Will cyber bonds help reinsurers transfer risk?

Woman lamenting as two computer screens show her system has been hacked.

Can reinsurers transfer cyber risk to the capital markets? We may be close to finding out.

Recently, two announcements about the issuing of insurance-linked securities (ILS) show there’s a potential to create a broader reinsurance source for cyber risk, said a new report from Fitch Ratings.

“Capital markets solutions for cyber reinsurers present the potential for counterparty diversification and an opportunity to lessen ‘tail risk’ for a rapidly growing product line of property/casualty insurance,” Fitch said.

“Wider development of the cyber risk transfer market requires further maturation of the product, including greater standardization of coverage terms and policy language, price discovery and risk modelling applications.”

Gauging cyber risk is difficult because cybercriminals’ methods and ransom demands change frequently. “Challenges include a lack of widely accepted modelling tools and a limited data set of historical claims where past events are not necessarily indicative of future risks,” the report said.

And those uncertain risks have led to capacity issues and a hard market that’s lasted several years. During a recent Gallagher Talks session, Paige Cheasley, team leader and account executive of the knowledge-based economy division at Gallagher GPL, noted most insurers are capping coverage between $3-million and $5-million.

“We’re seeing exclusions for known [software] vulnerabilities [and] capacity restrictions as well,” she said. “We used to be able to get maybe a $10-million option, and those are very hard to come by now. Most insurers have kept their appetite at about $5 million, some even as low as $3 million, and they don’t want to quote any higher than that.”

The environment makes it harder for high-hazard industries to get quotes, Cheasley said. “It’s not that they’re not insurable….It’s just more challenging. The insurers have less of a broad appetite.”

See also  Project 190E: My Poor Choices Leave Me With A (Hopefully Temporarily) Dead Car

For example, breach costs at healthcare providers were around US$10 million in 2022; for cyber insurers, this has been the most expensive industry segment for 12 years running, according to Ponemon’s 2022 Cost of a Data Breach Report.

Financial services, meanwhile, are averaging US$5.97 million in cyber claims costs, followed by pharmaceuticals (US$5.01 million), technology (US$4.97 million) and energy (US$4.72 million).

While there have, in the past, been private deals to transfer cyber risk to investors, Fitch noted the new public securities issues are different. As such, they “may represent a stepping stone to broader market acceptance that provides insurance companies additional capital, lessens counterparty risk, and a future vehicle for cyber catastrophe coverage,” the ratings agency said.

The two deals (one bond and one quota share collateralized reinsurance deal) from Fermat Capital Management and Stone Ridge Asset Management, respectively, total US$145 million. Fitch noted that’s far smaller than the US$10 billion in cat bonds issued during 2022.

While cyber coverage accounted for less than 1% of almost US$800 billion in direct premium written (DPW) last year, report added it’s also the fastest growing product line (DPW jumped 73% to $4.8 billion in 2021).

“Significant rate increases by insurers in reaction to rising loss frequency and associated claims costs across the market fueled the increase in DPW,” said Fitch. “While rate increases are moderating, global broker Marsh reports cyber renewal rates increased by an average of 48% in 3Q22.”

With files from Alyssa DiSabatino

 

Feature image by iStock.com/AndreyPopov