In January, specialist insurer Beazley announced the launch of a $45 million cyber catastrophe bond, the first insurance-linked securities (ILS) instrument established in the cyber insurance market. Catastrophe (CAT) bonds allow insurance companies to transfer risk to investors. These bonds pay out to insurance companies if a specific, predetermined event occurs.
CAT bonds are traditionally found in the property and casualty markets, paid to insurance companies in the event of a natural disaster, like a hurricane or tornado, Daniel J. Struck, a partner and litigator at full-service law firm Culhane Meadows, explains. “For the cyber insurance industry, this bond represents an alternate means of spreading coverage risks and a potential new source of capital,” he tells InformationWeek.
What does this new bond mean for the evolving cyber insurance market?
Defining a Cyber Catastrophe
“This cyber catastrophe bond is a novel product, and there is no market-wide standard definition of a cyber catastrophe,” Struck says. The Beazley bond gives it indemnity against catastrophic events that exceed $300 million.
What kind of event could reach that scale? “If you imagine a catastrophe scenario where a number of large global businesses are unable to operate, leading to days of revenue lost and then see years of litigation on top of those losses, in aggregate losses in the hundreds of millions is not out of the question,” says Madhu Tadikonda, CEO of AI-driven commercial insurance company Corvus Insurance.
Peter Hawley, vice president of Insurance at cyber risk management platform Axio, offered an example of the costly potential of a cyber incident. “In 2017, global logistics giant AP Moller-Maersk suffered in the NotPetya attacks to the tune of somewhere between $200 million and $300 million.” The NotPetya cyberattack resulted in $10 billion in damage across the world, according to research group Brookings.
The risk of catastrophic cyber events like that is growing. “As the world becomes more closely networked and the delivery of key goods and services becomes more dependent on the seamless operation of those networks, it is increasingly possible that an adverse event with widespread negative consequences could lead to claim payments that exceed $300 million,” says Struck.
Cyber Insurance Coverage
Cyber insurance companies are faced with calculating this rising risk and offering coverage to their customers. The increase in claim frequency and severity, as well as the growing demand for coverage, has been reflected in climbing premiums, according to a 2022 report from The Council of Insurance Agents & Brokers (CIAB). The report found premiums for cyber insurance increased 27.5% in the first quarter of 2022.
At the end of 2022, Mario Greco, CEO of insurer Zurich, said that cyber will “become uninsurable.” While concern about the burgeoning risk of cyberattacks is certainly valid, Tadikonda argues against the idea that cyber insurance isn’t up to the task.
“Using terms like ‘uninsurable’ promotes the idea that the industry simply can’t handle one of today’s biggest business issues, ceding the ground to solutions from other, more progressive industries. It comes down to advancements in insurance modeling and data science to keep underwriting and pricing models updated at the needed pace,” he asserts.
Roselle Safran, CEO and founder of risk-informed asset management platform KeyCaliber, points out that the cyber insurance industry is just getting started. “The cyber insurance industry is still in its nascent stages. This bond is a sign of the industry maturing and evolving to handle the current state of cybersecurity and cyberattacks,” she says.
Beazley’s bond was structured by Gallagher securities, the ILS arm of Gallagher RE, and it is also backed by ILS investors like Fermat Capital Management, according to the company’s press release. The facility has the ability to scale over time as the company grows in the cyber sector.
Could other insurance companies follow in Beazley’s footsteps and introduce their own CAT bonds? Dan Palardy, lead actuary at cyber insurance company Cowbell, considers the bond to be an overdue step. “It also indicates a growing appetite and comfort with respect to the underlying risk,” he says.
Palardy also notes, “The overall cyber insurance penetration is still quite low, and there is an enormously underserved market. Other industry players likely will, and should, explore any innovative ways to meet that demand.”
Whether industry players seek to replicate Beazley’s CAT bond will likely hinge on several factors. “Much will depend on the availability of backers to get behind insurance carriers in the way that Beazley has secured theirs. This hinges greatly on capital markets seeing the value in these types of arrangements, which is ultimately linked to trust in the underwriters making the decisions on the front lines of risk transfer,” Hawley reckons.
Cyber Insurance Industry Outlook
Risk assessment, both by cyber insurance companies and their customers, will be essential as the industry, and cyber threats, continue to evolve. “Companies need to start by understanding what cyber assets they have in their environment, then distinguish which assets are critical to operations and then compute the risk to the critical cyber assets. These capabilities need to be automated and continuous because today's IT environments are too complex and dynamic for static, manual processes,” says Safran.
Demand for cyber insurance is unlikely to wane as threats continue to grow. But cyber insurance companies, like Beazley, could change the way they approach offering coverage.
“This innovative way of viewing, financing, and insuring against cybercrime may signal a systemic shift in how corporates and insurers assess cyber threats; with increased funding for relevant solutions may come succeeding reductions in premiums for cybersecurity coverage,” says John Espenschied, owner of insurance agency Insurance Brokers Group.