BreachExchange mailing list archives

Could the capital markets solve the $1B cyber insurance policy gap?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Mar 2015 19:06:47 -0600

http://www.artemis.bm/blog/2015/03/23/could-the-capital-markets-solve-the-1b-cyber-insurance-policy-gap/


Lately the press is awash with stories about cyber risk, cyber insurance
and the threat posed to companies by hackers, malware and exploits. The
need for cyber insurance and reinsurance protection is clear, but with some
suggesting $1 billion policies are required, would the capacity be available?

The Financial Times reported that insurance industry experts suggest that
companies may need cyber insurance policies providing coverage of up to $1
billion, a number that while high is actually very understandable for
large, global companies with significant quantities of proprietary,
customer and sensitive data or with electronic access to cash that could be
compromised.

Losing your customer database along with sensitive financial details, or
your intellectual property, finding you cannot access core systems or that
the software that your corporation runs on has been completely wiped, all
of these are risks that big business is terrified of and the potential
costs and resulting liabilities are high.

However, that FT article suggests that currently you cannot buy cyber
insurance policies that provide any more than $500m of cover and in fact it
is more common to see a maximum of $300m or lower of capacity available per
policy.

With the potential costs so high, imagine you lost a million customers’
credit card details and the costs needed to respond to the issues and the
potential liabilities associated with that, the size of these cyber risk
insurance policies is clearly not sufficient for the largest companies in
the world.

“The costs are becoming so great that we really need $1bn policies in light
of the threats we are facing,” Ben Beeson, a partner at insurance brokerage
Lockton, is quoted as saying.

Stephen Catlin, CEO of insurance and reinsurance firm Catlin Group, said
recently that cyber risks are too big for the insurance industry and that
government support may be required to step in and provide the financial
backstop that companies need. In fact Catlin said that cyber was the
biggest systemic risk he had witnessed in his long insurance and
reinsurance industry career.

Catlin said that insurers’ balance sheets aren’t large enough to support the
magnitude of claims that could result from serious cyber attacks, so
government funds would be required. The key is in transferring the risks,
by whatever mechanism is the most efficient and cost-effective, and perhaps
in this case the insurance industry is just not cost-effective enough for
the peak cyber exposures.

This is where the reinsurance market arrived with respect to
catastrophe risks in the 1990s, finding that it was desirable to tap the
capital markets and institutional investor financing for the most impactful
risks. Perhaps a similar approach could be taken to provide peak-cyber risk
transfer and protection, in order to boost the amounts of capacity
available?

Naturally this is where you’d expect Artemis to suggest the catastrophe
bond as one possible avenue of exploration. We do know of people in the
reinsurance market already making tentative enquiries as to how cyber risks
could be securitised to be transferred to capital market investors. There’s
definitely a recognition that the exposures are so high that the
traditional reinsurance market alone may not be able to carry them.

A cyber risk catastrophe bond could be structured on an indemnity basis or
using an industry loss trigger approach, but the problem is the upfront
modelling of the probabilities and expected loss, as cyber risk exposures
have so many moving parts and the potential to be so volatile.

The lack of available historical loss data remains an issue, with sources
of cyber breach information small in number and the real impacts behind
each recorded breach often shrouded in mystery, as companies often don’t
want the bad PR associated with full-disclosure of a breach.

Perhaps a parametric solution could be designed? Distributed denial of
service attacks, where your network or computer systems are jammed by huge
volumes of inbound traffic and data, could perhaps be a risk that a
parametric trigger could be constructed for. A trigger based on inbound
data volume and how long it persists could be a simple way to approximate
the impact of a DDoS attack.

Could capital market investors ever be made comfortable with a view of
cyber risk in order to allocate capital to cyber risk cat bonds? It’s
possible, as the risk models and historical data are augmented over time.

One thing is certain, opportunity. Demand for cyber risk insurance is set
to be extremely high as corporations increasingly learn how they are
exposed and how attacks could affect their core business and supply chains.

Cyber risk cat bonds could be sold to corporates directly as well, meaning
the opportunity for capacity providers could be even higher, in the same
way that’s being proven with natural catastrophe bonds. A billion dollars
of capacity per policy might be a bit hopeful, but capital markets backed
cyber risk solutions could provide a useful layer of additional protection
for the peak cyber exposure, if the modelling can gain the necessary level
of trust.

Or maybe other capital market solutions could be looked at, such as a
sidecar that could be used to pool risks for corporates, or funded captive
type vehicles allowing the capital markets to take on the peak cyber
exposures.

Maybe Lloyd’s of London could set up a syndicate that accepts capacity from
many members and investors, provide the best cyber underwriting talent in
the world and get the market focused on London? Again possible, but likely
hindered by the modelling and the inherent uncertainty (in fact the clear
unknowns) in cyber exposures for the moment.

Which brings us on to contingent capital as another potential solution to
finance cyber risks. Given the way these transactions are structured,
providing just-in-time capital to corporates at the time they need it,
based on pre-defined trigger factors or conditions being met, a cyber risk
contingent capital facility could do the necessary job of making capital
available when the worst happened.

The reason that contingent capital could be an answer is the way these
transactions provide their protection. They do not have to be fully-funded
or collateralized in the same way as a catastrophe bond, meaning that
investors can buy into the deals but only have to outlay the full capital
when they are triggered.

