For ratings and other financial strength information visit www.ambest.com
Lori Chordas is a senior associate editor. She can be reached at firstname.lastname@example.org.