Cyber catastrophe bonds may be about to move out of the shadows of private deal-making and into the public debt markets.
So-called cat bonds, which farm out hard-to-insure risks to capital market investors in exchange for double-digit returns, have typically been built around natural disasters such as hurricanes. But as the potential fallout of business-halting cyber attacks becomes too big to insure, issuers are seizing the moment.
Beazley Plc, which owns specialist insurers across Europe and the U.S., is exploring a potential $100 million cyber cat bond, according to Artemis, a research firm specializing in insurance-linked securities. And AXIS Capital is preparing to issue a $75 million cyber catastrophe bond, according to a preliminary offer document seen by Bloomberg.
Spokespeople for AXIS Capital and Beazley declined to comment on the deals.
The wider market for cat bonds is likely to reach a record $40 billion this year. A lot of that growth has been fueled by the impact of climate change, as extreme weather shocks threaten to make insurers’ business models untenable. For that reason, some of the most active players in the cat bond market are reinsurers such as Swiss Re AG and Munich Re AG.
Investors have been drawn to returns that trounce those of U.S. Treasuries. This year, the Swiss Re Global Cat Bond Performance Index is up 18 percent, while the Bloomberg U.S. Treasury Index has dropped about 1 percent.
Issuers of cyber cat bonds want to protect themselves from financial losses that can follow a major cyber attack, including lost revenue, legal fees and regulatory fines.
Insurance-linked securities “offer corporate boards and business owners a degree of comfort over their balance sheet resilience in the event of a larger cyber event,” according to a recent report co-authored by Kathleen Faries, chief executive officer of Artex Capital Solutions.
But with limited historical data to analyze, as well as increasingly sophisticated forms of cyber crime, investors face unusually high levels of risk.
“With hurricanes we have decades of data,” said Marco della Giacoma, portfolio manager at Tenax Capital, a London-based hedge fund that regularly invests in cat bonds. “But it’s more difficult to price cyber risk.”
Toby Pughe, an analyst at Tenax, says it’s hard to trust a cyber model. “If they say the loss estimate is 1 percent, it could actually be 5 or 6 percent,” he said.
Other investors said they welcome the opportunity to get more exposure to the market for insurance-linked securities.
“We are now seeing leading cyber underwriters positioning themselves to tap the ILS market with transparent deal structures that target catastrophe—rather than attritional—risk, in a form and at pricing levels that we believe have become attractive,” said Joanna Syroka, director of new markets at Fermat Capital Management, one of the biggest cat bond investors.
Fermat “will consider all deals as they are announced,” she said. “Cyber could be the fastest-growing line of ILS, in line with the growth rate of the underlying cyber insurance market, due to the relative lack of internal diversification within the peril.”
Paul Bantick, global head of cyber risks at Beazley, said the threat of cyber losses is now such that “traditional reinsurance can’t get you there.” Though he declined to comment on specific deals, Bantick said the message from investors is “the time is now” for cat bonds to fill the reinsurance gap.
There has been a handful of cyber cat bonds issued so far, including three privately placed by Beazley. The new securities expected from AXIS and Beazley are notable because they will likely trade on secondary markets, providing access to a much wider pool of hedge funds, pensions and other investors.
Hannover Re, which underwrote about €800 million ($856 million) of premiums for cybersecurity last year, is also exploring the new market.
“I’m fairly confident we’ll use cat bonds to transfer cyber risk to the capital markets,” said Henning Ludolphs, a managing director at the German reinsurer. “This could be sooner rather than later, maybe even within the next couple of months.”
The list of known cyber attacks is long and growing. In 2017, suspected Russian malware shut down Ukrainian banks, government agencies, drugmaker Merck & Co. and shipping giant A.P. Moller-Maersk A/S, an event that cost $10 billion in losses, according to the White House. In 2021, an attack on the computer network of Colonial Pipeline disrupted U.S. oil supplies.
Last year, the number of ransomware attacks against industrial firms alone surged 87 percent, cybersecurity firm Dragos Inc. estimates. And just this month, Industrial & Commercial Bank of China Ltd. was hit by a cyber attack that prevented it from clearing swathes of trades. The incident forced clients of the world’s largest lender by assets to reroute transactions, leaving brokers and traders scrambling to assess the extent of the impact.
In the U.S., losses stemming from cyber crime soared 48 percent to $10.2 billion last year from 2021, according to the Federal Bureau of Investigation. And a recent PwC survey of CEOs found that a quarter consider their companies to be highly or extremely exposed to cyber risk over the next five years. They outnumber the 22 percent who voiced similar concerns about the threat of climate change.
The perceived risks are reflected in costs. Munich Re estimates the premiums that corporations will have to pay to insure themselves against cyberattacks are set to almost triple to $33 billion between 2022 and 2027.
“Cyber risk is one of Munich Re’s main strategic growth areas,” said Chris Storer, head of the reinsurer’s cyber center of excellence.
Theo Norris, head of cyber insurance-linked securities at Gallagher Securities, said “there are enough ILS investors to make a dent in the capital needs of the cyber insurance market.”
For Gallagher Securities, which structured and placed Beazley’s private cyber cat bonds, the goal is to “continue building on this to attract even more ILS investment to support our clients and ultimately make cyber insurance more available and affordable,” he said.