Catastrophes: Cyberrisk
Stumbling Blocks

• Kate Smith
• June 2019
• 

Jean-Louis Monnier hesitates to guess when an insurance-linked securities market for cyberrisk will develop.

Monnier, the global co-head of ILS at Swiss Re, did that once already.

“Two years ago I was interviewed and I said we'd see more deals within two years,” Monnier said. “That hasn't happened.”

For years, there's been an expectation that alternative capital would get involved with cyberrisk transfer deals. But despite the rapid growth of cyber as a peril, an ILS market for cyberrisk has been slow to take off.

For all the interest in a cyber ILS market—and there is indeed interest—experts say the market still has too many obstacles. From limited modeling to lack of loss history to its potential for a long tail, cyberrisk poses complex issues for investors.

“A lot of the investors who are active in ILS in whatever form—cat bonds, traditional reinsurance—are interested in trying to find ways to assume cyberrisk,” Bill Dubinsky, managing director and head of ILS for Willis Towers Watson Securities, said. “The challenges for them are finding structures that actually work for them and risk-return profiles that make sense.”

Michael Millette, founder and managing partner of Hudson Structured Capital Management, said cyber ILS transactions are very doable. But they require creativity.

“You have to approach the risk in a different way,” Millette said. “It takes some thought and work to develop a different approach to deal design and risk analysis. You can't just take the existing catastrophe bond chassis, throw a new name on it and declare victory.”

Indeed some work has been done in this space. In October, Singapore launched a cyberrisk pool, with capacity of $1 billion, backed by both traditional reinsurance and insurance-linked securities markets. And in 2016, investment bank Credit Suisse sponsored Operational Re, which used a catastrophe bond structure to transfer the bank's operational risks, including cyber, to the capital markets.

But beyond those, the few transactions that have occurred have been private.

“We're already hearing of transactions in some more granular portfolios, probably relating to [small- and medium-size enterprises] risk, where the individual limits are not that high and where some ILS investors have been able to participate,” Monnier said. “It is good news to hear that it's happening, even though it's not in public form.”

To date, the lack of alternative capital in the cyber market hasn't posed a problem. Experts say additional capacity is on a “nice-to-have” basis rather than a “need-to-have.” Therefore, there has not yet been widespread demand for ILS participation.

“Insurers are trying to grapple with how you manage systemic risk within cyber, and a critical part of that is availability of reinsurance to protect against outsized losses,” Graeme Newman, chief innovation officer of CFC Underwriting, said. “And clearly any solutions that increase the availability of reinsurance, or more competitively priced reinsurance, are a good thing for this market.

“But have insurers been crying out for this? Well, remember, cyber is still an early-stage product in the affirmative market, and a relatively small line. So I'm not sure it's the No. 1 priority for exposure management, but 'silent cyber' might well be.”

Many expect that to change as accumulation risk grows. That's why cyber ILS is such a hot topic, despite the fact that there's been very little ILS activity related to cyber.

“For cyber you have the potential for accumulation of risk, and this is part of the reason I believe the cyber ILS market will develop,” Monnier said. “The reason there's a lot of talk around cyber is that it's not a matter of if it will happen, but a matter of when.

“If you consider nat cats, earthquake risk in the U.S. and Japan, hurricane risk and typhoon risk are not correlated. But when it comes to cyber, there is a point where you could have a bit of systemic risk in the case of a widespread attack. That means the reinsurers will need to syndicate the risk to capital market investors and spread the risk with capital market investors. The market is not there yet. But we know the demand for coverage is going to grow and the need to syndicate it will be there. It's just a matter of time.”

Roadblocks

Monnier attributes the lack of ILS market development to three things—lack of a clearly defined risk, lack of adequate modeling and lack of adequate pricing.

Defining what types of attacks and losses would be covered, and for what duration, can be tricky.

“Typically cat bonds are on a loss occurring basis, which means you need to have an event and a loss during the risk period,” Monnier said. “The issue with cyberrisk is that you could have something arising from an attack that took place some time ago but went unnoticed.

“These are aspects that need to be handled, in terms of defining what is covered and when, and ensuring it's clear with investors and ensuring that it's captured in the modeling.”

For most alternative capital products, you need a contract that speaks for itself and doesn't require negotiations after the fact to deal with unforeseen circumstances, Dubinksy said.

“If you were to talk to lawyers, the fear around the wording in cyber insurance is a pretty significant problem,” he said. “The challenge is, when you can't put two people across the table to say, 'I didn't think of that, but let's work it out,' you really are going to struggle to have a trade that makes sense. So the wording has to be tested and the kinks worked out before you can more or less have an auto pilot contract.”

Another big stumbling block for the development of a cyber ILS market is the peril's tail. Most of the existing ILS participation is in short-tail risks, where losses are fairly quickly known.

“When you're dealing with the collateralized market, you need to have a definite time of coverage and a time at which you hand the collateral back to investors,” Monnier said. “The moment you hand the collateral back to investors, whether it's bond redeeming or on a collateralized re structure, you hand the money back and you effectively commute the cover.”

Such capital efficiency is key for capital market investors, who want to be able to recycle collateral back into new risks.

