
Reinsurance’s vital role in the digital age
Reinsurance’s different structures can be valuable tools in protecting clients from the risks posed by cyber threats and artificial intelligence, says lawyer Ian Guthoff.
Reinsurance and artificial intelligence (AI) have quite a bit in common. Both industries are based on data aggregation, statistical analysis, and understanding risk. As governments seek to grapple with the introduction of advanced AI systems into the marketplace and to regulate the rest of the activities constituting the digital age, the reinsurance industry offers a free-market mechanism to stabilize the international economy and mitigate emerging and novel risks.
Both the EU AI Act (the “Act”) and the US-based National Institute of Standards and Technology Artificial Intelligence Risk Management Framework (NIST AI RMF) focus on defining the risks created by AI to serve as the basis for the imposition of government oversight. The Act defines risk as “the combination of the probability of an occurrence of harm and the severity of that harm”.
NIST AI RMF similarly defines risk as “the composite measure of an event’s probability of occurring and the magnitude or degree of the consequences of the corresponding event.”
Reinsurance is in the exact business of measuring events’ probabilities and the severity of potential harms. It protects investors and insulates markets against losses stemming from catastrophic risks.
The longevity and fortitude of reinsurance result from three principal factors: the sophistication of its participants, its ability to leverage data, and its operational autonomy.
Through data analysis and complex modelling, reinsurers have protected global markets from both man-made and natural disasters. Simultaneously, reinsurers infuse hundreds of billions of dollars into financial markets and circulate capital by supporting direct insurers’ ability to pay claims.
As we close out the first quarter of the 21st century, the digital age has matured, while artificial intelligence (AI) is in its nascency. In addition to augmenting and amplifying known risks, the transition to a digital landscape introduces new forms of catastrophic risks. Code deployment errors can cause outages that undermine business continuity and disrupt critical infrastructure. Data processors face sophisticated cyber threats from criminal actors aiming to access sensitive databases or monitor high-value network traffic. Generative AI can facilitate identity theft or enable synthetic fraud schemes.
These new risks present potential losses at various levels, from small scale damages to global destabilising occurrences that could disrupt the supply chain or capital markets. The portfolio of reinsurance products and practices can serve both public and business interests alike, while generating significant gross written premiums for reinsurers. Through pricing risk, reinsurers can compel better cybersecurity and data management practices. By entering into reinsurance contracts, reinsurers can ensure appropriate circulation of capital in the event of catastrophic losses, such as the consequences of a major data breach, affording data subjects monetary compensation and business ventures solvency in the wake of a covered occurrence.
This article seeks to introduce the features that constitute the modern digital landscape, identify the exposures and risks spread throughout this new environment, and demonstrate how reinsurance practices, such as facultative reinsurance contracts, treaty programmes and CAT bonds, can be employed to generate significant growth and appropriately distribute risk across the insurance and reinsurance sector.
The Digital Landscape
Today, many jobs, recreational activities, and business ventures can be performed with only a laptop and an internet connection. Some entire industries and technologies only exist in the digital environment. Further, more and more real and physical world dependencies rely on digital infrastructure to support essential services.
Cloud computing, digital property rights, network infrastructure and AI represent the core components of the modern digital landscape. Understanding each is crucial in appreciating the exposures and risks each presents and the capabilities of the reinsurance sector to support business ventures and insulate enterprises and markets against catastrophic exposures.
Cloud computing is the practice of delivering on-demand computing services, such as storage, processing, and software applications, over the internet, rather than relying on local servers or personal devices. These services are typically provided by third-party data centres, allowing users to access resources securely, and at scale, without substantial upfront capital investments in hardware. By replacing localised, capital-intensive server infrastructures with on-demand, remote services, cloud computing relieves businesses of the high costs and complexities associated with on-premises hardware. Organisations can dynamically scale their computing resources, dedicating capacity precisely where and when it is needed. This elasticity enables performance optimisation, fosters continuous innovation, and allows companies to operate at the rapid pace of the digital marketplace.
The efficiencies of scaling also create externalities. Reliance on cloud computing has also created isolated and concentrated real-world locations which contain mass repositories of sensitive hardware and access to sensitive systems and data. Such concentration permits a single occurrence to have widespread damage across the cloud computing ecosystem.
