On the future of cyber modelling - A Q&A with Gallagher Re’s head of cyber analytics

To what extent have cyber models improved over recent years, and can they be relied upon? Do they obviate the need for in-house expertise? And will recent improvements be enough to tempt insurance-linked securities (ILS) investors to participate? CyberInsurer.com caught up with Justyna Pikinska, head of cyber analytics at Gallagher Re, to explore all these questions, and more. An edited transcript of the conversation is below: 

Lorenzo Spoerry:
At the reinsurance rendez-vous in Monte Carlo I saw a tremendous amount of scepticism among the carriers there about their own understanding of cyber risk. How long until we get to a point where the industry feels it is getting to grips with the peril?

Justyna Pikinska:  
Right now, the industry is growing at an exponential rate and in order to facilitate that growth, we need stable models and stable tools to help us with pricing risk aggregation and capital-setting. But, like you say, there is some scepticism around model output. There are many differences between models, especially how they approach modelling and how they define an event, how they define a systemic risk. There are lots of industry initiatives, led for example by Lloyd’s or by the Prudential Regulatory Authority, to bring more consistency to the market, but in a fast-paced environment like cyber, it’s extremely challenging.

CyberInsurer.com: 
Given the ever-changing nature of the risk, does that not mean that cyber modelling is always significantly lagging behind the curve, or is that the wrong way of thinking about it?

Justyna Pikinska:
To some extent, we will always be looking in the rearview mirror. But that applies to any class of business. In cyber, definitely, it i's more relevant than in any other class. Yet if you think about terrorism, it's also looking in the rear-view mirror. If you look at offshore energy, it's also a very volatile class, which is difficult to quantify. 

Even in property-cat, where we've had models for 30 years, every single time there's been a big event like the 2005 Hurricanes Katrina, Rita, Wilma (KRW) the models had to be re-parameterised and new versions released that were very different from the old version. 

However, because the insurance industry in general has learned from the last 30 years of property-cat modelling we are to some extent ahead of the curve. We have cloud computing now. When property-cat models were built, we had to rely on very crude tools. So, to some extent, we need to strike the balance between changing landscape and model stability. The industry is trying to be extremely proactive in its assessment of future threats – and looking to respond to trends very quickly even before things become material.

CyberInsurer.com:
How much in-house expertise will be needed to successfully underwrite this risk in the future? Is it possible for a small Lloyd’s syndicate to use a model and just take it from there? Or is it always going to be about the big carriers who can invest huge amounts of money into developing their in house expertise that win out?

Justyna Pikinska:  
My answer is twofold. I would say that in the last year or the year before that, it was probably the latter case because it was the re/insurance giants who could afford to have expertise and talent in-house. They've also been writing cyber for 10 years, which obviously gives them a competitive advantage by having historical data and claims, plus established talent on board. However, we're seeing a lots of new entrants in this class, especially smaller syndicates, who are very keen to take advantage of market changes. 

You can start with a £10m, £20m or £50m book of business and go from there. Lloyd’s is encouraging growth as long as it's done correctly. The market is very keen on syndicates being able to prove that they have expertise in-house. Talent is extremely scarce, however, so it's quite prohibitive for people to enter this class because finding a cybersecurity expert or an experienced underwriter is extremely difficult.

CyberInsurer.com:
Is the shift towards smaller syndicates playing in this space also because of the maturity of the models?

Justyna Pikinska:
Modelling maturity brings a lot of appetite. Models five or six years ago were completely black boxes. It was very difficult to get a proper output. These days, we don't only have one model like previously. We have three models, but those models give you different answers. 

To some extent, that’s a good thing because we want to encourage people to think differently while we're in a rapid growth phase. It is beneficial for people to see different views. So on the one hand there is market concern or scepticism around the models because the answers are different. But, for model users who understand the model use cases and the model capabilities, those tools are useful. 

CyberInsurer.com: 
But if you’re a very small syndicate you might not have the capacity and the capability, right?

Justyna Pikinska:
If you’re a small syndicate, it becomes significantly more difficult for you but this space is very competitive, not only for modelling companies, but also for brokers. So lots of smaller syndicates are actually relying on brokers to provide that capability.

CyberInsurer.com:
In the next two or three years, how is the cyber market going to develop? 

Justyna Pikinska:
The next two years are going to be extremely exciting. We're going to see a lot of competitive pressures between the old school traditional insurance and reinsurance companies versus new entrants to the market. Munich Re expects the market to double in size by 2025, and I believe modelling is critical to unlock this capacity. Like you said, Monte Carlo is a great example. There is still scepticism because every month we see that there was a cyber big loss. But that doesn't mean that cyber is scary if you write this business in a disciplined and strict manner. 

CyberInsurer.com:  
How are ILS funds feeling about this space?

Justyna Pikinska:
There is a huge interest for one specific reason, which is diversification. If you think about ILS funds, they've suffered significant property-cat losses over the last five years. Cyber is a natural diversifier. Everyone in the industry says that there is going to be a cat deal soon in cyber.

CyberInsurer.com:
I've heard that every year for the past five years.

Justyna Pikinska:
Me too! But I think we're getting closer. It's getting more and more realistic. Obviously, timing is everything. Hurricane Ian at the moment is bad timing. But with model maturity the ILS space is going to become significantly more open minded to cyber. I think up until now, divergence of models has been keeping ILS funds a little bit away from cyber.