Hazards multiply along the cyber highway
Deep fakes and quantum computing are adding to the multiple risk issues confronting cyber risk insurers
Risk carriers and brokers have so far proved equal to a fast moving, complex cyber threat environment, continuing to protect businesses with technical advice and affordable cover. But as the black hats redouble their efforts, diversifying into new areas, can the insurance market stay strong and responsive?
At the same time as insurers are grappling with the headline issue of ransomware (for more on this see our article on the changing face of cyber ransom), the wider cyber risk landscape keeps on changing.
Tom Quy, cyber practice leader at reinsurance broker Acrisure Re, says: “We have seen data from our clients [indicating] that there’s been a move away from extortion by some groups towards financial crime, such as phishing and business email compromise or manipulation. It is lower value but it provides the cyber criminal with eg 250k in fiat currency as opposed to bitcoin.” One reason for the shift could be sanctions on crypto exchanges making it harder to move crypto currency to hard cash.
Highly evolved hackers are starting to exploit AI and machine learning, according to Shay Simkin, Tel Aviv based global head of cyber at Howden. “Deep fake is one example. Microsoft’s AI program can clone a person’s voice from a three second audio clip. It puts a big question mark on our concept of trust if we don’t know whether we are speaking to the real person! Trust is one of the biggest issues facing insurers in the future.”
Supply chain security and the role of state actors is another emerging problem, Simkin warns: “War exclusions are the most cited defence for insurers, but it’s increasingly apparent that attribution is a problem with such cyber attacks.” Governments in Costa Rica and, more recently, Italy have been attacked.
Jennifer Braney, cyber specialist broker at Gallagher Re, concurs, adding: “In light of the current geopolitical landscape, there has been a lot of discussion in the cyber market about the confluence of political and cyber risks, war exclusions, and risk appetite in terms of writing back elements of state-sponsored attacks. We need to consider the impact of this exposure to non-cyber lines where cover is either affirmed or non-affirmed. The impact of cyber in non-cyber lines also needs to be considered as ‘cyber-as-a-peril’ grows.”
Ingo Trede, European head of cyber underwriting at Alta Signa, thinks the market needs to watch the implementation of EU GDPR into local laws: “As of now, data-breach-based claims do not have the same devastating potential in Europe as they do under US laws, which include redress mechanisms that can see claims quickly escalate. We see incidents with data breaches suffered by clients being transparently reported to the regional authorities, but for now in many cases remaining unsanctioned or without pecuniary effects. And even when sanctions are imposed, they remain mostly an exposure to the primary market.”
In relation to data privacy penalties and claims from insureds, insurers should monitor the ever present risk of data theft, according to Simon Basham, head of cyber broking at WTW: “Due to the nature of such claims, they will not materialise immediately in the wake of a cyber incident in the same way incident response, ransom payments and business interruption costs do; however, this does not mean the costs associated with such liabilities should not be taken into account by insurers from an exposure assessment and pricing perspective.”
Looking into the future, insurers should start thinking about the introduction of quantum computing (QC) tools, according to Dan Trueman, head of cyber and technology at global insurer AXIS: “In terms of what the defenders are doing while QC is on the distant horizon, companies like Google are applying post quantum cryptography (PQC) to protect data from the long-term risks posed by QC computers – like encrypted data being stolen now and decrypted later.
“NIST [the National Institute of Standards and Technology at the U.S. Department of Commerce] is running a process to identify PQC algorithms, with standards expected in 2024. The private sector isn’t the only mover – a US Government Memorandum published in November 2022 outlined a process for federal agencies to implement PQC.”
Enter cyber ILS
The launch of cyber cat bonds earlier this year by Beazley and then Hannover Re looks set to tilt the overall capacity supply/demand balance. Hannover Re did a $100m proportional reinsurance deal with Stone Ridge while Beazley’s $45m transaction, brokered by Gallagher Securities, was supported by a panel of investors including Fermat Capital.
Gallagher Re’s Jennifer Braney said: “In simple terms, there is not enough rated reinsurance capacity in the market to support the growth in cyber. It was a matter of when, not if, ILS capacity would become involved in the market. We were involved in bringing the first cyber cat bond to market this year, evidencing our commitment and belief in this. There is increasing interest in this space, and we are bullish on the growth prospects.”
Alta Signa’s Ingo Trede says that under Solvency II, cyber insurance risk related capital requirements remain significant, and as such ILS presents an attractive additional tool to help lighten the load on the balance sheet. “Our judgement would be that if there is a price advantage over traditional reinsurance, ILS would gain in traction - but more detail is needed. Hopefully public placements will follow and help increase available information.
