P&C the March 2023 issue

Prickly Peril

The fast-growing cyber market is on a collision course with constrained capital, but the most costly cyber risk remains a hard-to-detect threat.
By Russ Banham. Posted on March 1, 2023

For insurers and reinsurers, the prospect of a cyber attack generating systemic losses represents an existential crisis in the making.

Major cyber insurers have taken actions to reduce their exposure to systemic losses.

Beazley recently launched the first cyber ILS catastrophe bond to help support its cyber portfolio.

After a decade of soft market pricing, an uptick in high-severity ransomware claims fueled sharp increases in premium in late 2021 and 2022, with premium increases peaking in fourth quarter 2021 at 34.3%, according to The Council’s Commercial Property/Casualty Market Index. The increases appear to be slowing, with the P/C Market Index showing an average increase of 15.0% in fourth quarter 2022, but long-term stability remains a question mark.

Several major carriers providing cyber insurance are increasingly concerned over the possibility of a cyber attack generating systemic losses, defined as having the potential to impact thousands of companies simultaneously, due to commonalities or shared elements of exposure. Such a possibility is an existential crisis in the making for the many insurers and reinsurers that assume cyber risk.

An example of a systemic risk is the successful hacking of a large third-party provider of cloud services, shutting down its operations while concurrently infecting the IT systems of a huge number of insureds that rely on the provider for services. Marsh stated in its fourth-quarter 2021 “Cyber Insurance Market Overview” that, were such a cascading loss to occur, it “could cost multiples of the estimated size of the current insurance market.”

And according to Chubb, the complexity of cyber networks makes the risk harder to understand and manage. “Vulnerabilities and exposures are multiplying due to greater interconnectivity, creating systemic risks that are vast, growing and not easy to detect or control,” the insurer stated in a 2022 report titled “Catastrophic Cyber Risks: A Growing Concern.”

“Combining these systemic risk dimensions with potentially severe and widespread consequences creates the possibility for a cyber catastrophe,” the report states, noting that cyber incidents are not limited by geography.

Chris Storer, head of the Cyber Centre of Excellence at Munich Re, says that “understanding and modeling systemic risk is the biggest challenge we have…a topic on the minds of all leading insurers in the cyber market.”

More Demand, Less Capacity

As more technology is introduced into corporate operations, processes and functions, the risk of cyber attacks disrupting business escalates, along with the need to transfer the exposure. A recent equity research report provided on condition of anonymity to Leader’s Edge (due to restrictions on distribution) projected the cyber insurance market will grow at a 25% compound annual rate to reach an astounding $480 billion in commercial premiums by 2040. By comparison, premium volume across the entire U.S. property and casualty industry in 2021 was $715.9 billion.

Assuming the report is close to the mark, meeting this demand is constrained by the reinsurance capital available to spread primary carriers’ catastrophic risks. “The demand for reinsurance capital remains greater than available supply,” Marsh stated in its fourth-quarter 2021 cyber market overview, explaining that the total amount of cyber premium that insurers are collecting “is potentially insufficient to fund for a catastrophic loss.”

Well aware of this possibility, Beazley in January 2023 launched the first cyber catastrophe bond in the global insurance market, a liquid insurance-linked securities (ILS) instrument. The $45 million tradeable bond, which is backed by a panel of investors including Fermat Capital Management, indemnifies Beazley against all perils in excess of a $300 million catastrophe. “The bond is designed to cover remote probability catastrophic and systemic events,” Beazley said in a prepared statement.

“If you look at catastrophic cyber,” says Paul Bantick, Beazley’s head of Global Cyber & Technology, “we run 12 to 20 scenarios where we model catastrophic events happening with cyber, and that’s OK: we’re giving coverage for those, we’re insuring those, we’re comfortable with that. We’re not doing this because we’re not comfortable with how we’re managing the systemic risk we have today.” Bantick says Beazley is introducing its cyber catastrophe bond because the market is “probably going to grow a lot if we want to keep giving clients that coverage going forward, which we want to do.”

While the alternative form of cyber risk-bearing capital is considered an important industry development, the ILS-backed instrument alone won’t meet the market’s needs.

