ILS on the horizon as cyber market becomes too big for reinsurers

The cyber insurance market is becoming too big for traditional (re)insurers and will be forced to look for alternative sources of capital, according to participants in an exclusive roundtable discussion hosted by CyberInsurer.com in Monte Carlo in collaboration with Guy Carpenter.

After two years of breakneck growth, demand for insurance remains strong but a scarcity of supply has driven triple-digit price increases and left some customers unable to find cover at any cost.

Panellists see a potential solution in Insurance-Linked Securities (ILS), a way of tapping capital markets for additional funds in return for taking on the risk normally covered by insurers.

"Reinsurers need to grow by twenty, thirty per cent every year just to meet demand," said Anthony Cordonnier, Global Co-Head of Cyber at reinsurance broker Guy Carpenter. "Perhaps they're not growing enough, so we need new entrants. ILS has a strong role to play because it brings in different forms of capital or different types of efficiencies, and will support the growth of the class going forward."

Despite much anticipation, there has yet to be a single cyber transaction in the public ILS market, though a handful of private collateralised reinsurance deals have been done between reinsurers and large investors. But panellists believe that the market is nearing a tipping point as it simply becomes too big for traditional reinsurers to handle by themselves.

"Something has to be done, because there's been a lot of growth in the market and a lot of insurers and reinsurers are up against their capacity limits," said John Coletti, Head of Cyber Reinsurance at Swiss Re. "We're at a bit of a logjam right now with capacity and I think it's frustrating, probably, on the buyer's side. The market at large really does need more capital to support the overall growth that we know is there. I don't think it's a risk that is going to be dominated by one or two or three reinsurers."

Munich Re has already said it expects its market share to shrink as the industry continues to boom.

All the same, panellists were unanimous in expecting a cautious reception from capital markets.

"There's an element of being in uncharted territory," said Cordonnier. We need to see buyers that are comfortable with what they're buying. It doesn't happen overnight. And there's a reason why it's not happened yet."

But he pointed to the conventional catastrophe bond market as an example of how the asset class could develop. Pioneered in the 1990s as a way to spread the risk caused by natural disasters and initially seen as highly experimental, cat bonds are now widely accepted.

Even so, a string of cat losses has hit investors in recent years and could make them more cautious about cyber.

"Talking to some of the managers and funds, there's a general weariness about the amount of cat that they've absorbed in other lines over the last five years," said Chris Methven, Chief Growth Officer at CyberCube, a cyber risk modelling firm. "But whilst cyber is going to be a small piece of the overall market for the foreseeable future, I think it's a really interesting one."

Part of the benefit of cat bonds is that they are largely uncorrelated to the performance of other asset classes. It remains unclear whether the same can be said of cyber.

"We would argue strongly that the correlation to other investment risks is overstated," said Methven. "But we can't prove it because there haven't been sufficient catastrophic incidents in the past."

In spite of these reservations, after triple-digit year-on-year increases in insurance prices, the returns on offer are starting to look very tempting to investors.

"The current price of reinsurance for the cyber line is such that it attracts alternatives," said Rotem Iram, CEO and co-founder of At-Bay, a young tech-focused insurance company. "Once you're starting to hit the mid teens in expected returns, this is where alternative capital providers start getting interested."

The process is bound to take time. There are many details to iron out in defining the triggers that would prompt a payout.

"It's not going to be perfect the first time it comes out," said Coletti. "But you're going to have to work on it and build out the details."

Once the first few transactions have gone through, investors will likely start to become more comfortable with the asset class.

"There's obviously a nervousness around the unknown," said Daniel Carr, Head of Cyber at Ariel Re. "Cyber is complex, it's uncertain. There's still a lot of skepticism, but equally, there's more willingness to lean into that and see if we can try to find a way to participate in the risk. ILS investors are very data-driven and very model-driven. There still remains uncertainty, but uncertainty isn't something that can't be priced or can't be managed."

At the same time, price rises are finally moderating.

"There wasn't going to be an opportunity for the market to continue to add triple digit rate increases year on year on year," said Erica Davis, Global Co-Head of Cyber at Guy Carpenter.

That will be a relief to customers, who were stung by unprecedented price hikes last year. But the market may now have found its level, after a repricing which reflected a new appreciation of the level of cyber risk.

"What we've got to guard against going forward is not necessarily the price but the volatility of the price," said Carr. "What we don't want to happen is in three years time you have the next wave of ransomware and all of a sudden you've got to triple rates again."

Much of the uncertainty is a function of the sheer newness of the sector.

"These loss/cost models are getting better, but they're not built on years of actuarially sound data," noted Coletti.

As insurers become more sophisticated in their approach to cyber, they are beginning to distinguish between everyday attacks and the risk of a much bigger disaster, such as a state-backed assault that takes out critical infrastructure.

Lloyd's of London sought to head off uncertainty last month by clarifying that state-backed attacks above a certain threshold should be excluded from insurance as acts of war.

"We hear cedants bifurcating the concept of non-catastrophic underwriting versus catastrophic underwriting," said Davis. "I think that was prompting some of the changes now being introduced to the market around systemic risk wordings, and that's a natural progression of the market - it shows maturity."

Still, the Lloyd's approach is controversial. Some insurers feel that their job is precisely to cover extreme scenarios.

"Can we exclude wars?" asked Iram. "Can we sublimate the risk? We would lose relevance, probably. We would just leave companies hanging."

If a true catastrophe did strike and insurers made good on their promises to clients, it would strengthen their credibility.

"I think a cyber catastrophe would prove the market more than anything else," said Carr. "If we're not covering that, I don't know what we're doing."

At the same time, insurers can work with customers to improve their security, heading off the worst losses.

"There's what I would call a misguided helplessness around cyber," said Iram. "There are things that we can do."

He points to aggressive measures to minimize exposure to notorious weak points in a system like Microsoft's Remote Desktop Protocol, which accounts for half of all ransomware attacks in the US. By focusing on these tractable problems, Iram said, At-Bay has cut ransomware attacks among its insureds to a fifth of the level in the rest of the market.

Complex and intimidating as it is, there is no doubt that cyber will only grow in importance.

"If you're not investing in cyber," said Coletti. "It will hurt you in the long run."