A one-size-fits-all approach to cyber reinsurance is no longer suiting an increasingly specialized market, according to The Lockton Re Cyber Centre in a recent report titled, The All Risk Cyber (ARC) Challenge – An Assessment to Simplify Cyber Reinsurance.
This is because as cyber risks are dynamic and ever changing, managing these risks “has been a game of whack-a-mole with ever evolving cyber perils creeping up, and old ones coming back to haunt loss development,” Lockton Re said in the report.
“We are at a juncture where, as part of the ongoing maturing of the cyber market, qualitatively different coverage deserves qualitatively different treatment by reinsurers and capital providers to maximize the market potential,” the report said. “First-party perils and third-party liabilities are not the same. Catastrophe losses behave differently from attritional losses.”
For most insurance carriers, the report explained, cyber insurance policies incorporate a mix of first- and third-party covers. These risks have become bundled into a single product over time known as all risk cyber, or ARC, which supports first- and third-party perils, as well as catastrophic or systemic cyber exposure.
However, Lockton Re believes this solution is limiting the supply of capital in the market as well as the insurance industry’s ability to scale cyber insurance in a sustainable way. The report instead proposed singling out these three perils into separate coverages.
“In mature classes of commercial insurance where first- and third-party risks are broadly separated, billions of dollars of capacity are available to support demand,” the report said. “Within cyber, these two elements create an original sin by commingling protection types for largely a single cost.”
The report said that splitting these perils would allow for more effective risk transfer to reinsurers and further down the value chain capacity in a targeted and scalable fashion. It also would provide an opportunity, the report said, to increase participation in the market and unlock the supply of capital to support its growth and meet continued demand.
“There are very distinct differences in how first-arty and third-party risks are handled in the insurance value chain,” the report said. “Underwriting, claims and reserving all require separate methodologies, experience and data.”
More Knowledge, Open Conversations
Separating first- and third-party risk in reinsurance allows clients to access two pools of intellectual knowledge and reinsurance capacity aggregate, the report said. This ultimately allows access to more capital. It can also lead insurance carriers to have open conversations with insurance buyers and brokers about the impact risk controls have on first- and third-party pricing. Rather than focusing on cyber hygiene as a general area of improvement, they can focus the conversation on conducting more meaningful cost/benefit analysis, the report added.
Lockton Re said another benefit is that shorter tail first-party perils mean that it will be easier to package and trade in the secondary and alternative market, encouraging more capital to participate in the market.
Lack of Efficient Data
That said, there are challenges with this approach that would need to be ironed out. Many of these challenges revolve around the collection and use of data.
“Some carriers do not currently capture premium data in a sufficiently detailed format” to identify risk premium specifically associated with individual types of cover, or even broad first- and third-party peril categories, the report said. “Improvements are required to create a consistently high standard of premium data quality for widespread adoption.”
Losses that involve both first- and third-party perils would require pre-agreed allocation of losses to different coverages, the report said. Because reinsurer appetites can evolve at different speeds, this could create challenges fulfilling primary carrier needs.
Another challenge is that insurance policies are often written with past incidents and losses in mind.
“When the risk is as dynamic as cyber, which is anthropogenic in nature and thus rapidly changing, insurance and associated risk mitigation is forever catching up with reality,” the report said.
Indeed, as the Internet has become more universal, previously segregated perils that were classified within a specific commercial insurance line of business have now become nebulous and hard to pin down, the report said.
“This is an example of how the edges of cyber insurance can blur with other classes of insurance,” the report said. “It is only through careful management of the policy language intent, and the transparency of customer communication and underwriting approach, that the risk can be appropriately managed.”
The Trend Toward Specialization
The most important initial step, according to Lockton, is to capture risk data in a more accurate way that is better aligned to separate perils. Credible premium allocation needs to exist based on underwriting rating between first- and third-party risks. This includes premium for monoline cyber insurance, as well as cyber risks that are part of joint covers, such as E&O, the report said.
“The accurate capture of claims data is equally critical to demonstrate performance over time for the separate segments of first and third party risks, as well as catastrophe risk,” the report added.
Additionally, education of both buyers and sellers about cyber reinsurance is an ongoing priority, the report said, as the trend to increased specialization is likely to continue.
Ultimately, Lockton said the goal of separating cyber perils into more segregated categories for reinsurers is to create a better opportunity for varied appetites. First-party covers with short tail characteristics are more suitable for reinsurers with an appetite for volatility, while reinsurers who are comfortable with long tail liability classes of business, such as casualty and financial lines, are more likely to gain confidence in the third-party liability exposures created by cyber risks, the report said.
Systemic or catastrophic cyber risk created by the interconnectivity between companies and consumers is another type of risk that behaves differently from traditional first- and third-party perils. This can require an approach that draws on the experience of natural catastrophe losses within insurance, the report said, adding that this type of peril is suited for alternative capital markets and can be packaged in a way that is attractive to non-traditional capital structures.
“The argument for separating cyber reinsurance into three categories is compelling. [While] the end buyer of cyber insurance values the combined product, the specialization within reinsurance enables the separate perils to be treated differently by distinct parts of the market,” the report said. “So, why have they been under one reinsurance umbrella for so long? It takes time to change, but we view this approach can truly create a cyber reinsurance market which is fit for purpose.”