The unique, evolving and often volatile nature of cyber risks has always lurked beneath the surface as the cyber insurance premium climbed in recent years.
The recent CrowdStrike software failure underscored the dormant threats posed by aggregation risk and the potential for significant and far-reaching losses that span industries and reach across lines of insurance coverage. As for magnitude, Delta Air Lines alone has estimated that its 5,000 canceled flights related to this recent CrowdStrike event will cost it $500 million.
CrowdStrike exemplifies the kind of aggregation risk that the industry is worried about. One security bug or a software flaw has the potential to bring down businesses such as airports, airlines, financial institutions or even software companies. The interconnectedness of systems was in full display and demonstrated how businesses can be brought to a standstill abruptly and on a large scale. This incident is likely going to impact multiple insurers.
While insurers across the board rely heavily on models to estimate this type of cyber-related exposure, one might reason that the severity of such a large-scale, systemic event until now may have left some of these models untested. It’s also provided a stark reminder of the key role reinsurance must play in cyber coverage as a backstop.
Cyber insurers rely heavily on reinsurance, with about 50 percent of cyber premiums ceded to reinsurers. Reinsurers provide insurers with capital relief, earnings stability and, more importantly, valuable underwriting partnerships.
Delta Air Lines represents just one of the affected companies in this recent incident, but this illustrates the potential for widespread ransomware attacks or major data breaches to generate substantial or even outsized claims. Reinsurance enables insurers to maintain a more stable financial position, ensuring they have the capacity to meet their obligations to policyholders even in the face of significant losses.
Any pullback by reinsurers to limit their own capacity on cyber coverage will certainly flow downstream to primary insurers and possibly limit primary insurers’ appetite for cyber insurance. A similar scenario is playing out in the U.S. property insurance market amid increasing weather-driven losses.
The systemic nature of cyber risks poses another significant challenge. Unlike traditional property risks that can often be limited by geography or line of business, cyber risks can spread rapidly across borders and industries. A single vulnerability in widely used software, such as CrowdStrike, or a coordinated cyber attack can result in simultaneous losses for multiple policyholders. This interconnectedness amplifies the potential for large-scale losses and necessitates a comprehensive and coordinated approach to risk management.
Preferred Risk-Transfer Solutions
Quota share reinsurance remains a common risk-transfer mechanism in the cyber insurance segment. Under this approach, the primary insurer and the reinsurer share premiums and losses in proportion to agreed-upon terms. This straightforward distribution of risk is particularly attractive for those in need of cyber coverage, especially when the complexity and variability of risks necessitate clear and manageable reinsurance solutions.
In addition to quota share arrangements, another option involves aggregate stop loss and event covers. This approach provides protection to insurers when their aggregate losses exceed a predetermined threshold. This type of coverage is particularly valuable in managing the cumulative impact of numerous smaller claims, which can add up to significant losses over time.
Event covers provide protection against specific catastrophic scenarios. These are designed to respond to defined events, such as a major cyber attack affecting multiple policyholders.
Insurance-Linked Securities
Insurance-linked securities (ILS) are another emerging trend in the cyber reinsurance market. ILS provides another means for insurers to transfer risk to the capital markets, offering an alternative source of capacity and risk management.
The ILS market’s appetite for cyber may be driven in part by the general perception that these risks are assumed to be short tailed in nature and generally uncorrelated with the broader financial markets. However, it should be noted that to date there have been very few large-scale cyber cat events to test this market hypothesis fully.
In December of 2023, a flurry of 144a cyber bonds were issued totaling about $415 million. So far in 2024, there has been one small private placement of a $14 million cyber bond by Hannover Re, which covered cloud outages for the first time and one 144A cyber bond of $160 million by Beazley.
Growing Investor Demand
We do expect more cyber bonds in the future since some of the issued bonds so far were upsized, signaling investor demand. It’s important to note that the average loss multiples for cyber bonds appear to be at least twice that of natural catastrophe bonds, indicating that investors may be expecting much higher spreads on cyber bonds to cover modeling risk and perhaps to include a novelty premium.
It’s important to note that cyber risks are constantly evolving, driven by technological advancements and the increasing sophistication of cyber threats. This dynamic environment makes it challenging for insurers and reinsurers to accurately assess and price risk. The emergence of new threat vectors, such as those enabled by artificial intelligence and machine learning, further complicates this task. Reinsurers must continuously adapt their models and strategies to keep pace with these developments, requiring significant investment in research and technology.
Good cyber practices have proven beneficial to both insureds and insurers. These practices have led to a steady decline in the segment’s loss ratio, despite a sharp increase in ransomware attacks in 2023. The future of cyber reinsurance will depend on the industry’s ability to leverage technology, innovate and even collaborate on risk management. As the digital age and its complexities continue to mature, reinsurance has a key role to play by offering some guardrails on the path forward.