The risk transfer industry has a duty to help society better manage cyber risks. One possibility is that cyber re/insurance can be opened up to ILS investors, but the underlying risks must be properly understood before they can be modelled, as Sciemus CEO Rick Welsh tells Bermuda:Re+ILS.
When asked what is the single biggest opportunity for growth in the world of risk transfer right now, most re/insurers say a single word: cyber.
As the pace of digitisation has increased exponentially, this has become the single biggest threat many companies face. Naturally, they look to their insurance partners to help them manage and insure that risk.
The extent to which this is possible is a work in progress, to say the least. But the market is growing rapidly and companies are keen to benefit from this demand.
Now some, including Rick Welsh, the CEO of Sciemus, a risk modelling and analytics company, believe that it might not be long before the capital markets will be willing and able to take on such risks—but he stresses understanding them is key.
A duty to help
Welsh believes that minimising and mitigating cyber attacks by criminal and terrorist groups seeking to steal, disrupt and damage is one of the most serious challenges faced by governments, businesses and the re/insurance industry.
To put things in context, according to a UK government report published in May 2016, two-thirds of large businesses experienced some sort of cyber breach or attack during the previous 12 months.
"Cyber risk is increasingly central to enterprise risk management, so a more centralised and fluid approach to cyber risk transfer is required."
Similar figures are not available for Bermuda but the threat of a large-scale attack to vital national infrastructure poses a particular threat to all governments and the people they are charged to protect, from accessing security data to causing loss of life through an attack on a power plant, public utility, hospital or airport.
Welsh notes that frequent attempts to hack into the UK’s national grid are understood to have been thwarted, but in Ukraine thousands of people were left without electricity supply for a few hours in the middle of winter when hackers were more successful.
According to a cyber espionage expert quoted in the Financial Times, John Hultquist, this was the first example of a cyber attack leading to a power shutdown.
Welsh also cites then UK chancellor George Osborne’s speech last November at GCHQ, the government’s communications headquarters, highlighting the threat of cyber terrorism to national security, which would have chimed with the concerns of the re/insurance industry.
Welsh believes that the industry has what amounts to a duty to get to grips with these risks. “For the industry to fulfil its obligations it needs the capital and expertise to manage and transfer risk for complex threats which are not universally well understood,” he says.
“The potential threat is such that the capital markets have a role to play in supporting traditional re/insurance operators in developing risk models that properly and more effectively synthesise cyber exposures that can be distributed more efficiently around capital markets.
A daunting challenge
Welsh says that while the challenges and complexity of cybercrime are clearly daunting, they also present extraordinary opportunities for the industry—as well as the third party capital investors who are increasingly providing capital to these markets.
As an April 2016 report published by BNY Mellon, Insurance-linked Securities—Cyber Risk and the Capital Markets, points out, London is well placed to take a lead on this given its long history in understanding complex, specialist risks.
Among its findings, BNY Mellon found that cyber-risk is “one of the fastest-growing exposures faced by the corporate world” and predicted the market could grow to $25 billion by 2025.
“We already know that US and Japanese companies are looking to London for leadership in securitisation of cyber risk for transfer into alternative structures. It is clear that the capital markets are needed to meet demand that cannot be met by re/insurers alone,” Welsh says.
“It is not just a question of the concentration of risk within the insurance industry, but that alternative capital insists upon a more visible, comprehensive approach to underwriting risk; simple arbitrage will not suffice.”
While BNY Mellon described the capital markets as the “logical place for catastrophic emerging risks”, it noted its dependence on more work being done by the re/insurance markets to aggregate and model risk.
The challenge, Welsh says, facing third party investors who want to begin underwriting or investing in cyber insurance is to understand true cyber risk and probabilistic threat.
“The barriers confronting capital markets securitising and investing in cyber risk have been an incomplete understanding of cybersecurity and the unadorned threat environment, together with an indeterminate method of modelling cyber risk.
“The threats can be better understood by deploying threat intelligence and a technical understanding of technology—and then modelling them appropriately in a way that capital markets understand,” he says.
“Progress has been made here: aggregation and severity of cyber risk can already be modelled, and re/insurers in the London Market are working with alternative capital providers to bring to market the first generation of cyber insurance-linked securities (ILS) products.
“This lack of real understanding of cyber is particularly evident for vital national infrastructure where insurers in the main do not adequately understand motive, opportunity and means in the context of cybersecurity. Cyber risk, especially in national infrastructure, lends itself to be transferred via ILS structures as it is typically not correlated on an intra-industry basis.”
Lack of supply
Welsh says that it is clear that reinsurers and the capital markets are aware that the demand to insure cyber is not presently being met by supply. It is becoming more viable to model and package cyber risk into ILS that can therefore transfer the risk to the capital markets.
“It follows that the ability for reinsurers to model cyber risk will create a secondary market for cyber that is currently not modelled, underwritten or priced by insurers of non-cyber classes such as property, energy, nuclear, marine and aviation,” he says.
“As current modelling techniques enable parameterisation of cyber risk, there is clear alignment of interest between investors and sponsors. Cyber risk avoids the risk arbitrage associated with some other classes of insurance because it is increasingly central to reputational loss, shareholder approbation, regulatory censure and enterprise risk management generally.”
He points out that cyber insurers understand event-based relativity that allows for cyber terrorism causing property damage and bodily injury to be properly addressed under a cyber policy. With this understanding, a clear approach to parameterised risk and risk analytics that addresses attribution, alternative capital structures are well placed to drive the cyber insurance market forward.
“Traditional insurance structures represent a very constrained approach to addressing cyber risk and will continue to do so for the foreseeable future. Cyber risk is increasingly central to enterprise risk management, so a more centralised and fluid approach to cyber risk transfer is required.
“The cybersecurity industry has been adept at helping insurers understand risk correlation, event-based methodology and predictive analytics. In this regard, interdependencies of systems must be properly understood, mapped then modelled—and this cannot be done by actuarial data regression alone.
“In the UK and US in particular, government has been supportive of efforts to understand and transfer cyber risk. However, government support is required in this market, but only for access and data rather than as insurer of last resort on cyber risk,” Welsh concludes.
Sciemus, London, UK, Rick Welsh, Insurance, Reinsurance, Risk transfer, Cyber risks, Bermuda, North America