A recent report from the Geneva Association (GA) highlighted how maintaining the pace of growth seen across the cyber insurance market will require additional capital to manage ever-more complex cyber risks. The report explored the potential of alternative risk transfer (ART) solutions, including insurance-linked securities (ILS), such as cyber catastrophe bonds, to facilitate broader distribution of these risks to financial markets.
Discussing where ART solutions fit in with the evolution of cyber insurance, Darren Pain (pictured), director of research and head of cyber at the GA, noted that the genesis of the report predated the flurry of private cyber cat bonds issued in early 2023.
Those bonds, together with subsequent 144A cyber bonds, showed there was some appetite among financial investors to take on catastrophic cyber risks, he said, but the question remained – to what extent is that risk transfer market ripe for lift-off, or will it see a more gradual development?
“I think the punch line of our report is the latter,” Pain said. There are good developments happening in terms of the process of structuring these deals and educating the investor base, but a number of hurdles must be overcome before cyber ILS become mainstream.
“Perhaps the most obvious diagnostic on the state of this nascent market concerns pricing,” Pain said. “The cost of this capital from the third-party investors is, understandably, still relatively expensive because it’s a highly uncertain peril that people still don’t know how to firmly assess and quantify. As a result, a significant novelty premium is likely embedded in required returns on cyber ILS. In order for there to be a significant ramping up in the transfer of capital from the reinsurance sector to the capital markets, that cost of capital has got to come down.”
The Geneva Association’s research revealed three key underlying challenges, Pain said, the first of which is doubts over contract certainty. The lack of policy standardisation, both in primary cyber insurance policies and some of the associated reinsurance contracts, has made some investors nervous as they don’t have a full picture of the cyber risk profile, what triggering events might occur, the timeline of a cyber incident, or whether non-cyber policies might be covered within the ILS contract.
Pain said that the second challenge is around the still relatively limited participation in this marketplace. There are a few high-profile investors that are willing to take on this novel risk, he said, but they’re limited not only in the number of participants but also the level of exposure that most are willing to take on. In property, for instance, you might have 30 or 40 investors involved in a natural catastrophe bond – but when you’re not getting those numbers, the risk is skewed towards a smaller pool of investors.
“There’s limited participation, and not only in the primary issuance market. ILS in general – and this is not exclusive to cyber – is relatively illiquid with limited secondary trading,” he said. “Most people who invest in ILS are ‘buy-and-hold’ investors, who trade out of their positions infrequently when they need to rebalance their portfolios.”
The third challenge is the most structural consideration, he said, involving questions around the extent to which cyber risks are genuinely a diversifier for investors. “It’s a big elephant in the room because we just don’t know. We haven’t observed enough peak cyber events to be confident about what sort of interaction with other financial market instruments, such as corporate bonds and equity markets, might lead to correlated returns across asset markets.”
Pain said the reality is that, in the event of a big enough shock, all markets are probably correlated. As such, in the event of a major cyber incident, the question is how far it would affect market perceptions about the creditworthiness of the victim of the attack, or the others that might fall victim to a similar attack, as well as the earnings potential of these firms.
“We might imagine a scenario where, depending on the nature of the incident, there would be significant financial market impacts that correlate with a cyber event,” he said. “That's typically not the case with a nat-cat for an earthquake, which is part of the reason why some investors seem to like to have some kind of nat cat ILS within their investment portfolio.
“Because it provides a natural diversification to their other types of holdings. That's not assured in cyber. [….As such] people have to take a view about what diversification benefits they would gain from adding cyber to their portfolio. And I think there's caution about that at the moment.”
Even in light of concerns regarding cost of capital, as well as the other underlying issues constraining cyber ILS expansion, the GA’s report is optimistic about the bonds that have emerged and their capacity to catalyse further risk transfer. While that is the case, Pain said, it’s also likely that the development of ART solutions in cyber is going to be gradual in nature rather than experience a sudden lift-off moment. It’s important to note that this is essentially the evolution story experienced by other nascent ILS or securitisation markets.
“Typically, they do develop quite gradually,” he said. “There's sometimes a catalytic event that boosts expansion. For instance, post-Hurricane Katrina in 2005, there was a big ramp-up in nat-cat bonds because there was a shortage of capacity in the reinsurance sector which also influenced how willing cedents were to pay up for the capital.
“But it did ultimately attract more capital into the re/insurance space. So, in principle, you might get some catalytic events like that happening in cyber, but most probably, cyber ILS/ART market expansion will be gradual and steady, rather than sharp and rapid. That's our take on the outlook anyway.”
