With cyber risk capital currently constrained, the insurance sector will ultimately need to look to the alternative capital markets if it is going to address the significant peak risks in this class of business.
More clarity around cyber exposures is the key to unlocking ILS capacity and tackling peak risks in this volatile class of business, writes Jose Seara, CEO and Founder of DeNexus, a provider of cyber risk modeling for industrial organizations, global insurers and reinsurers and insurance-linked securities investors.
In order to attract more capital into the primary market, and to leverage growing investor interest in ILS market support for cyber insurance and reinsurance, there will need to be much greater clarity around client exposures and industry loss data.
Cyber volatility driving capacity crunch
Cyber loss activity has dramatically exceeded market expectations over the past few years, largely driven by ransomware losses, and this loss volatility has dissuaded new capital from entering the market.
Insurers urgently need to estimate loss costs more accurately to stabilize the pricing of cyber insurance. With insufficient new capital entering the marketplace, and a finite amount of existing capacity to address current risk levels, there is little prospect for insureds of a softening market in the near future.
As a consequence of these dynamics, cyber reinsurance renewals at January 1 proved difficult, as insurers were already wrestling with concerns about the short-term underwriting profitability of the class and their potential exposure to systemic risk. Indications are that a hard market for cyber insurance will endure throughout 2022 and probably into next year.
Potential investors are reluctant to commit capital to the cyber market until the current level of data on insureds’ risk profiles is improved. While carriers continue to issue detailed underwriting questionnaires to clients, these only give a point-in-time, “outside-in” indication of the maturity of an insured’s cybersecurity. In such a rapidly evolving class, even the most resilient client’s exposure can change very quickly as the cyber-attack surface shifts.
If underwriters feel they don’t have sufficient knowledge about cyber risk to be able to price it properly, it understandably makes them reluctant to accept the risk. However, given that insureds hold the data about their exposures, and carriers have the knowledge to assess, manage and underwrite the risks, as well as offering crisis management services, there is clear potential for evolving current cyber solutions to address the problems of both parties to the risk.
In order to get a clearer picture of an insured’s cyber exposures, carriers really need to get inside the firewall, to get a real-time view of the risk. Inside-out, evidence-based data is key to understanding vulnerabilities and the control systems in place.
As business becomes increasingly digitalized, underwriters face a challenge in getting close enough to the risk to be able to price it in a meaningful way, and to allocate their limited capacity to the most attractive risks.
Greater visibility of an insured’s cyber exposures means being able to see the nature of the risks in their processes and to quantify the issues those processes generate. With the growth of the Internet of Things and data-rich devices in Edge-based cloud environments, underwriters need to know the configuration state of those devices to understand the quality of the risk and get a level of assurance about how control frameworks are being applied. This raises important questions about how technology could be used to take on some of that burden, through innovations such as zero trust architectures.
Zero Trust Architecture shifts the emphasis of cyber defense from static network perimeters to focus upon users, assets and compute resources. It is an essential evolution for security in cloud-enabled environments. Particularly relevant to industrial and synthesized IT (Information Technology, common in corporate environments) and OT (Operational Technology, common in industrial environments) environments, it assumes no implicit trust for resources, devices, identities or user accounts based solely on their network location or on who owns the asset. Instead, authentication and authorization are performed on both the device and the subject before a connection is permitted.
In short, the idea is to prove compliance before connection. This is particularly important when relying on third-party cloud services.
Appetite tempered by downside risks
Despite the current constraints in cyber insurance and reinsurance capacity, there is still a strong appetite across the industry to continue providing solutions for this class of business, albeit tempered by caution about the downside risks.
According to confidential sources, more than half of all cyber market premium is currently ceded to reinsurers. This indicates the direct market is still on a learning curve, and is wary of large systemic events and aggregation of losses.
Understanding and modeling those peak scenarios is the key to unlocking more cyber insurance capacity. Both insurers and reinsurers need to better understand how losses correlate, in order to develop a higher level of sophistication in their modelling.
In the meantime, there has been significant remediation action by cyber insurers to realign portfolios and create conditions for sustainable growth in the class, including the purging of suboptimal risks. This is viewed as a highly positive development by reinsurers, who now have an increased level of confidence that their clients’ portfolios contain better quality risks with reduced volatility.
However, the likely development of ransomware trends is difficult to gauge, as the industry’s understanding of probable maximum losses from ransomware can take two or three years to develop.
A role for alternative capital
While the insurance market has continued to innovate with cyber solutions, taking the product beyond straightforward risk transfer to encompass breach response services and risk mitigation, the traditional model still isn’t working for peak risk scenarios.
In the property market, risks are routinely transferred to the ILS markets and it seems likely that a parallel role for alternative capital could develop for cyber risks. However, any alternative market solution needs to be at sufficient scale to fill the risk gap, with greater retrocession capacity required by reinsurers to expand their own risk appetite and share risks with the ILS marketplace around peak accumulation scenarios.
There is an accompanying desire in the alternative capital markets to find instruments with better returns, and with potential returns on cyber risks having improved in the past 18 months from a rate-on-line of around 3 percent to 10 percent and above, the class has become a more meaningful prospect for ILS investors.
However, before that prospect can be translated into meaningful capacity, a much greater level of formality around the provision of industry loss data is needed to bring alternative capital providers into the market, possibly through the use of industry loss warranties (ILWs).
That would involve having credible industry loss data with meaningful parameters that can trigger those instruments, with ILWs giving access through structured information and data to retrocession capital.
Lessons from InsurTech?
The ongoing monitoring of risks that InsurTechs offer is a good example of how underwriters can improve their understanding of cyber exposures and the risk management practices of insureds, but could also provide greater visibility of the risk to prospective capital providers.
However, while this approach may work well for smaller insureds who outsource their cybersecurity, it may prove more challenging to persuade mid-market and large corporate clients to allow insurers high-level access to their security protocols and controls.
The cyber underwriting community needs to develop a way of understanding the changing risks for these clients throughout the course of a policy year, to improve their modelling of the risks and give greater comfort to alternative capital providers.
If the insurance industry is able to evolve the cyber product beyond “outside-in” scanning technology, to obtaining a real-time, “inside-out” perspective of cyber risks, that could revolutionize how carriers look at the risk, moving from a qualitative approach to a more evidence-based, data-driven approach.