“This is a very, very small placement, especially for a carrier as large as Beazley,” says Roman Itskovich, co-founder and chief risk officer at cyber insurance provider At-Bay. “It’s more of a proof of concept than a capital solution, although it is certainly a step in the right direction, given that the demand for cyber insurance outpaces the supply of capital.”

Bantick agrees this is just one tool for working to build capacity in the growing market and says it was a conscious decision to go for the smaller, $45 million bond versus a larger number. “We now have something that is tangible, that is there that we can build on, and I think that is a very good way to go about it,” he says.

“We want to grow this. I’d love to get it to a quarter billion or more. And if you look at the property market, that is something that is a natural progression that hopefully we’ll get to.”

Widespread Exclusions

According to Chubb, while no cyber attack has produced a lateral-moving catastrophic loss, such an event is “no longer theoretical.”

Longtime industry observers agree with this nightmarish possibility. “There’s no question the potential for truly catastrophic cyber losses will rival the largest natural disasters in history, making it incumbent on insurers to understand the aggregation of cyber risks they have on their books to ensure they are appropriately underwritten,” says Robert Hartwig, associate professor of finance at the University of South Carolina, who leads the school’s Risk and Uncertainty Management Center.

Appropriate underwriting of potential systemic cyber losses is severely challenged by what Storer, from Munich Re, calls “essentially uninsurable risks. I don’t believe it is possible to model such risks at the present time, which is why they need to be clearly excluded and compartmentalized by the carriers. From a reinsurance standpoint, it is important that the carriers address these issues at the original policy level.”

Major cyber insurers like Chubb, Beazley and Lloyd’s are doing just that. Lloyd’s, for example, recently said its syndicates will begin excluding coverage for attacks sponsored by state-backed entities beginning in March. News reports also suggest the insurance and reinsurance marketplace is working on additional approaches to limit syndicates’ cyber-risk aggregations. Although Lloyd’s said last August it remains “strongly supportive” in writing cyber insurance, it also noted that “if not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage.”

Beazley has also added three new endorsements—a revised war exclusion; a revised infrastructure exclusion, clarifying telecommunications infrastructure and replacing the company’s existing exclusion; and a new sublimit endorsement, addressing two catastrophic cyber events: a prolonged outage of a major cloud service provider exceeding 72 hours and contagion malware in a computer operating system causing major detrimental impact to a state’s essential services.

“There are some risks that are too big for us to take on, and we’ve been pretty clear about that—cyber war, for example,” Bantick says. “But there are only a few, small number of scenarios where I think cyber insurance says, ‘This is something that we can’t take on.’”

Chubb has structured a separate endorsement to absorb four types of “widespread events.” The events include software supply-chain exploits, an attack in which hackers enter systems through trusted and certified software (“effectively a Trojan horse,” Chubb states); severe zero-day exploits (“attacks arising from certain software vulnerabilities known by cyber criminals but not yet by anyone else”); severe known vulnerability exploits (“that are not patched”); and “all other widespread events.” The last event appears designed to absorb systemic cyber risks. Chubb said such events include an outage at a large cloud computing firm that “could impact the operations of thousands or even millions of companies.”

Market Reaction

Several brokers and MGAs commented on the ambiguous wording of the coverage endorsements and exclusions. John Farley, managing director of Gallagher’s Global Cyber Liability Practice, says the brokerage is concerned about what the primary cyber insurance marketplace “wants to cover and not cover. Some (insurers) are deciding to sublimit (catastrophic) events, adding time elements like not covering the impact of a cloud outage beyond a certain amount of hours or days. Others are throwing in co-insurance requirements. We and others are confused over what these actions mean if there truly is a catastrophic event as defined in the policy.”

“We’re seeing carriers pulling all these different levers to retract and reduce their exposures—not only sublimits and co-insurance but also much higher retentions for buyers on top of exclusionary language,” says Steve Robinson, National Cyber Practice leader at Risk Placement Services. “Carriers are seriously beginning to address the possibility of systemic risk in their wordings due to concerns over potential cloud provider outages and operating system failures. In trying to mitigate their exposure to such big mass casualty-type events, some insureds are getting substantially reduced limits for what is probably some of their biggest exposures.”

