“It is time for discipline and considered expansion.”
That was the core message from Lloyd’s chief of markets Patrick Tiernan during the company’s Q1 2024 market message – and one that is particularly applicable to the rapidly expanding cyber insurance market.
Kirsten Mitchell-Wallace (pictured), director of portfolio risk management at Lloyd’s, noted that while the best in the market already have world-class capabilities for managing cyber, the rest need to catch up to meet demand. She emphasised the need to retain discipline on the attritional and large elements of cyber and to ensure the easier to understand aspects of this risk are adequately captured and quantified before attention turns to the more challenging aspects of severity and catastrophe.
“Cyber cat requires that systemic risk is measured, managed and capitalised,” she said. “This discipline becomes even more crucial as demand for cyber insurance increases. The economic losses associated with cyber events may be significant, but insurance penetration is still low.
“In cyber, different perils like ransomware and Cloud outage are as distinct in their propagation and aggregation as earthquakes are from hurricanes. We need to start recognising this and changing the way we talk about this risk.”
Mitchell-Wallace highlighted that while all Lloyd’s cyber cat scenarios have much lower final net claims than its nat-cat scenarios (as seen in the graph above), cyber is complicated by being less well understood and more difficult to model than nat-cat. In addition, she said, it’s important to note that these Realistic Disaster Scenarios (RDSs) are untested.
“There are three principles which guide our approach to managing cyber at Lloyd’s,” she said. “These are one, the cyber market should be profitable across the rating cycle, considering the volatility. Two, we should not have an outsize cyber loss compared to our market share.
“And three, the cyber market must be adequately capitalised. We need a comprehensive view covering underwriting, exposure management, pricing, outwards reinsurance and capital. So, we're building a multidisciplinary capability assessment, considering each oversight principle as it relates to cyber.”
Understanding of cyber catastrophe has some way to go before it reaches the maturity of nat-cat, Mitchell-Wallace said, as seen in the example that cyber cats do not yet have a common definition of event. This definition is needed so events can be modelled to get the price and the capital right.
In addition, she said, agreeing on this definition will also help with detection and in distinguishing a cyber catastrophe at the early stages of claims. With that in mind, Lloyd’s will work with its syndicates and the wider market to refine these topics.
“Cyber has not had its Hurricane Andrew,” she warned. “Both Andrew and Katrina prompted huge advances in catastrophe modelling and exposure management. But for cyber, we want to build the foundations before we need the roof. We know that understanding of exposure is the foundation for managing all types of risk.”
To have a good grasp of exposure, three perspectives are needed – exposure data, scenarios, and probabilistic models. For nat-cat, the market has insights into all three, she said, while, for cyber, Lloyd's currently only has the RDSs which offer a snapshot of all possible outcomes. This is why Lloyd’s will be helping the market analyse cyber aggregates by peril, and why it is designing a probabilistic framework, analogous to the Lloyd’s cat model.
“This will give us a view across the distribution and into the tail, allowing us insight into a whole range of outcomes so that we can better understand pricing and capital implications,” she said. “When we have all three ingredients, and crucially, all of those work together, it will provide confidence to take on more cyber risk as demand increases.”
Issuing a message to the market, Mitchell-Wallace said: “We want your help to ensure our approach both supports and constructively challenges. We will work with you through the LMA to flesh out the four pillars of Lloyd’s cyber market management strategy.”
Pillar one is around assessing capability to ensure that growth is commensurate with underwriting capability, she said. Pillar two is ensuring Lloyd’s has all three of the key ingredients to effectively manage the risk – data, scenarios and models. Pillar three is on preparing for a major event and pillar four is about developing insights and market intelligence.
“All of these work streams have a common purpose, to give us the tools and capabilities to appropriately manage volatility,” she said. “So to conclude… for cyber, we're working with you to develop the tools to advance modelling. This is not oversight for oversight’s sake. [Rather], it allows more risks to be taken more confidently and to support your ambitions.
