The cyber re/insurance protection gap provides an opportunity for insurance-linked securities (ILS) investors, which historically have filled the gaps where traditional capital has either retrenched or is unavailable, according to a report published by S&P Global Ratings.
“The demand for protection from cyber risk is increasing, but the capacity offered by the re/insurance sector is not growing at the same pace, leading to significant policy rate rises and a protection gap,” said the report titled “Cyber Risk in a New Era: The Future For Insurance-Linked Securities In The Cyber Market Looks Uncertain.”
This protection gap could provide an opening for ILS investors to gain a foothold with cyber risks, in the same way they did with natural catastrophe risks after Hurricane Andrew in 1992, said the report, noting, however, that cyber risks, to date, disincentivize more than incentivize ILS investors.
Indeed, most investors have no appetite for cyber risks, which S&P attributed “to the substantial accumulation risk, the potential positive correlation between cyber attacks and the financial markets, and the complexity and heterogeneity of cyber risks.”
In addition, cyber modeling is still in its infancy and is many years behind natural catastrophe modeling, said S&P, noting that, as a result, cyber models are less reliable.
The report said that natural catastrophe risks continue to dominate ILS with natural catastrophe risks representing 94.03 percent of the deals, health care at 2.10 percent, operational risk at 1.21 percent, life embedded value at 1.08 percent, financial guarantee risks at 0.66 percent, extreme mortality at 0.58 percent and terrorism risk at 0.34 percent. (S&P provided these figures which were sourced from Artemis.)
Cyber ILS Accumulation Risks
Discussing the problem of accumulation risks for cyber ILS, S&P said non-affirmative, or silent cyber, risk exposures already exist in ILS transactions, as cyber events can lead to claims in other lines of business, such as property and liability insurance.
Around 90 percent of ILS fund managers are concerned about the potential for silent cyber exposure within their funds, said S&P, quoting PCS, a Verisk business and provider of catastrophe data.
“Since silent cyber claims can have a detrimental impact on other insurance lines of business, ILS funds with exposure to operational or property risk already carry the costs of silent cyber risk,” the report went on to say.
“Currently, there are no affirmative (explicit) cyber catastrophe bonds or sidecars outstanding, but there have been some small cyber-related ILS transactions in the form of collateralized reinsurance from some of the Bermuda-based ILS carriers,” S&P said.
How to Increase Investor Appetite
“One way of attracting more ILS investors to the cyber insurance space could be to offer simplified transactions with only one clearly defined cyber peril, to help them better understand the underlying risk and quantify their exposure to it,” the report said.
ILS structures that focus on clearly defined cyber events would help to separate cyber from property risks, S&P explained. While a clear separation would not directly solve the issue of silent cyber, it would “highlight the need for clear and robust cyber risk exclusions further down the re/insurance value chain to prevent silent cyber claims,” the report said.
“Furthermore, it could encourage clearer inclusions and exclusions of perils within cyber insurance contracts, thereby improving transparency, potentially for ILS investors as well.”
Another way to incentivize ILS investors would be “to focus on simplified and affirmative cyber transactions with clear peril definitions and establish ILW [industry loss warranties] products that have a cyber industry loss index trigger,” the report explained. (See textbox.)
“This more cautious approach would help investors improve their understanding of cyber tail risk. Having more entry points for investors and opportunities for re/insurers to transfer specific and clearly defined risks to the capital market could help to sustain the cyber insurance value chain.”
The report can be accessed via S&P’s website.