As the market for cyber insurance grows the amount of exposure in the re/insurance industry is increasing, so reinsurance companies are also finding their portfolios more exposed making the ability to hedge that exposure vital, according to Tom Johansmeyer, Assistant Vice President, PCS Strategy & Development at ISO.
While you were watching Hurricanes Harvey, Irma, and Maria, you may have missed something important! Quietly, 2017 has become a major year for large cyber risk losses. Three events resulted in significant insured losses, and in aggregate, they could be more meaningful to the cyber reinsurance industry than the U.S. hurricanes and wildfires combined.
While the cyber sector is still small, this year’s events show the importance of developing a global cyber industry loss warranty (ILW) market to meet the need for cyber retrocession that is clearly on the horizon.
Yes, 2017 was a big year. According to data from PCS® Global Cyber, three events (Southwest Airlines, Equifax, and Merck) account for nearly US$500 million in insured loss for affirmative cyber. With events of at least US$20 million measured under our methodology, 2017 accounts for more than half of all losses tracked by PCS Global Cyber since 2013. And like the hurricanes and wildfires the global reinsurance industry is fixated on, these three cyber events came in rapid succession.
Of course, the cyber insurance losses are but a drop in the bucket compared with U.S. catastrophe losses this year. A reasonably large hail event can generate US$500 million in industry wide insured losses. And we’ve seen over the past few years that there’s rarely a shortage of hail events in the United States. Yet, to take this view is to miss the lesson inherent in the 2017 cyber losses we’ve identified. The potential for both a high aggregate cyber loss and a high aggregate U.S. catastrophe loss illustrates the need for a change in future thinking about risk and capital management—in particular, the need for cyber reinsurance risk management tools.
Greater penetration of bigger cyber losses
A proportionately large cyber loss year now may not mean much for the global reinsurance market as a whole, but it could serve as a sign of what’s to come. The insureds affected by losses so far have had relatively limited amounts of protection. However, much larger covers are being placed elsewhere in the market, with some exceeding US$500 million. And even then, as we’ve seen from some 2017 activity, it wouldn’t take long to exhaust the protection available.
This year alone, uncovered losses from the likes of British Airways, Maersk, and Federal Express—not to mention economic losses above insured limits at Equifax and Merck—show the potential for cyber losses to accumulate in the future. An increase in major attack activity, insured losses from cyber catastrophe events (like WannaCry, Petya, and NotPetya), and an increase in limits and overall market penetration make it easy to imagine a loss year of above US$20 billion.
Larger towers, more insureds, and more losses translate to potentially much larger aggregate loss years, especially if attack frequency increases as well. In general, the cyber insurance and reinsurance industry needs to prepare for losses as the sector grows. Unfortunately, that’s only the first step in the necessary risk and capital management activity underwriters need to undertake as cyber risk transfer evolves. Across an entire insurer or reinsurer, there may lurk an even more menacing risk.
When both wind and bytes blow with equal ferocity
As the cyber reinsurance sector grows—bringing with it the potential for larger aggregate annual large risk losses—the potential for a capacity crunch may develop at a disproportionate rate. Contemplate a proportionately large cyber loss year a few years down the road, when cover is ubiquitous and more capable of absorbing large economic losses. Now, pair that with a U.S. catastrophe year like 2017. It’s conceivable that a property-catastrophe year of US$70 billion and a global cyber year with US$20 billion in losses could occur—even if it remains hypothetical for now. And at some point, the cyber number could go even higher.
So, what happens if (or when, really) we see a combined property-catastrophe and cyber insurance loss year of close to US$100 million…or more? That’s when the potential for a capacity crunch could arise, even if both cyber and catastrophe are managed effectively each on a standalone basis.
Following a decade of discussion around market-moving losses from capacity events, in which ‘the number’ ultimately reached US$200 billion, the development of the cyber insurance market could prompt a reevaluation of that thinking, in which the absorption of risk capital could come from a series of unrelated— – and utterly conceivable—events.
Managing the flow of capital
Retrocession has become one of the key points cited in most discussions about cyber reinsurance industry growth. Even though there’s been little need for it so far, the day is coming—quickly—when the reinsurance market will benefit from the availability of retrocession capacity for cyber. A robust market for cyber retro can help reinsurers deploy more capacity and manage their risk and capital more effectively. The ability to manage a cyber book actively becomes even more important for a reinsurer when considered within the context of a large property-catastrophe loss year (as described above). The unexpected accumulation of losses could have an unexpected impact on a risk bearer’s financial results, even when the losses come from events that aren’t necessarily correlated.
To get a reliable and useful cyber retro market off the ground, industry loss warranties will be crucial. As you get further from the risk, it becomes more and more difficult to understand what’s coming into a portfolio. This isn’t news to the property-catastrophe market, which has used ILWs to manage risk and capital in the retrocession market for decades. The same approach could work effectively in the cyber space too.
Cyber ILWs would help insurers and reinsurers transfer risk effectively without requiring the deep analysis required of traditional covers. And where that deep analysis isn’t possible, an ILW would facilitate reasonable and prudent risk transfer using available information for execution of a non-underwritten cover (that is, a cover using an industry loss trigger). The cedant would have to accept some basis risk, but a robust ILW market would enable the swift execution of trades—and rapid settlement when necessary—to make the maturation of a cyber retrocession market possible. And as an industry loss history develops through the increase in capacity available (along with an increase in cyber incident activity), everyone in the cyber risk and capital supply chain would be able to learn more about the risks in the market to tailor their protections more effectively. But it all starts with cyber ILWs—that’s really the only way to get scale quickly.
Alleviating future pain
We all know that the future of our industry will involve a certain amount of anguish. There’s plenty of data to show just how bad a year of property-catastrophe losses can be. And after 2017, we’ve gotten our first tangible case of the loss potential the global cyber insurance sector holds. Both can happen at the same time, and as an industry, we have to get ready for that eventuality.
In the property-catastrophe space, risk and capital management have had ample time to evolve, and the progress made over the past 30 years, in particular, is impressive and has shown results. Post-catastrophe reinsurance rate increases have softened since Hurricane Andrew. Unfortunately, that dynamic hasn’t been tested in a year of heavy large cyber losses. An evolving cyber insurance market could have knock-on effects for other lines of business, especially in a clash year with catastrophes.
A mechanism for increasing the flow of new forms of capacity into the cyber reinsurance market could have benefits for the global reinsurance industry as a whole. Cyber ILWs represent an important tool for driving the development of the cyber industry and preventing a potential capacity crunch across lines of business in the future. The need for cyber retrocession is already coming quickly. Getting it right early could ensure that a year like 2017—but with much higher stakes—can be handled properly.
Author – Tom Johansmeyer:
Tom Johansmeyer is assistant vice president, PCS Strategy and Development, at ISO Claims Analytics, a division of Verisk Insurance Solutions. He leads all client- and market-facing activities at PCS, including new market entry, new solution development, and reinsurance/ILS activity. Currently, Tom is spearheading initiatives in global terror, global energy and marine, and regional property-catastrophe loss aggregation. Previously, Tom held insurance industry roles at Guy Carpenter (where he launched the first corporate blog in the reinsurance sector) and Deloitte. He’s a veteran of the U.S. Army, where he proudly pushed paper in a personnel position in the late 1990s.
This article was contributed by a sponsor.
