In order to develop the next generation of cyber insurance – as a widely available, generally affordable mass market product – carriers must first solve long-term structural problems. We have identified three levers to achieve this:
- Mitigate individual risks through improved cyber security
- Right-size exposure, in particular to cyber disasters
- Expand access to capital for cyber underwriters
We covered the first of these – risk reduction through improved cyber security – earlier. Today, we are shifting from individual risks to risk portfolios and exploring the other two levers: right-sizing of exposures and expansion of insurance capital.
At present, cyber can cause very large losses, both through blown limits and through catastrophic events that envelop many policyholders at the same time. But if they can limit the losses and optimize the total capacity – right-size exposure, so to speak – insurance companies can dampen this dynamic. This in turn will increase access to the capital the line needs and permanently bring down market prices.
Limit claims costs through decisive incident response
Decisive early action when cyber disasters occur – just as with natural disasters – can help reduce large individual losses. So, how do insurance companies facilitate this?
First and foremost, through efficient payment, so that funds can immediately be put to work on containment. Some innovators such as Parametrix and Qomplx even take the parametric model to cyber, bypassing the claims / adjustment process completely to provide “bridging” liquidity well in advance of traditional processes.
In addition, insurers (and brokers) should integrate dedicated incident response services into their offering – giving customers access to specialist advice as soon as an incident is discovered.
Since many customers already pay for incident management regardless of any insurance, there is an alternative model that insurers can consider.
Rather than incorporating security offerings into insurance policies, they can bring insurance into a security offering. As previously discussed, cyber security and cyber insurance can be cost-effectively integrated into a managed security warehouse – and Managed Detection and Response (MDR), or Security Operations Center as a Service (SOCaaS), would be natural extensions to this and create further synergies.
In 2022, the global SOCaaS market stands at $450 million but will approach $700 million by 2025, driven by demand for specialist services in cyberforensics, compliance and crisis communication.
Right-size cyber exposure through smart capacity allocations
All initiatives to limit cyber claims are welcome. However, large individual losses are not the only difficult dynamic in play.
In the past, we have characterized cyber as an “unnatural disaster” – one which can cause the same devastation across an insurer’s book as a hurricane or earthquake but which is seemingly less straightforward to diversify.
However, it is easy to overestimate the problem of diversification in cyber.
A useful test case is found in recent discussions about the insurability of pandemics. With Covid-19, governments showed their power to close entire sectors and markets overnight – which could trigger claims for business interruption (BI) from all policyholders in the book. If Covid-19 represents the boundary case for diversification, where does cyber compare? Somewhat short, of course.
While cyber risk may not share NatCat’s seasonal rhythms, that does not mean that there are no rhythms that carriers can adjust to in order to balance their portfolios.
To begin with, cybercrime is really its own economy, where hackers opportunistically pivot between several attack paths – which means that not all cyber classes are necessarily correlated. A few years ago, the favored cyber-attack was a computer intrusion, but intrusions have since subsided in the face of a huge ransomware bubble. Now, in another twist, we see cases of “double extortion” combining ransoms with leaks.
Long-term data on the mechanics of the “cyber economy” are still limited – and making this useful for insurance is yet another bridge to cross. But it will certainly benefit insurers to break out cyber into its components – each as different from the next as floods, earthquakes and forest fires within NatCat. Each has a different loss profile, with consequences for pricing, diversification, exclusions and sub-limits.
Actuary vs. Hacktuary: facing the challenge of ransomware
Ransomware is much discussed in connection with exclusions and sub-limits. To compare the case with data breaches: here the loss is proportional to the size of the breach (e.g. the number of customers affected), which means that safe limits can be set based on the maximum breach size. Cyber ransom sums, meanwhile, can be arbitrarily high. Safe limits set for policies covering data breaches are therefore quickly maxed out by ransoms – if ransomware is added to the policy without further thought.
Obviously, it is possible to customize policies for ransomware – with higher premiums and more capital. However, protection is already expensive and capital is already limited. With such limitations on the risk the industry can take, a small reduction in ransomware exposure could potentially go a long way toward expanding other types of coverage and customer volumes as the industry strives for stable returns.
