Deals to transfer cyberrisk to the capital markets through insurance-linked securities, or ILS, have been done, and more are in the pipeline. But the cyber ILS market remains in its infancy, and some market practitioners doubt that the capital markets are yet ready to take a bigger share of the risk.
Because a cyberattack could affect multiple industries and geographies rapidly, it has the potential to trigger payment in many lines of insurance business at the same time. As well as potential payouts from the roughly $4 billion of gross written premium for specific cyber cover, the insurance industry also has a far greater exposure through traditional policies that do not explicitly include or exclude cyberrisks, known as non-affirmative or silent cyberrisk.
Insurers and reinsurers would normally look to each other to share such a burden, but are reluctant to add to their already large and difficult-to-quantify exposures by taking on another company's risk. In that context, capital markets investors, which have already proven adept in helping traditional companies smooth out volatility in their catastrophe portfolios, and which do not have an existing portfolio of cyberrisks to contend with, are an obvious place to turn.
This has begun happening already, albeit at low levels thus far. While declining to name the parties involved, Ian Newman, global head of cyber at reinsurance broker Capsicum Re, said in an interview that his firm has placed a cyber ILS transaction that has "been around for a number of years and has renewed a couple of times."
Said Newman, "It has worked well, is something that continues to grow, and we anticipate growing to an even more meaningful line size this year." But he also noted that Capsicum Re is to date the only broker to have done ILS deals, and "we have only done a couple."
He added: "It is not a big market."
And obstacles exist to its becoming significantly larger. A key one is that investors rely heavily on risk models when taking on insurance liabilities, but because cyber insurance is in its relative infancy, and there is little claims data to go on, some distrust the models.
Risk modelers RMS and AIR Worldwide both have cyber models, and AIR announced Sept. 4 that it had teamed up with Capsicum Re to develop silent cyber modeling capabilities. Yet many remain skeptical, like Dirk Lohmann, CEO of ILS investment adviser Secquaero.
Lohmann placed Hannover Re's Kover catastrophe bond in 1994, widely considered the first. He said in an interview: "I wouldn't put a lot of credence into anything that's out there calling itself a model. From that standpoint we are not as a market prepared yet to consider this as a risk."
A further problem is risk correlation. Capital markets investors find natural catastrophe risk attractive in part because it is not closely linked to the other, mostly financial risks in their portfolios and so offers diversification. However, a big cyber event could affect the value of other assets such as stocks and bonds.
Lohmann said that in order to recommend a cyber deal, "we would have to be convinced that either we are looking at something that has got a low correlation or we can get comfortable that the correlation is not going to be that great."
A further attraction of catastrophe risk is that claims are typically assessed and paid relatively quickly. Cyberrisks, however, contain elements of liability and business interruption, where ultimate claims costs could take several years to determine, tying up investors' money for longer.
The time it could take to settle cyber claims "doesn't really work with non-traditional capital's appetite," said Jonathan Parry, chief underwriting officer at QBE Re. "That is why [alternative capital sources] have never been that strong in the casualty space either."
There are signs, however, that ILS will play a growing role in assuming cyberrisk.
"I'm sure [cyber ILS] will happen," even given capital markets' general reluctance to take on long-tail risk, said Parry. He suggested that a palatable way into the market could be industry loss warranties, or ILWs — a simpler version of ILS in which payouts are triggered by industry-wide losses for a specific event, determined by a loss index.
Property Claim Services, or PCS, which compiles property loss indexes used in ILW and ILS transactions, has developed a cyber loss index for events costing the industry over $20 million. In September, it expanded the service to include events costing over $250 million involving multiple insureds for both affirmative and silent cyber.
Newman at Capsicum Re agreed that ILWs are a good way for capital markets investors to assume cyberrisk, saying a colleague had developed a cyber ILW alongside PCS, although it has yet to be traded.
He is also sanguine about the growth in use of more fully fledged ILS for taking on cyberrisk, both through simpler "cat bond lite" deals and via larger, more complex transactions carried out under the U.S. Securities and Exchange Commission's 144A rules, which facilitate the trading of privately placed bonds.
"We are not at the point yet where there is total confidence, but we are already speaking to major cat bond markets who would be very comfortable doing a cat bond lite and I don't think we're a million miles off being able to do a 144A [cyber] cat bond in the near future," he said. "The models are developing at such a rapid pace and improving that the level of confidence is growing all the time."