As the breadth and adoption of cloud computing continue to expand, so too does the expanse of digital property and associated property rights. Databases containing hundreds of billions of data points are stored on digital servers hosted by third parties in data centres across the world. The ownership, control, and rights to this information are subject to a patchwork of common and contract law, governmental oversight, and industry guidance. Adding further complexities are the interweaving and overlapping access privileges and uses of the data. Service providers, independent contractors, and full-time employees all serve in dedicated functions, and they may need to perform certain manipulations of data points for permitted purposes or view customer PII to facilitate a transaction. The magnitude of information captured and the derivative works created by these data points spin a web of possibilities and vulnerabilities.
The pace of AI’s advancement and the rate of its adoption are unlike any other technological advancement in human history. It is being interwoven into different products and services at various levels. Simultaneously, AI is also being deployed across the market as an independent product, most clearly exhibited by generative AI tools like consumer-facing ChatGPT or Gemini, but also more specialized products such as Palantir’s Gotham or Foundry. AI is best understood as “any machine-based system designed to perform functions normally associated with human intelligence, such as reasoning, learning, and self-improvement”.
Whether generative AI tools serving as customer service representatives or a machine learning algorithm used to predict marine fishery yields, AI is already fundamentally changing the way individuals interact with technology and data. Individuals are relying on AI outputs to make business decisions or to render clinical care.
As AI continues to proliferate, the human element of the decision-making process will be further removed and at points will appear to be fully automated in both ends and means. Further, and perhaps most profoundly changing the world, will be AI’s introduction of non-human created outputs - images, content, videos - into the world. The consequence of this influx of non-human created output will be particularly felt when AI models are continuously trained on AI-generated inputs, creating potential loops or exaggerating biases or errors in the underlying model.
Regardless, whether through self-driving cars, food development, pharmaceutical research, or interacting with a chatbot, AI will be as ubiquitous as oil or corn.
These features of the digital landscape compose the atmosphere and climate in which risks and vulnerabilities exist, allowing for the occurrence of new forms of loss.
Vulnerabilities, Threats, & Catastrophic Risks
The vulnerabilities, threats, and catastrophic risks that exist in this new digital age are as awesome as the possibilities it presents. These hazards arise across multiple tiers of the digital ecosystem and take shape along spectrums of harm and likelihood. Downtime, malicious actors, cyberwarfare and AI-enhanced fraud and identity theft represent common causes of disruptive losses.
An outage of a network firewall or of access to a production database for a major financial service company or hospital could result in significant financial or physical harm. As organisations increasingly rely on cloud-based services and integrated digital infrastructure, any outage can result in catastrophic exposure. Compounding this problem is the interdependency of network protocols, end user devices and the physical and digital supply chain. A single downtime event for an ISP or a major technology company could result in billions of dollars in losses in the aggregate across various industries. For critical infrastructure systems, such as power grids and financial clearinghouses, downtime poses threats to national security, public safety and global economies.
Beyond downtime, breaches, cyber civil espionage and criminal elements traverse the digital landscape seeking to leverage vulnerabilities for illicit gains. Hacktivists are organised and sophisticated groups of cyber vigilantes, seeking access to sensitive databases in order to observe or expose corporate misfeasance. Script kiddies, while generally less experienced than hacktivists, deploy malware and employ automated tools to abuse discovered vulnerabilities. Finally, insiders and competitors represent human elements, which may inadvertently or knowingly expose entities to losses as consequences of a breach or release of trade secrets.
In addition to criminal activities, cyberwarfare and state-sponsored threat actors represent risks of various sizes and scopes in the digital age. State-sponsored actors are well-funded and technically trained. They target international and publicly traded companies or government agencies and facilities. Attacks can be persistent and sophisticated, and can enable national espionage, sabotage, and large-scale disruption to national interests or international supply chains. Additionally, techniques, technologies, and tools developed in the interest of military defence proliferate: they trickle out of these confidential and protected networks and enter the consumer ecosystem when these advanced devices are in the possession of hacktivists and script kiddies.