Itskovich agrees. “If a single cyber event happens to many companies and you are one of them, my interpretation of the ambiguous policy language is that your coverage will be limited,” Itskovich says. “You will have half the limits you think you have.”

Carriers that provide cyber insurance, such as Liberty Mutual, argue that the industry’s actions are necessary. “Any insurance company that is not thinking about systemic cyber risks is not thinking properly,” says Dan Frusciano, Liberty Mutual’s North America head of cyber underwriting. “The systemic nature of cyber is on everyone’s mind.”

Although Frusciano acknowledged that brokers and MGAs want more clarity and consistency in cyber insurance policy “wordings and approaches,” he says the market is immature when compared to other lines of insurance. “The more data the industry generates over time will help organizations model the potential for systemic risks,” Frusciano says. “Once carriers have a better sense of what these risk scenarios look like, we can reflect this enhanced knowledge in how we each underwrite the product.”

It is extremely difficult to quantify systemic cyber risks. Since such losses have yet to occur, the data are limited to “what might have occurred” scenarios. Like other industry participants, Shawn Ram, head of insurance at Coalition, agrees that the difficulty of modeling systemic risk is the key factor in the cyber insurance market’s recent actions.

“The models on systemic risk are highly divergent insofar as the cat load, given the lack of knowledge about a third-party cloud provider’s cyber security,” Ram says. “Consequently, there are high deviations on the potential for an aggregating event to occur. … This uncertainty is causing reinsurers to be cautious in deploying capital.”

This caution is evident in reinsurers’ quota share treaties with cyber insurers. “Many quota share reinsurance treaties during the 2022 renewal period included loss ratio caps excluding reinsured losses above a specified percentage of earned premiums, a way of reducing a reinsurer’s exposure to catastrophic loss,” says Itskovich.

While the loss ratio caps remained in place during the recent treaty renewal season, Storer from Munich Re says, they are “not unusual, as more than 50% of carriers’ cyber exposures are assumed by reinsurers, materially more than any other line of business.”

Nevertheless, Itskovich projects that over time, less capacity for cyber risks will be borne by reinsurers than is assumed at present, with “much more of the capacity taken net on primary carriers’ balance sheets,” he says. “Obviously, to support a much bigger cyber insurance market in the future to meet demand, risk-bearing capacity will need to grow substantially. This could occur directly by tapping the ILS markets, like Beazley did, or indirectly in the form of cyber insurers’ and reinsurers’ raising [investor] capital to deploy towards cyber risk.”

Farley agrees, saying, “While capacity has loosened up, it is nowhere near where it was. I don’t believe we have the capacity we truly need.”

When asked how Beazley has been able to make investors comfortable with its underwriting, Bantick says it was a two-year process of showing investors the scenarios Beazley had been building over 15 years of writing cyber. “They’ve evolved over 15 years,” Bantick says. “We have some brand new ones, we have some older ones, we have some ones we’re thinking about. I think giving them the insight into those scenarios, how we create them, the third parties we work with, that’s what built that confidence.”

In addition to using modeling provided by CyberCube, Beazley ran its own deterministic scenarios of the risk, working through many possibilities and modeling what they look like in the present and future as the portfolio grows.

The importance of the cyber insurance market’s response to systemic risks cannot be overstated. A 2022 survey of 1,200 business leaders by Travelers Insurance listed cyber threats as the top overall business concern, ahead of broad economic uncertainty, energy cost fluctuations, and the ability to retain and attract talent. “I don’t think that CEOs and CFOs believe their companies can manage cyber risks well enough, which explains why the cyber insurance market is so crucial and has grown so much in such a short time,” Itskovich says.

The business leaders surveyed were upbeat that insureds will continue to do their part, fortifying their networks and systems against attack and responding forcefully when an intruder is discovered. “The insurance industry has done such a great job moving the needle of cyber-security preparedness across businesses in diverse sectors,” says Robinson, of Risk Placement Services. “To qualify for coverage now and in the future, you have to be secure. That will continue to be a catalyst for good.”