It’s easy to see how the capital markets, securitisation and
insurance-linked securities (ILS) structures could be put to work in cyber
risk, but the issues around data and the ability to accurately price these
exposures remain a problem.

Beeson hits on this key issue when quoted: “The question is how do we get
there and price risk, especially when the risks are changing every day.”

Pricing cyber risk is notoriously difficult. It’s possible to estimate the
potential financial loss impacts of specific scenarios, but how do you
estimate the likelihood of this happening accurately, when hackers are
breaking new systems on a daily basis and the threat profile is constantly
being adjusted?

Models can approximate exposures based on data inputs about the corporation
that is seeking coverage, but how do you price reinsurance capacity that
covers multiple insureds? With so many moving parts involved that could
increase the risk of a cyber attack, pricing cyber reinsurance seems even
more difficult.

A central and independent collector and reporter of cyber risk exposure and
loss information would be a useful start; it would make data available in a
structured format and give re/insurance markets and third-party investors
confidence in the exposures they may take on.

A report published today by broker Marsh in conjunction with the UK
government looks at cyber risk and found that an estimated 81% of large UK
businesses and 60% of small companies suffered some kind of cyber security
breach in the last year.

The UK government is keen to establish London as a global centre for cyber
risk management, which could result in initiatives to collect data more
thoroughly and to make it available in forms that are useful to insurance
and reinsurance underwriters and risk modellers.

The report highlights supply chain risks in cyber exposures: when a
company’s suppliers come under attack or suffer a breach, it can impact
many of their customers. That suggests a contingent business interruption
product focused on cyber risk is required, again something whose impacts a
parametric structure is often better at approximating than an indemnity
structure.

Cyber attacks are estimated to cost the UK economy billions of pounds each
year, with the cost of cyber attacks nearly doubling between 2013 and 2014,
according to the report. The report concludes that the risks associated
with cyber attacks are not nearly well enough defined within the insurance
industry and suggests that there is much work to do.

Francis Maude, Minister for the Cabinet Office and Paymaster General in the
UK government, commented: “It is part of this Government’s long-term
economic plan to make the UK one of the safest places in the world to do
business online. The UK’s insurance market is world renowned and we want it
to be the same in relation to cyber risks. The market has extensive
knowledge and experience of more established risks to help businesses
manage and mitigate relatively new cyber risks.

“Insurance is not a substitute for good cyber security but is an important
addition to a company’s overall risk management. Insurers can help guide
and incentivise significant improvements in cyber security practice across
industry by asking the right questions of their customers on how they
handle cyber threats.”

Mark Weil, CEO of Marsh UK & Ireland, added: “While critical infrastructure
in regulated sectors, such as banks and utility firms, are used to this
kind of risk, most firms are not and their risk management practices are
geared around lower-level, slower moving risks. Companies will need to
upgrade their risk management substantially to cope with the growing threat
of cyber attack, including introducing disciplines such as stress-testing,
and creating a joined-up recovery plan that brings together financial,
operational, and reputational responses.”

Will this government-backed initiative position the UK as a leading cyber
insurance hub and will the insurance and reinsurance industry be able to
provide the necessary capacity to back it?

If policy limits of $1 billion and upwards are required, while currently
insurers seem to be pulling back on offering large limits, it seems other
sources of capital may be required to augment the available insurance
capacity.

Which would suggest that insurers and reinsurers should work with the
capital markets to bring much larger limits to bear, making the coverage
required easier to get hold of and the risks more broadly distributed among
counterparties and capital providers.

Fitch Ratings discussed the lack of cyber reinsurance capacity in a recent
report, saying that many policies continue to exclude cyber risks. However,
cyber risks have become more prevalent in global reinsurance circles as
some underwriters have begun to include coverage as a way to attract more
business in the challenging market.

This expansion of terms and conditions to include cyber catastrophe
coverage, alongside property covers for example, is seen as an accident
waiting to happen by many. Questions abound as to whether the reinsurers
bundling cyber with renewals have any idea of the exposure they have taken
on.

Fitch also highlights the risks of aggregation from cyber exposures, making
it a difficult risk to diversify within a reinsurance portfolio. Cyber
exposures can spread and have knock-on effects that are very difficult to
predict. The interconnected nature of networks, as well as the network
effect of cyber culture, can make the exposures multiply significantly.

Fitch has hopes that cyber will become more widely underwritten in
reinsurance markets: “Fitch believes that insurance companies’ increasing
knowledge about aggregations and overall exposures to cyber risks will give
reinsurers more comfort in writing this business. Increasing demand coupled
with difficult market conditions in most reinsurance lines could also make
cyber risk an attractive line to write.”

Gradually capacity for risks like cyber will grow and given the extent of
the exposure it stands to reason that third-party capital providers will
ultimately participate in this market as well. Competition in the cyber
reinsurance market could be fierce, as the pricing will likely be
attractive and it could provide a welcome source of new premiums for
incumbents suffering from declining pricing in catastrophe markets.

There’s no easy answer to exposures as complex as cyber risk. There remains
a need for more knowledge and understanding of cyber risks in the
re/insurance industry, as well as a lack of data on historical events and
risk transfer capacity. These issues need addressing before we will see a
fully functioning cyber risk insurance market emerge, let alone a
functioning cyber reinsurance, or cyber capital markets (ILS & cat bond),
option.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/