The risk of cyber attacks is one of the few risks where the demand for insurance exceeds the supply. Despite the apparent opportunity, many traditional and alternative reinsurers have been reluctant to embrace this line of business. In this interview, Tom Johansmeyer of PCS explains how its new cyber index could enable a new class of transparent cyber transactions.
Does appetite for cyber risk exist among capital market investors?
Yes, although that appetite is still evolving. Some ILS funds are ready to trade now. Others just don’t want to go first—but do want access to cyber risk. And then you have the folks taking a ‘watch and wait’ strategy, along with a handful who’ve decided they’ll avoid cyber like the plague. Of this last group, I believe they’ll eventually change their minds—when cyber becomes a massive and unavoidable reality. That’s still pretty far off, though.
In the near term, the funds interested in cyber have indicated a preference for ILWs, as you saw recently with Hiscox’s announcement of cyber ILW capacity using the PCS® Global Cyber loss index. It provides an easier way to access what’s still an emerging risk.
What needs to be in place to structure products that would transfer cyber risk?
The lack of an independent, credible industry loss index was probably the greatest barrier to market development—and we’ve addressed that issue. Additionally, there are plenty of modelling tools now available, in addition to the proprietary models that risk bearers have developed. To make progress now, it’s a matter of putting the pieces together and trading. And that’s starting to happen. The rest, frankly, will come from market need. As demand for capacity increases at every link in the risk and capital supply chain, risk bearers will find a way to make it all work.
How does an index help this process?
The use of an industry loss index could help the ILS market consume cyber risk in several ways. First, it makes the process of analysis and administration far easier. An underwriter just needs to understand how PCS Global Cyber works. He or she needn’t delve into the complexity of the underlying book of business. And if triggered, the claim process is smooth and, again, not tied to the underlying loss events (since PCS can publish a final estimate long before the underlying claims are settled).
Potentially more important, though, is the fact that industry loss index trading can help cedants protect their proprietary information. For retrocessional trades, a reinsurer would have to reveal its positions to competitors, which is particularly challenging in a market as small as cyber is these days.
Using an ILW, the cedant’s risk doesn’t factor into the discussion. The protection seller simply has to understand the PCS Global Cyber process and analyse the likelihood of triggering based on the structure of the ILW. The cedant can protect its proprietary information. The ability to provide some degree of opacity could help drive early trading, which will be crucial to the evolution of what should become a robust market.
Why does cyber have the potential to be a catastrophe class of business?
Cyber is interesting because it has risk loss characteristics and catastrophe loss characteristics. Right now, PCS Global Cyber focuses on risk losses of at least $20 million. You’ll find industry loss estimates for the likes of Merck and Equifax (along with Primera and Nuance Communications) in there.
But we’re working on expanding that to include cyber catastrophe loss estimates—with a catastrophe being several insurers and insureds affected by a single event (more event definition context is currently in development). That’s because we’ve seen the potential for catastrophe scenarios with significant insured loss potential, even if that potential hasn’t been actualised yet.
Even when you include silent cyber, though, there isn’t much loss history to examine for cyber catastrophe events. The PCS team is evaluating Petya/NotPetya right now and developing a cyber catastrophe loss estimate that accounts for both affirmative and silent cyber.
Going forward, cyber catastrophe risk will become increasingly important, particularly as the industry wraps its collective head around silent cyber, along with an increase in market adoption for affirmative cyber. We’re keeping an eye on cyber attacks on centralised service providers, which could wind up resulting in insured losses for their clients. The Dyn event from 2016 is of this ilk, as was the recent [24]7.ai event that affected Delta Air Lines, Sears, and Best Buy, among others.
What’s the potential for an insured to go to the capital markets directly—versus insurers looking to offset their peak risk?
For the past few years especially, there’s been plenty of discussion about original insureds going straight to the capital markets for protection in the catastrophe space. We’ve seen some experimentation, but serious traction has been elusive. From what I’ve seen, at least, pricing is usually the problem. Conceptually, it could work—for property-catastrophe risk and cyber. Execution will simply come down to whether the pricing works out.
What does set cyber apart from property-catastrophe risks (and other risks) for original insureds is that pressure could be coming on the entire cyber risk and capital supply chain. From retrocession straight down to the programme for the original insured, a capacity crunch is not an unrealistic expectation. That could have implications for corporates, which could cause them to hunt around for direct capacity. Whether that’s consistent with the objectives of capital markets capacity providers, though, remains to be seen.
Right now, the future is yet to be defined. The cyber insurance sector is still very new, and there’s plenty of potential. The needs of cedants and original insureds will decide the course we ultimately take.
Posted: Monday, August 6th, 2018