“Ultimately, ILS markets help to increase the aggregate insurance capacity available for cyber insurance and help insurance provide a more valuable solution to cover cyber risk… However, it is also worth noting that ILS capacity impacts competitive dynamics. For instance, it helps the traditional cyber market leaders to increase their line size, and squeeze out potential competition, without putting at risk their own capital base. Another potential downside is the short-term nature of ILS capacity. It can re-allocate its capital commitment elsewhere very easily, if returns fail to materialise - something a traditional (re-)insurance company can't do.”
Acrisure Re’s Tom Quy is more optimistic: “Beazley have defined their specific areas of loss and picked events that are really ‘out in the tail’ – such as a very long cloud provider outage. They’ve introduced the idea of quantifying and ringfencing cat coverage to help develop the market in the ILS sector.” He acknowledges that there are proposals to produce an industry wide definition of cyber catastrophe, but the success of the ILS deals is an encouraging start.
“For the ILS part, we believe investors will welcome the diversifying effect (in relation to property cat) of short tail cyber risk in their portfolios,” Quy adds.
AXIS’ cyber head Dan Trueman says access to capital is a necessary fuel for growing cyber insurance, especially in light of systemic risk exposure concerns. “The ILS market is a logical development in how cyber insurers may wish to access additional capital and diversify their capital support away from the traditional reinsurance marketplace. It is highly likely that this will continue to ‘scale’ over the medium term.”
Matt Harrison, director of cyber product management at RMS, says that cyber is viewed as a catastrophe exposed class in need of substantial reinsurance and, while the market is growing, demand far outstrips supply: “It’s been argued that if cyber grows to its full potential, there may not be enough reinsurance capacity to meet demand, necessitating capital from alternative sources.
“This gap presents an opportunity for cyber ILS, but it’s still in its nascent stages. We expect it to grow, but understanding of cyber ILS is relatively limited at this stage. As the market grows, cyber ILS will most likely become a better and cheaper product, but it requires increased understanding to be able to get the solutions right.”
Meanwhile, cedants are adapting their traditional reinsurance arrangements, Tom Quy says: “Broadly speaking, cedants are looking at, or moving more towards, excess of loss placements, as the cyber class matures. The stop loss market has become quite expensive and benefitted from the underlying remediation of cedants’ books. As a result, there is a lot of work going into better defining event specific covers as a potential solution to both pricing levels and limited availability of limits.”
Systemic cyber spectre
With big attacks like NotPetya and WannaCry still fresh in their memories and the growing role of states in cyber attacks, reinsurers’ minds are inevitably concentrated on the potential for a systemic event.
RMS’s Matt Harrison says fear around cyber catastrophe has hindered its progress since the market began: “Is the industry prepared? The answer is complicated. Most decisions are being made assuming that there is a systemic risk, but as such an event hasn’t occurred before, the industry may not be fully prepared. However, reinsurance penetration for cyber is larger than almost any other class of business because of that assumption that a systemic risk is there, so in a way it is prepared.”
Acrisure Re’s Tom Quy says people tend to draw comparisons between cyber catastrophe and property catastrophe: “But it’s important to remember that cyber risk is fundamentally a manmade peril and so it’s within our gift to develop strategies, software and controls to reduce the potential impact of these events. And when they do happen, remediation efforts can be deployed at speed and often at low cost. You can’t do that as easily with natural disasters.”
The market is making ready, according to Jennifer Braney, Gallagher Re: “For the cyber affirmative side, there is extensive investment into modelling by third parties, intermediaries and (re)insurers and the models certainly evidence the potential tail risk. The market is making an effort on coverage and underwriting and governments are working with the industry to consider state-backed solutions.”
Dan Trueman, AXIS, says that a crucial step is to give customers greater contract certainty within policy wordings where there is no intention to cover cyber risk and to therefore ensure it has been affirmatively excluded from these policies: “This moves what was potentially non-affirmative, silent or even hidden cyber exposures off these policies and potentially offers them up to the affirmative cyber market where pricing and underwriting expertise is more aligned.
“Major carriers in the affirmative specialist cyber market have thus been further refining models to more clearly understand the exposures being taken on. This is a material journey and will continue for as long as there is cyber risk.”
A big investment from insurers and reinsurers to achieve clarity of coverage concerning systemic events led to model clauses being provided to Lloyd’s syndicates that write cyber insurance, says WTW’s Simon Basham. “If insureds’ desire is that the cyber insurance market remains here for the long term, it is critical that they engage in constructive discussions with their cyber insurance brokers to understand the options available to them concerning systemic risk clauses, so they can make informed decisions regarding the cyber insurance placement.”