Finally, AI both creates new risks and modifies existing threats. Both the Act and NIST AI RMF are particularly focused on understanding and limiting the risks AI presents. The Act identifies the largest risks as potential harms to the health, safety, and fundamental rights of EU citizens. NIST AI RMF captures and categorises risk as well. It identifies three categories of risk: 1) harm to people, 2) harm to an organisation, and 3) harm to ecosystems. These risks can manifest intentionally - a purposeful consequence of an AI system, which was designed to harm - or they may be an unintended result of an underlying error or end-user abuse of the AI system.
Synthetic fraud, fabricated identities, manufactured financial statements, and false consumer engagement reports can all be generated and produced through generative AI tools at scales and paces never seen before. Additionally, AI integration into cybersecurity tools and safety mechanisms may result in significant disputes as to the origin of harms. The deployers of an AI system may be, and often are, distinct from the developers of the AI system. Where a resulting harm’s origin, in part, is from an AI system, there will inevitably be disputes as to whether the deployer or developer is responsible for any losses. Machine learning models likewise contain a host of exposures, including potential claims of bias, abuse of data rights or insufficient support for their modelling. These shortcomings could lead to increased incidents of roadway accidents with self-driving cars or limitations of access to financial services, resulting in costly damages for a series of individuals along the chain of the development, deployment and reliance on AI system outputs.
AI will also accelerate development of malware, and the growing reliance on generative AI to assist in programming may foster the environment of widespread common critical vulnerabilities. Finally, intellectual property rights disputes will arise, both concerning underlying training data and information and the resulting output. Large language models or image-generating AI systems are trained on billions of pieces of data, each data point created or provided by someone or some entity with some form of intellectual property rights in the information. Additionally, courts have found AI-generated work is not copyrightable. Accordingly, use and reliance on AI systems will not only create new risks, but augment existing causes of loss.
As each lawsuit which contains an AI aspect to it will be treated as novel and a case of first impression, there is a tremendous lack of certainty in all ventures connected to AI.
Losses and harms caused by any one or a combination of these risks can manifest in different ways. There are direct damages caused by loss of revenue or theft of information, but there can also be consequential damages such as obligations to provide monitoring services to affected customers or government directives to undertake remedial actions. The instruments available in the reinsurance portfolio present an opportunity to distribute these risks and losses across the reinsurance market to limit exposure for business enterprises, while supporting liquidity and reserve requirements in the insurance market.
Reassurance through Reinsurance
The reinsurance sector is uniquely positioned to insulate the digital economy against catastrophic loss. Facultative contracts, treaty programmes, catastrophe bonds, and specialty captive entities each represent a method for reinsurers to participate in the transference of risks found in the modern digital economy and digital supply chain. Through these instruments reinsurers can assume and price risk to distribute the potential harms across solvent participants.
Facultative contracts could be employed for large-scale commercial enterprises processing and storing sensitive personal information. Data breaches, downtime, or unauthorised manipulation of these datasets could impact access to information or alter decision-making processes, resulting in significant legal and financial exposure for the entity. For entities that serve as datalakes or warehouses, cloud-service providers and cybersecurity vendors, consequences to their network and systems could have seismic ripples downstream. Facultative contracts can be used to underwrite specific portions of the risk, databases, categories of data processing, amongst other activities, to increase solvency in the event of high losses for specified covered risks.
The benefit of facultative contracts in these scenarios is the ability to tailor the risk bearing and costs between the insured, insurer, and reinsurer. This flexibility allows primary insurers to expand their portfolios of insured clients, while limiting exposure to emerging cyber threats. Facultative contracts can also be used to support the creation of new cyber insurance products, based on pre-defined parametric triggers, such as downtimes extending beyond certain time periods or data breaches impacting more than 500 customers in a unique jurisdiction. Through distribution of risk across the insurance and reinsurance marketplace via facultative contracts, reinsurance can insulate both individual enterprises and the global market against dire financial consequences.
Treaty reinsurance programmes offer reinsurers the opportunity to improve risk management practices. A key aspect of treaty reinsurance is the composition of the ceding premium. Depending on the exposure, risk tolerance, and likelihood of occurrence of loss, reinsurers may demand increased portions of the premium if they lack confidence in the administration of the direct insurance programme or believe there is a high likelihood of excessive losses. Reinsurers can reward well-managed cyber liability insurance programmes by reinsuring those books of business on favourable terms, freeing up capital and reserve requirements for the direct insurer to expand its presence in other insurance markets.
