16 October 2019News

Why Bermuda can lead on cyber

Cyber re/insurance has changed a great deal over the past decade, as the threat from cyber attacks has become more clearly defined—but with significantly greater loss potential.

One of the reasons is that companies have started to share more information about the attacks and losses they have experienced, instead of remaining silent due to fears of appearing vulnerable. This trend, combined with regulatory pressures, has moved cyber insurance from a relatively small area of the market to a much larger one, with the true scale of the problem finally being reported.

As the re/insurance industry wrestles with the nature of the problem, is this, therefore, an area that Bermuda can take advantage of?

Dan Carr, head of cyber at Occam, agrees that the sector remains a growth opportunity for the market as a whole—as a standalone product line and more generally.

“Cyber continues to be an ever-growing risk exposure for insureds, prospective insureds, and re/insurers themselves,” Carr says. “Consequently, there will continue to be a need for additional capacity to enter the market.

“Bermuda’s heritage and proximity to alternative capacity sources means it is well placed to support this growing class of business and also explore varied and novel capital structures to meet the growing demand to transfer cyber risk.”

The rise of a new market

Ian Newman, global head of cyber at Capsicum Re, says that cyber continues to grow as a peril, and in fact it will give rise to an entirely separate market: property, casualty & cyber (PC&C).

Newman thinks Bermuda is in a unique position to take advantage, as it has proved its ability to grasp complex risk and move capital into risk-taking positions.

“Capsicum Re regards cyber as a key focus due to its sheer volatility. The unique characteristics of cyber risk mean the threat transcends geography, industry and traditional business classes,” he says.

This demands an exceptional mix of cross-class underwriting expertise and huge volumes of capital. Bermuda can channel its experience and expertise in the ILS market, and in catastrophe protection, towards the volatile nature of large cyber exposures, becoming the home for cyber catastrophe coverage.

Asked how Bermuda might benefit from this increase in cyber insurance, Newman says: “Bermuda as a market is inherently lean and nimble so one of its strengths is its ability to evolve in response to challenges facing the global markets.

“As cyber insurance premium grows and the peril is refined, the inherent design of Bermudian re/insurers means they are well placed to react and respond to the challenges presented from this new expansive peril.”

Newman adds that without getting into specifics around insurance vs reinsurance or proportional vs non-proportional, Bermuda is writing hundreds of millions of dollars in cyber premiums and deploying substantial limits to this growing business.

The Bermuda Monetary Authority’s 2018 Cyber Report included statistics from the previous year which showed that Bermuda commercial insurers reported gross written premiums in the cyber risk field of approximately $845 million. This shows that Bermuda is already positioning itself as a go-to market against a challenging environment within Lloyd’s and a well-established US/European market.

A positional advantage

Looking at the issue of whether Bermuda’s mid-Atlantic position, between the US and Europe, provides any benefit when it comes to cyber insurance, Carr says the Island’s geographic location will enable it to assume more of a globally diversified position in sourcing cyber risk. In his view, US and European-centric carriers will be predisposed to the cyber threats and risks stemming from those regions, which are often a consequence of broader and more complex geopolitical factors.

Newman agrees on Bermuda’s location. He points out that its position is increasingly important in the wake of the EU General Data Protection Regulation legislation and the fines meted out by the US Federal Trade Commission.

As a market situated between regulatory zones, this independence will be a benefit. However, he adds, any regulatory decision will have to be reacted to, and won’t be consultative—a significant potential headwind.

John Huff, president of the Association of Bermuda Insurers and Reinsurers (ABIR), is convinced that while Bermuda remains a leader in national catastrophe coverage, it is also establishing leadership in certain specialty lines—including cyber.

Huff says that the Island has been at the forefront of the market for some time, and that it continues to provide the thought leadership and impetus to help lead the shift to standalone cyber insurance products and cyber reinsurance.

“I’m very energised about cyber,” says Huff. “Bermuda will take a leadership role in this area because cyber is going to evolve. No-one knows yet what the magic formula is for coverage and for cyber terms and conditions, or what will be the exact value proposition for cyber coverage.

“But one thing is certain: it will require flexibility and adaptation.”

Leading the charge

According to Huff, the Bermuda market is proving itself as a hub for the most agile, innovative and entrepreneurial market talent, and cyber coverage will require all of this expertise. He believes that cyber is the beginning of insurance companies’ move beyond pure indemnification of loss costs and beyond pure risk transfer, where the policyholder pays a loss and re/insurers reimburse them for it.

What cyber is highlighting—and Huff says that ABIR’s members are very strong in delivering—is that cyber starts with policyholders asking the insurers and the reinsurers to tell them how to protect themselves, purely through the underwriting process.

“That’s the public service that ABIR’s member companies are providing before a risk is even being bound,” says Huff.

“Insurers are improving their cyber hygiene by telling potential customers, who are merely applying for cyber coverage, that no, they’re not interested in them because they don’t have the software patches, or hardware enhancements, or a protocol or a culture for cyber resilience.”

Huff thinks that bringing on board policyholders, particularly small and medium-sized businesses, is an area where Bermuda will really shine. They will be better able to guide clients through the process of what it means to be cyber resilient, and then to help them prepare for the fallout from a cyber attack.

Unlike large firms, which might merely throw money at the issue, smaller firms can help by bringing in a cadre of experts who can talk about how to contact and talk to customers, explain how to repair the damage and mitigate losses.

“Right now, the industry is going from silent cyber, that may or may not be in D&O and other policies, to a true standalone affirmative cyber product,” Huff concludes. “Regulators are pushing for it and the industry is responding. It will be an exciting time.”

The shadow of ‘silent’ cyber

The issue of just how much ‘silent’ cyber—potential cyber-related losses stemming from flaws in traditional policies—is out there is interesting. Silent cyber, by its very nature, is broad and all-encompassing.

Carr feels it represents a significant opportunity for Bermuda, because silent cyber would include the most extreme and systemic forms of cyber exposures facing the market.

The Bermudian marketplace has a long history of supporting catastrophe-based events, and its capital providers—as well as the appropriate capital structures—are familiar with taking on large-scale shock events. By working closely and partnering with specialists, as well as those familiar with the specifics of cyber risk as an exposure, Bermuda is well-positioned to lead the market in finding solutions to the complex issues posed through silent cyber.

Newman feels that silent cyber, or more aptly the lack of clarity on existing cyber exposures, will have an immense impact on the overall P&C market. In a low-rate environment and with razor-thin underwriting profits, losses from cyber in non-cyber lines are unsustainable.

“The NotPetya ransomware attack in 2017 was a turning point, demonstrating the systemic nature of the cyber peril,” Newman explains.

“We have been highlighting the issues around non-affirmative cyber since 2015 and working with clients to help identify, quantify and mitigate their exposure. Reinsurance is the main backstop of this exposure as it can remove substantial silent cyber risk by affirming protection.

“In September we launched Decrypt, a new, holistic cyber reinsurance solution that we created with Swiss Re. It provides a single, flexible, end-to-end solution to insurers’ cyber exposure challenges, including embedded, silent and affirmative cyber risks.”

As a consequence of this, Newman concludes, the market needs cyber to be clearly defined and priced correctly to aid the development of the risk transfer and re/insurance market as a whole, and to prove its efficacy and relevance to clients.