Is there a cyber storm on the horizon?

Devin Page

Hiscox Re’s Devin Page, Head of Specialty Reinsurance, on the growing likelihood of the (re)insurance industry’s first significant cyber catastrophe.

Risks like windstorms, earthquakes, floods, wildfires and terrorist attacks are usually the first to come to mind when one thinks of catastrophes. But, given the increasing levels of global digital connectivity, greater penetration of cyber insurance, inadequate contract wordings, and the silent cyber threat, a devastating cyber catastrophe is now capable of inflicting similar levels of losses. Despite the growing risk, it is clear that the reinsurance market has work to do if it is to deliver a more suitable, sustainable, and scalable response to meet the challenge of a cyber catastrophe.

Warning shots

A cyber catastrophe hitting the insurance and reinsurance market can be defined in a similar way to a more traditional property catastrophe: a high number of individual claims, all from the same cause, occurring in a relatively short amount of time, and inflicting a large shock loss on the (re)insurance market. Such an event hasn’t happened yet, but 2017’s WannaCry and NotPetya ransomware incidents dished up a preview of what a cyber-attack can do by hitting multiple industry sectors, in multiple geographies, and organisations of all sizes. On both occasions, the low penetration of cyber insurance in the areas and businesses they hit meant insured losses were low. However, there are several factors at work that could result in a market-changing Hurricane Andrew or Katrina level event for cyber.

A rapidly evolving risk

The most obvious change is how the cyber risk itself is rapidly evolving. The world now relies on digital infrastructure and resources are becoming increasingly interconnected, which means the potential for a large systemic disruption is also growing.

In insurance, the cyber market is expanding quickly as more businesses respond to the risk and buy cyber insurance. The Hiscox Cyber Readiness Report 2019 shows that the uptake of dedicated cyber insurance is on the rise with 41% of [respondents] saying their firm has cyber insurance – up from 33% a year ago – and a further 30% saying they are planning to buy cyber insurance in the next 12 months.

In addition, higher limits and the widening of terms and conditions in areas like contingent business interruption and supply chain failure means the overall amount of systemic cyber risk shouldered by the insurance market is growing at a rapid rate.

Known unknown

There is also the ‘known unknown’ issue of non-affirmative cyber – or silent cyber – sitting on insurers’ and reinsurers’ books as a result of inadequately worded contracts in traditional property and casualty insurance products. While some insurers have begun the process of updating their policies, many contract wordings in circulation have not yet caught up with the risk despite the efforts of regulators and ratings agencies mandating carriers to quantify and qualify their non-affirmative cyber risk.

Given the cyber threat, how then should the (re)insurance market respond to ensure it can deal with a cyber catastrophe in the same way that it deals so effectively with more traditional catastrophe events?

The first area to look at is product development. It's the reinsurer’s job to help insurers efficiently manage and transfer their cyber risk but, in many cases, program structures are not fit for purpose. For example, many cedants only protect themselves with proportional reinsurance. These structures work well for lines where loss ratios stay relatively stable but for cat lines where there is significant volatility, they are less effective. In these scenarios, the insurers end up ceding away huge amounts of profit in years where the loss ratio is very low but their net loss ratio will not be capped in the bad years. Encouraging insurers to purchase their cyber reinsurance on a non-proportional basis allows the cedant to retain their profit in good years while protecting them against tail risk in the bad.

For classes of business that are volatile and catastrophic in nature – as with cyber – a normal attritional year should deliver quite a low loss ratio, but the reverse in a bad year. By using a proportional structure, in a good year the insurer will end up ceding away a lot of profit and will have no cap to its net loss in a bad year. Additionally, proportional structures are ill-suited to effectively deal with non-affirmative cyber as there is not a stand-alone subject portfolio to cede to reinsurers. Just the prevalence of proportional versus non-proportional reinsurance covers alone shows there is a lag in the structuring of reinsurance to match the evolving needs of the insurer.

Get the product right

There are signs, though, that the reinsurance industry is beginning to recognise the catastrophic nature of cyber, following a recent uptick in the number of standalone non-proportional structures it is offering, and cyber being carved out of composite professional liability or general casualty covers. There is also the emergence of tailor-made structures for the immediate and evolving needs of cedants, including cyber stop loss, risk excess, and cyber industry loss warranties (ILW). Hiscox launched the industry’s first cyber ILW product last year, which responds to an aggregation of cyber losses throughout the year and helps address the uncertainty around cyber tail risk for (re)insurers.

On the non-affirmative side, insurers are also engaging with brokers and reinsurers to develop non-affirmative cyber solutions. It’s an iterative process that demands more collaboration than traditional reinsurance placements. First, the exposure needs to be identified, qualified and quantified. Then a plan to ‘affirmatise’ the exposure (adding specific cyber wording to policies or specifically excluding it) needs to be drawn up. Following this step, bespoke reinsurance treaties need to be created to support the insurer through this transition.

Capacity demands

All this extra risk needs more capacity in the reinsurance market and a big challenge will be how reinsurers scale up to meet the demand, particularly given the constraints on capital efficiency. On the property side for example, a reinsurer can underwrite more limit relative to the amount of capital it holds thanks to risk diversification. For example, since Florida wind exposure will not clash with Japanese earthquake, a reinsurer can leverage its capital within its portfolio. On the cyber side, it is much more difficult at the moment to diversify the portfolio in that way because the zones of aggregation are less clear.

In the near term, creating more capital-efficient products is essential to keep up with capacity demands. Having a suite of differentiated products available that don’t clash is a prerequisite for continued sustainable growth of the market. This ability to diversify within a cyber portfolio not only paves the way for growth, it helps ensure coverage remains affordable for clients. Crucially, this also creates a market able to cater to different risk appetites, which in turn attracts more participants to the class, which in turn enables further growth.

This need for capital provides an obvious opportunity for ILS investors. Although it's a new horizon for ILS, as modelling capabilities increase and the structural elements fall into place, cyber risk is beginning to align more closely with ILS investors’ risk appetite. It is still early days though and, amongst some ILS capital providers, there is still an aversion to the unknown nature of cyber and the potential correlation it may have with other capital markets. Despite that, cyber is gaining traction within the ILS market and is likely to be an attractive area for investors in the longer term.

Sooner rather than later

The imperative, however, is that the market responds quickly. If a major cyber event occurs in the near future, before silent cyber has been dealt with appropriately, and while reinsurance programs are still being structured without an appropriate appreciation of cyber cat risk, the severity, or quantum, of the potential loss will catch people off guard.

This is a collective issue that will require the entire market to address. This begins with a deeper understanding of the evolving cyber risk present in the world, addressing the shortcomings of wording currently used in the market, structuring reinsurance programs that will ensure resilience against catastrophic events, and creating products that foster a sustainable and scalable market in the long run.
