Insurance-linked securities and cyber risk

Insurance-linked securities (ILS) are a way to access additionalfinancial protection outside the traditional insurance andreinsurance providers, typically through capital markets. ILS aremost commonly associated with catastrophe bonds providingreinsurance cover in the event of significant natural catastrophes.

Cyber risk is one of the most discussed new areas of risk forthe insurance industry to address. As a relatively new exposure,the development of cyber insurance solutions presents a range ofchallenges, including specific challenges for those seeking tooffer ILS solutions.

Catastrophe risks and ILS

ILS have made considerable progress within the catastrophe reinsurance market, in part becausethere is a degree of consensus on the way in which the risks can bemodelled. This level of consensus has arisen as data relating topast catastrophes has been analysed and knowledge shared across themarket. Therefore, investors in ILS can have some comfortin the pricing of ILS and the assessment of potential risks andreturns.

While the chance of a natural catastrophe is uncertain, it ispossible to analyse the available data on past claims and events todevelop an informed estimate of that likelihood. The risk of anearthquake or flood is likely to be highly correlated with pastexperience for a specific geographic area.

The nature of losses is also likely to beconsistent, with property damage a prime issue. The risk ofsuch losses will be closely linked to known perils such as floodsor windstorms.

Of course factors such as global warming, or the decision tobuild on flood-prone areas can influence potentialoutcomes. However, such issues are regularly discussedand broadly understood, and investors appear to have becomecomfortable with backing ILS structures based on existingmodels.

Challenges for cyber risk

In contrast, cyber risk poses a number of challenges indeveloping an agreed approach to assessing the risk.

Firstly, cyber risk is not a clearly defined term. It is, infact, a term covering a number of related risks including:

|
- |
  - |
    - |
      - Third party liability for loss or exposure of data;
      - Notification costs (to let those affected know of a databreach);
      - Impact on call centres;
      - Data loss; and
      - Restoration.

This list is not exhaustive, and different insurers may coverdifferent mixtures of risks, requiring a variety of concurrentmodelling approaches.

Secondly, the trigger for cyber claims is very different.The existence of a natural catastrophe is likely to gather muchpublicity so the existence and scope of the event is publicknowledge. Cyber risks are often related to malicious or criminalintent to steal data. Such events may become public but it iswidely believed that many organisations prefer not to go public(and make others aware of their vulnerability) when confrontingcyber incidents.

The risk of an incident is part of an ongoing struggle betweenthose seeking access to systems with criminal intent and theeffectiveness of systems and staff to manage these risks. Suchclaims can become more frequent if new means of hacking becomeavailable or less frequent if system protections are readilyupdated.

Thirdly, insurers need to assess to what extent companies andindividuals should be protected if they have neglected basicprecautions such as (regularly updated) anti-virussoftware. Underwriters currently seek such information onparticular policies but it is difficult to develop an ILS productwhich responds at an aggregate level to risks which may be stronglydependent on the actions and cultures of different organisations.

Cyber breach claims may become more frequent as new means ofhacking become available, or less frequent as system protectionsare readily updated. (Photo: iStock)

Will the ILS industry rise to thechallenge?

As noted above there are significant challenges in developingstandard products suitable for an ILS approach. However, mucheffort is likely to go into trying to develop solutions includingILS because the potential market is very large. Virtually all organisations have some exposure tocyber risk and the costs of claims could be extensive. If mostorganisations can be convinced that appropriate insurance covershould be part of the process for managing this risk, the potentialpremium could be significant.

Education, education, education

A key initial task will be to educate the various partiesinvolved in ILS structures of the nature of cyber risk and thepotential benefits of offering a product.

The potentially large premiums remain likely to compelinterest. One estimate of the market was that pure cyberrisk premiums amounted to $2.5 billion in 2016 (an increase of 35%on the prior year). Some elements of cyber risk are alsolikely to be covered in other policy classes.

Nevertheless, key market participants may be less thanenthusiastic to share details of their experience which they mayview as commercially sensitive. The absence of publiclyavailable data and the non-standard nature of cyber insuranceproducts mean the growth of an ILS market will remainchallenging.

Public claims may drive change

While details of some claims remain confidential there are otherdata breaches that inevitably become well known due to their scale.As such incidents are published the appetite for insurance to coverthe risk may increase.

If large claims emerge then insurers will need to seekreinsurance support. This is likely to drive exchanges ofinformation as reinsurers try to assess their potentialexposures. It is at this stage that opportunities for ILSstructures may be more likely to emerge.

Even if risks remain to some extent non-standard, it may bepossible to analyse risks by exposure to particular hardware orsoftware. The status of third party providers may alsohave an impact, as their own security and risk management practicesmay have downstream implications.

Informally or formally underwriters may start to agree on keyissues that will contribute to the assessment of risk to specificorganisations.

Legislation

The new EU legislation on data protection (GDPR) is alreadyhaving a profound impact on organisations as they seek to ensurecompliance. This will drive an awareness of the risksinherent in holding personal data and consideration of means tomanage those risks, including insurance.

The level of risks will also increase as the costs in potentialfines and compensation have to be factored into businessdecisions.

Outlook

At this stage it remains challenging to develop ILS solutions asthe cyber risk market remains relatively new. Underwriters are likely to have differing views on the potentialfor claims and there are no widely agreed ways to quantify therisks involved. Furthermore, the nature of cyber riskremains diverse and will need more rigorous definition.

However, I am optimistic that these issues can be addressed overtime. The ILS industry has shown its willingness to innovateoutside natural catastrophe risk, including insuring large lotterypay-outs.

As with natural catastrophes, the costs involved in major databreaches can be high and legislation means that the risks areincreasing. Therefore, insurers and reinsurers will need access tocapital to back these risks. I would anticipate thatsolutions will gradually emerge and that ILS will play a role insupporting these solutions.

PE170157.2

Ian Morris is an actuary and a Partner of the BWCI Group andleads their Insurance Services team. He can be reached by sendingemail to [email protected].

Top 10 U.S. reinsurance companies

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

All PropertyCasualty360.com news coverage, best practices, and in-depth analysis.
Educational webcasts, resources from industry leaders, and informative newsletters.
Other award-winning websites including BenefitsPRO.com and ThinkAdvisor.com.

NOT FOR REPRINT