October 26, 2018
Spreading cyber risk has long posed unique challenges to re/insurers operating in the cyber market space. When cyberattacks occur, they can have far-reaching effects and trigger payouts from policies that are not explicitly written to cover cyber risks—something commonly known as “silent cyber” risk. Naturally, this hard-to-quantify exposure makes it more difficult for re/insurers to absorb losses by spreading the risk, and as a result, there have been tentative steps recently toward leveraging alternative capital in the form of cyber insurance-linked securities (ILS) in order to make the cyber insurance market more sustainable.
In a recent report, S&P Global spoke with Ian Newman, global head of cyber at reinsurance broker Capsicum Re, who told them that his firm has been involved in “a couple” cyber ILS deals. “It is not a big market,” Newman said. A key reason for that, according to the report, is the fact that investors rely heavily on models to help them decide whether to take on insurance-related risks. Furthermore, since cyber insurance is still relatively new and there is a distinct paucity of claims data in comparison to other lines of business, some may distrust current models, and as such, may be reluctant to engage in a cyber ILS transaction. Another important reason for investors’ skittishness about cyber ILS is the fact that a cyberattack—for example, a data breach—may affect the value of other capital market-linked assets in their portfolios, whereas other ILS, like those tied to natural catastrophe risk, often do not.
Nevertheless, there are suggestions that despite investors’ wariness, cyber ILS may play a role in helping the industry take on cyber risk. Jonathan Parry of QBE Re suggested that investors could be first enticed into the market through industry loss warranties (ILWs), where payouts are triggered by an industry-wide loss index pegged to a single event. Additionally, he noted that thanks to the rapid improvement of cyber risk modeling, investors may become willing to assume cyber risk in the near future.