Viewpoint: The first green shoots of a maturing cyber insurance market are now apparent

Over the past three to four years the cyber re/insurance market has gone through a marked evolution as it approaches a newfound level of maturity.

Following a sustained period of growth and profitability, increased losses stemming from ransomware from late 2018 onwards resulted in a material deterioration in performance and highlighted the dynamic nature of the risk. To address this, a meaningful correction in the price was required, leading to significant price increases over the past 18 to 24 months.

Signs are now appearing in the market that pricing is beginning to stabilise; nevertheless, the ransomware phenomenon demonstrated how the complexity of the cyber risk environment can present new opportunities for criminals and bad actors to exploit. Consequently, a question lingers: what is next?

To date, the cyber insurance market has relied heavily on quota-share reinsurance to support its growth and development, concentrating capital on a limited number of cyber insurers and still fewer reinsurers.

To some degree this is to be expected, given the availability of cyber expertise remains limited throughout re/insurance, as it does in the wider economy. However, as the global cyber market has now grown to more than $10bn in annual premium, all participants are beginning to assess the volatility of the line, their appetite to retain risk and the wider availability of capital to support the market’s next growth phase. In doing so, the market has and continues to demonstrate a mature and robust approach to securing its future – not only by contemplating the challenges ahead, but also actively putting in place measures to address them before they occur.

In addressing such challenges, the over-riding theme has centred on controlling systemic and catastrophic cyber risk. This has parallels with the genesis of the property catastrophe market and the breaking out of infrequent, high-magnitude events capable of affecting multiple companies from smaller, individual, localised loss events. The difference is the cyber market is attempting to put these measures in place ahead of time, heeding the lessons from historic market developments.

Exposure definition

Various approaches have been taken to define cyber exposures more acutely to ensure capital structures and products can more tightly reflect their respective profiles of risk. It is likely that none of these are perfect and while many have their critics the intent remains a positive one.

The insurance market wants (and arguably needs) to provide cover for cyber exposures and it is critical it finds solutions to overcome these challenges to ensure the wider industry can remain relevant for the ever-growing pool of cyber insurance customers.

Cyber and many other emerging risks pose fresh challenges for the industry, but they remain material risks in society and are likely to grow. If new solutions are not found and the industry is constrained by approaches and techniques applied to more established risks then it is not serving the needs of its customers.

Arguably, even well-trodden techniques and re/insurance market structures are increasingly being questioned as the industry tries to grapple with the implications of climate change on traditional lines.

As the global cyber market has now grown to more than $10bn in annual premium, all participants are beginning to assess the volatility of the line, their appetite to retain risk and the wider availability of capital to support the market’s next growth phase

In the past 18 months we have seen significant insurance product evolution, with multiple carriers addressing systemic and catastrophic risk exposures separately from individual loss events in their products.

Similarly, for years the re/insurance industry has faced the insurance-linked securities (ILS) market to try to attract and unlock additional capital for the cyber market. However, quota-share deal structures do not naturally present the profile of investments sought by ILS investors, even where they have appetite for cyber exposure.

As a result of market evolutions and product innovations throughout the value chain, Beazley recently transacted the first cyber risk into the ILS markets via a 144a bond structure. What is telling is the risk transferred was catastrophic risk, enabled by the cyber industry’s growing understanding not only of investors, but also the divergent nature of cyber exposures in the market.

Similarly, Lloyd’s recent move to define cyber war exposures more acutely – while much criticised – stems from the same objective. The intention has been to better define and manage catastrophic exposures that have the potential to severely affect existing capital structures. Despite the criticism, the approach is centred on proactivity and sustainability.

Reinsurance structures

We have also seen the reinsurance buying strategies of insurance companies begin to change significantly; primary carriers are moving away from the tried and tested formula of purchasing quota-share reinsurance – which is often paired with an aggregate stop-loss – to explore and transact new and innovative products offered by the reinsurance market directly addressing catastrophic cyber risk, mainly through occurrence and event excess-of-loss solutions.

These changes require not only an understanding of the different risks within the market, but also a willingness to attempt to define them and transfer them – on both sides of the trade. It is encouraging both the insurance and reinsurance markets – and, by extension, the ILS market – are beginning to come closer together to find common ground on intent, definitions, market structures and products to enable peak cyber perils to be discretely traded. This not only enables different pools of capital to be unlocked, but also provides a mechanism for the existing capital in the market to be more efficiently deployed.

It is likely in five years’ time the definitions and product structures we are seeing today will look quite different. However, these are the first stepping stones to a more mature, efficient and sustainable cyber market and should be celebrated. Through these innovations the market is creating the foundational components to enable its continued and much-needed growth. It is not in the insurance industry’s interest not to provide cover for growing levels of risk. It needs to close the coverage gap, not widen it, but it needs the right structures in place to enable that to happen.

The next phase of the cyber market’s development will focus on embedding these changes further, while building out the infrastructure needed to scale transaction volumes through the provision and structuring of data, modelling enhancements, partnerships and the continued education of end customers, market participants and investors, but these are the first green shoots of a maturing cyber insurance and cyber catastrophe marketplace.

Daniel Carr is head of cyber at Ariel Re