The treaty programme’s flexibility in composition also permits layering of improved policy coverage options at the direct insurer level, further distributing the weight of the risk across many insurers and reinsurers. Whether it is excess loss, fronting relationships or pro rata, the fashion and construction of the treaty programme is sufficiently flexible to account for unknown risks or to narrowly tailor the reinsurer’s exposure. Further, reinsurers’ supervision of direct programmes may lead to improved underwriting practices and compel better business practices at the insured level, such as increased training of employees, employment of multifactor authentication, or deployment of SIEMs (security information and event management systems) and DLP (data loss prevention) systems.
Catastrophe bonds have traditionally been used to mitigate losses from consequential natural disasters, such as once-in-a-century hurricanes or earthquakes. However, with emerging technologies such as blockchain and AI, there are novel catastrophic risks that may be best mitigated through cat bonds. These could include systemic failures to network firewalls, compromises to blockchain encryption keys, or material and detrimental reliance on an AI system’s outputs resulting in widespread harms. Cat bonds offer a promising solution to transfer these emerging risks to the capital markets, thereby protecting corporations, insurers, and governments from financial disruption, while encouraging development of trustworthy AI systems.
The structure of these digital cat bonds would be identical to their traditional counterparts, with the establishment of a Special Purpose Vehicle (SPV), the entry of a reinsurance agreement, and the requiring of a triggering event. The organisation assuming the catastrophic risk exposure forms an SPV, organised in a jurisdiction with a favourable regulatory environment for insurance-linked securities. The SPV raises debt equity from willing and qualified investors, to invest in secure, liquid assets, held in a trust account. The SPV enters into a reinsurance agreement with the ceding reinsurer, detailing the ceding premiums to be paid, the triggering event, and loss obligations and coverage terms.
If the cyber-related catastrophe occurs, the SPV pays out the reinsured losses to the ceding company, using the funds held in the trust account. This structure provides significant returns for investors if no catastrophic event occurs but also creates a marketplace to adequately insure against consequential events while protecting the insurance industry from excessive losses.
The use of cat bonds for emerging risks offers several advantages. It provides additional capacity for highly disruptive or emerging risks that traditional insurance markets may be reluctant to fully underwrite. It also diversifies risk for investors, as emerging technologies and AI-driven events will have different and unique risk profiles from conventional natural catastrophes. Additionally, the SPV structure can simplify the regulatory treatment of reinsurance transactions, particularly for complex or emerging risk categories.
Finally, for certain enterprises that may wish to establish captive insurers, reinsurers may be able to enter into the modern risk space by serving as a backer of captive vehicles insuring an individual enterprise’s own risks. Serving in this capacity, reinsurers would be able to gain access to critical insights into entities’ risk appetites, cybersecurity programmes and the makeup of the organisation’s information system, and reduce the reliance on primary insurers.
This approach offers several potential advantages. It allows the reinsurer to develop a direct business relationship with a specific insured, gaining insights into its and its industry’s risk profile and management practices. This can be particularly valuable in assessing and pricing cybersecurity-related risks, which are often complex and company-specific.
Moreover, this model has the potential to benefit the insured as well. By working closely with a reinsurer, the insured gains access to a broader range of expertise and resources that can help enhance its risk management capabilities. This can lead to a more robust and tailored risk mitigation strategy, potentially reducing the likelihood or impact of future cyber incidents. Furthermore, it can provide the insured with greater flexibility in managing its insurance costs, as the captive insurer can be structured to meet the specific needs and risk appetite of the insured.
Reinsurance’s role in managing and facilitating risk for the digital age is continuing to take shape. The demands and risk exposures of the next 100 years will be balanced between historic catastrophic events and the creation of new occurrences. As the market navigates the emerging risks, reinsurance will remain an impactful industry in stabilising global markets and protecting insurers and insureds alike.
Ian Guthoff is an associate in-house counsel at GuarantR Inc., based in New York City. Prior to joining the company, Guthoff served as a special referee and court attorney for the New York Supreme Court. He can be reached at Ian.Guthoff@theguarantors.com.