Cyber: putting the ‘year in the middle’ to good use
Often, as we begin the annual march towards the January 1 reinsurance renewal, the current year—the ‘year in the middle’—is forgotten.
In 2013, we talked about 2012 (Superstorm Sandy) and 2014 (what was to come). For the property-catastrophe folks, 2018 is shaping up in much the same way: there is plenty of 2017 activity to reflect on while we chart a path to 2019. Despite the fact that cyber is a new and emerging risk, it’s following the same pattern.
We saw plenty in 2017 to get us thinking about the 2019 renewal, and maybe this time around, we can make good use of the year in the middle.
The cyber insurance and reinsurance market is still small, and disproportionate loss years may not move the market as they would in more mature classes of business. However, active years do provide important learning opportunities that can help us prepare for major insured losses when cyber has grown a bit more.
Types of losses
In 2017, there were two loss types that could become problematic in the future. First, affirmative cyber risk losses were (relatively) plentiful. PCS Global Cyber recorded more than $400 million in such losses last year. Two companies affected by NotPetya subsequently purchased cyber insurance as well.
Had the cover been in place before the event, 2017’s tally would have topped $1 billion. Had other companies had more affirmative cyber protection in place—or entered the market—the industry’s loss ratio could have approached 100 percent.
At the same time, we caught a glimpse of what ‘silent’ cyber really means. PCS Global Cyber estimates insured losses from NotPetya to be greater than $3 billion, with 90 percent of that attributable to silent cyber. The silent losses mostly hit property programmes, providing an interesting twist to a market that generally expected silent cyber to manifest in the liability space.
As a result, our industry may cast a wider view of the lines that could be hit by a cyber event, while also scaling upwards from the relatively tight pool of insured losses associated with NotPetya—where more than half the insured loss came from one company.
Capital management
The cyber market continues to grow rapidly, while absorbing losses, which naturally leads to questions about risk and capital management. Capacity for conventional programmes appears to be plentiful, but the cyber reinsurance market has begun talking about retrocessional protection, while some of the larger primary insurers continue to seek more reinsurance protection than they can currently find. Even in a market awash in capital, it seems, the risk of a shortfall could be looming.
The problem is one suited for the insurance-linked securities (ILS) market. With target allocations for pension funds worldwide estimated to be between 1 and 3 percent, capital sitting on the sidelines could be several times the size of the existing global reinsurance market. There’s no way for a sector to realistically absorb that much capacity without undergoing a structural change, and cyber may provide that opportunity.
Cyber has been kicked around the market as ‘the next US property-catastrophe’, with the potential to deliver protection for large and significant risks that currently aren’t covered. As a result, cyber could both consume capital waiting to be deployed and provide meaningful diversification from peak-peril property-catastrophe risks. The greatest challenge right now is to figure out how to make cyber easy for the ILS community to digest.
Taking cues from the global property-catastrophe market, industry loss warranty (ILW) trading could offer some support in the early days of ILS adoption. Industry loss index trading is more familiar to ILS funds and reduces the level of effort associated with understanding cyber risk. In the Bermuda market, we’ve already seen capacity offered on an ILW basis, and the London Market is represented too.
Further, other ILS funds and traditional reinsurers have expressed interest in writing ILWs on both affirmative cyber risk losses (usually on an annual aggregate basis) and cyber catastrophes, which could provide swift and relevant relief should fast industry growth result in capital constraints.
So, as we prepare for the annual year-end race to the renewal, it will be crucial to factor the 2017 cyber lessons into 2019 reinsurance protection. For a change, though, perhaps we’ll be able to give a nod to 2018—the oft-forgotten year in the middle. With industry loss index triggers now available to the ILS sector, it should be easier to drive capital into one of the few lines of business that could show more demand than supply.