“ILS invests in insurance for differentiation and diversification. I think cyber can offer that on both sides,” Devin Page, underwriter for Hiscox, said. “But a big necessity for ILS to enter the space is around capital efficiency. What works for ILS is, for the most part, a short-tail risk because it gives them the ability to know if they have or have not had a loss relatively quickly after the contract is done.”

Investors know immediately if a hurricane hits Florida. With cyberrisk, incidents aren't always known in real time. That can be an issue.

“When you compare the traditional and the collateralized re markets on this product, the longer tail risks associated with a risk that may surface a few years after the cover had been purchased, may prove more problematic to hedge in collateralized form,” Monnier said. “What would happen if you realized there was an event after the bond had matured?”

The loss history for more extreme tail events also is limited.

“That's a significant issue,” Dubinsky said. “The events so far, which have not been small at all but have been smaller than what people fear could happen, most of the money that's been paid out has been for first-party expenses. That is relatively short tail. The question will be: Do you have a situation that's maybe not as bad as asbestos but where instead of the tail being months or a year or two, it becomes a much longer tail of liability? And what would that mean? That's unclear too.”

Making Progress

Progress is being made in the areas of modeling and loss estimates. PCS, a Verisk company, has started compiling cyberrisk loss estimates and cyber catastrophe loss estimates. The goal, according to Verisk Assistant Vice President Tom Johansmeyer, was to create a mechanism to improve how insurers manage risk to capital.

“When you look at risk and capital management in the face of a cyberthreat, there are a number of things going on that are interesting,” Johansmeyer said. “First, you have the progression of how risk is managed in affirmative cyber over the last couple of years. It went from companies keeping their lines small and keeping their aggregates small, not betting more than they could afford to lose, to advancing to quota shares, where you're participating in the expertise of the underwriter you're supporting.

“Now we're seeing in affirmative cyber that some people are starting to realize how much premium is passing through their hands for quota shares, and they want to start looking at nonproportional covers so they can retain more of the premium rather than ship it out the door for a quota share. Industry loss index tools can help you understand the cyberrisk better and manage your risk to capital more effectively, rather than sticking strictly to a quota share structure.”

Newman said loss estimates theoretically allow clients to buy event-based reinsurance.

“If your fear is a significant event—say, one piece of malware that causes a disproportionately large loss—you can buy reinsurance against that, knowing you have a trigger,” Newman said. “That trigger is an estimate produced by a third party, which is essentially what they built in the property world. It facilitates risk transfer.”

For its loss estimates, PCS has looked at incidents as far back as 2013. So far, it has identified only one cyber catastrophe—the NotPetya attacks of 2017.

Though it may seem that seven years of events wouldn't provide a large enough data set to create models and triggers, Johansmeyer said it's enough to create some sort of cat bond.

“In terms of industry loss for cyber cat, we've got the one,” he said. “It's not a big data set, but based on that and things that we and other insurance industry stakeholders know about insurance, I actually do think there's enough out there to put some good triggers together. Absolutely.

“In my opinion, there's certainly enough cyber insurance experience out there. We're starting to form a picture as an industry that has a pretty good view of the risk related to cyber insurance.”

While PCS would love for its tools to become the foundation for ILS instruments, Johansmeyer said the company is keeping those ambitions contained at this point.

“I would love to see people going out and doing cat bonds right now,” Johansmeyer said. “And if somebody wants to, I'd help them make it happen. No question. But we've not been terribly aggressive in pushing that agenda. We want to make sure people can see the index, kick the tires and trust it. But more importantly, we want to help provide a common language for the industry to understand and talk about cyber losses.

“We're more concerned with getting people to talk consistently than we are with seeing money fly around. We believe that, as the conversation begins to progress on this basis, companies will be in a position to trade more effectively. That's what we're looking forward to.”

Future Market

Monnier sees the development of a cyber ILS market as inevitable.

“The market will develop. The models will develop. The question is: What will be securitized first?” he said. “We feel there is a greater chance of some affirmative cyber coverage to be developed, because that's where the definition is likely to be clearer regarding what is covered and what is not. Modeling is also likely to be easier to do, because you also have a grasp on what your exposures could be. Then it would become a question of price.

“The form is irrelevant. The size typically drives the form. To the extent that you have adequate modeling and the size is large enough, the benefit of doing a cat bond is that you can have a broader distribution and better price execution. But then you have higher costs. So I think the form will follow the need and the appetite from investors. And if we get indeed to a sizable market, it's likely that a good chunk of it would be in cat bond form.”

While it will take time to develop a cyber ILS market, Johansmeyer said new capacity is needed to facilitate meaningful growth of cyber insurance.

“Everybody is on everything now in the reinsurance space and retro space. If I were a reinsurer out looking for retro protection, the biggest challenge I'm going to find is getting capacity that's not already on the same risks I am,” Johansmeyer said. “So you need new sources to come in. That's what the ILS space was made for—to transfer risk out of the traditional insurance system.

“The difficulty is, you need the data, the modeling capabilities, the understanding and the experience to make it easy to adopt these tools. All are in varying states of progress, and it's all positive. But it's going to take some time. I think the biggest issue right now is experience. There's a lot of really interesting and innovative modeling activity going on. There's a lot of desire to trade on this basis, both for traditional players and the ILS community. But I think losses define a market, and we're still having the sorts of losses that will define this market.”