An additional challenge is hackers’ scope for smarter pricing, as “hacktuaries” look for the sweet spot at which to set ransoms. Especially as ransomware coverage becomes more widespread, average ransom demands can creep towards policy limits, demanding higher premiums and still higher limits – a vicious circle that only serves to fund hackers.
In response, some insurance companies have gone so far as to suspend ransomware payments. But any attempt to completely rule out ransomware is likely to meet with opposition from policyholders: in a recent survey by cyber insurers and brokers, coverage for “cyber blackmail / ransom” saw the largest appetite for higher limits and the lowest appetite for restrictions.
Select cyber aggregations through AI-driven portfolio analysis
Ultimately, there are no quick fixes to cyber diversification problems. Although you can play with the balance of cyber classes you have, the risks within each class will remain strongly correlated.
For example, successful ransomware attacks will always hit a high percentage of policyholders because of the ease with which hackers can copy and paste the same attack template. But over time, attack replicability may decrease as companies’ operating and security environments become increasingly adaptable – meaning that risks within the same class, such as ransomware, will eventually be deaggregated.
Much of this is speculative, so extensive portfolio analysis – probably AI-driven – will be required to truly understand where aggregation is taking place and what factors are really useful for achieving better diversification. Currently, about three quarters of cyber underwriters actively manage cyber aggregation.
Over time, portfolio analysis will see greater use and sophistication – as well as tighter integration in risk selection and pricing. In this way, insurance companies can optimize capacity allocation, reduce capital costs and thereby reduce prices for end customers.
We started this series by noting that cyber insurance as we know it is broken – with high prices that stifle scale and improvements in the line. The portfolio-level efforts described here – separation of individual cyber risks plus data-driven strategies for diversification – will do much to “break up” the line, especially if combined with improved cyber security to mitigate individual risks. This brings us to the last piece of the puzzle: insurance capital.
If you build it, the insurance capital will
At the heart of the tough cyber market is a lack of capital to write cyber risk – which represents a final frontier for market growth. So, how will this be resolved?
The bad news is that there is no quick fix to increase capacity: as long as cyber risk is seen as a speculative investment, insurers will struggle to grow their capital base. As with any prospect, the sector must prove that it really is of investment quality; only then will capital providers move cyber to the bread-and-butter part of their portfolios, with the larger and more regular allocations it entails.
The good news is that cyber will not remain a speculative investment indefinitely.
Everything we have discussed in this series – best-practice cyber security, rapid incident response, catastrophic exposure limits, aggregation management – brings us closer to a product that can deliver stable returns on a large scale. As with a jigsaw, solve the rest and the last piece falls into place by itself; fix cyber underwriting and capital will flow in.
Capital comes from many sources. Existing cyber (re)insurance companies, which have “cracked” the line, will write more deals. Similarly, carriers currently waiting in the wings – those with limited appetite for speculation, we might say – will feel better able to make their debut.
Given the potentially large amount of cyber risk waiting to be written, alternative capital is likely to play a role in meeting future demand. Transactions involving insurance-linked securities (ILS) have so far been rare in cyber, which largely reflects the speculative nature of the risk. But many things recommend cyber risks to external investors in the long run:
- Given low interest rates, cyber offers returns that are decoupled from the broader money markets, and potentially from existing Cat investments as well
- While traditional Cat risks can tie up investors’ capital for many years as claims develop, cyber is shorter – allowing investors to move in and out with relative ease
The hard market returns offered today will continue to spur financial invention. In the coming years, we may even see Cyber Cat Bonds – provided the market can develop acceptable ways to rate them. At the same time, sidecar-like structures are already being experimented with by a handful of large carriers.
In the short term, carriers must take a pragmatic approach to scaling the line. It’s not just about milking today’s harsh conditions; nor is it about getting to the bottom of all the world’s cyber problems. By pulling the levers discussed here, insurance companies can build a functioning cyber market from the ground up: increase the number of customers with some cyber protection, scale up underlines and eventually arrive at a series of mass market products.
We hope you enjoyed this series – for more information, download our cyber insurance report. Contact us if you want to discuss any of the ideas we have covered further.