There are four ways to manage cyber risk. One is avoiding risk by eliminating or forgoing it. Two is mitigating risk by reducing its likelihood or impact. Three is transferring cyber risk to a third-party cyber insurance company. Four is accepting the risk without eliminating, mitigating, or transferring it. Given that eliminating cyber risk is practically infeasible in a digitally connected world, most enterprises mix the remaining three ways to manage their cyber risk.
Despite enterprises mitigating cyber risk via security solutions, the total cost of security breaches worldwide exceeded $8.4 trillion in 2022. We would expect much of this cost to be absorbed by the cyber insurance industry. However, the cyber insurance business worldwide amounted to a paltry $10 billion for the same year – leaving room for exponential growth in the business.
According to Conning, around nine out of 10 small and medium businesses (SMBs) in the US are still uninsured, and such businesses form the majority of enterprises globally. This implies that enterprises are still accepting trillions of dollars' worth of cyber loss. The cyber insurance market is projected to grow to only $20 billion by 2025 and $60 billion by 2029, well short of its growth potential.
What limits this growth is that there currently isn't enough capital in the cyber insurance market for enterprises to transfer cyber risk to insurers and re-insurers. An influx of capital from new sources into such a market will be needed to sustain long-term growth. Moreover, enterprise cybersecurity could be improved as a by-product of such growth. One way significant capital can be injected into the cyber insurance market is through insurance-linked securities (ILSs).
ILSs as a Concept to Boost Cyber Insurance Market Capital
One could argue that cyber (re-)insurance suppliers should resort to insurance-linked securities (ILS) markets to boost their capital – just like (re-)insurance firms have been doing for decades. After all, the global scale of the economic impact of cybercrime runs in trillions of dollars annually, most of which is not insured (as insurers flee the market with rising claims) and leads enterprises to accept this large loss. This amount is far greater than the economic impact (a few hundred billion dollars) due to natural catastrophes (Nat CATs such as hurricanes Andrew and Katrina) for which the ILS markets came into existence in the early 1990s to inject capital into traditional (re-)insurance markets. If there can be an ILS market for Nat CATs that pose a societal, economic impact far less than that posed today by cyber-risks, why not have an ILS market for cyber?
As a detour, even if for a while we forget the global scale of economic impact and focus on the local scale of economic impact due to a cyber-attack, we can infer that cyber (re-)insurance markets alone will not close the supply-demand gap. Consider the (futuristic) once-in-fifty-years scenario of 150 million home/office IoT devices (including smartphones) in a single smart city becoming simultaneously inoperable due to a cyber-attack, with an average cost of $100 per device. Even if only 50 million (out of the 150) devices led to losses in business (say due to power grid failure for hours) and quality of life spanning five million households/corporations, with each of the latter contributing an average loss of $5000, we are looking at $25 billion in catastrophic financial losses incurred by the smart city due to a single cyber-event. The cyber (re-)insurance industry will be unable to handle such an extent of loss impact without the support of government programs and/or the ILS markets.
While cyber (re-)insurers have taken steps towards capital-boosting ILS products several times in the past, it is only recently that cyber-ILS products such as the cyber catastrophe (CAT) bond (and parametric re-insurance) have gained market attention. Beazley announced the first cyber-CAT bond, Cairney, in 2023, with Fermat Capital as the investor. The bond, structured by Gallagher Re, covers up to $45 million of losses for a $300 million catastrophic cyber-loss event.
There have been two more cyber-CAT bond announcements by Beazley in 2023 (and more expected from other providers in 2024), boosting their capital market up to $82 million. This increase in cyber-ILS contracts will also boost cyber (re-)insurance market capital. Beazley states, “Developing effective solutions for CAT risks is vital to allow the supply of capacity to the cyber (re-)insurance market to increase, to meet growing demand, and cover from business and society.”
Three Action Items to Sustain Cyber-CAT Bond Markets
We list (as part of the recommendations from our research) three important action items towards sustaining cyber-CAT bond markets in the long run. After all, we are potentially looking at a multi-fold reduction in the cyber-insurance supply-demand gap through such markets. Doing so will significantly boost cybersecurity in enterprise cyberspace. The action items are targeted at cyber-risk modellers, cyber-CAT bond investors, regulators, and bond-selling (re-)insurers.
Categorise Cyber-Incidents Based on Data Availability and Spillover Effects
A key stakeholder in the cyber-CAT bond (and cyber-insurance) market is the cyber-risk modelling enterprise. The risk modelling enterprise assessing the cyber-terrain should categorise cyber-incident types based on the extent to which frequency-severity data on such incidents is available and the degree of adverse impact spillover the incidents have across geographies and industries.
This categorisation will result in the development of case-specific cyber-risk quantification models, which are fundamental prerequisites to achieving successful cyber-CAT bond markets. After all, no one size fits all! A model suited for large data availability cannot generate effective accuracy when it is applied to small data.
We can categorise incidents into three types depending on the extent of such statistical cyber-incident data availability. First, there are sufficiently frequent cyber-incidents (e.g., most data breaches) for which ample statistical data is available on cyber-loss impact. Second, there are medium-frequency cyber-incidents such as malware and DoS attacks, for which the available statistical data is patchy in quantity on average. Finally, for relatively very low-frequency, high-impact cyber-incidents such as cloud outages (e.g., an AWS outage), power grid failures (e.g., the Ukraine grid hack of 2015) and oil pipeline outages (e.g., the Colonial Pipeline cyber-attack), historically available data is either negligible or unavailable.
While high- and medium-frequency cyber-incidents have lower spillover effects across geographies and industries on average, low-frequency cyber-incidents usually have large spillover effects (e.g., a power grid breakdown lasting hours will affect all business sectors in a locality).
Ensure Investor Sustainability
An investor will only stay in the market if the feasible values of cyber-CAT bond attributes make it economically viable for the investor to sustain itself in the market over time. At the same time, the attributes should also be viable for the (re-)insurers to ensure ‘harmony’ (market equilibrium) between the supply and demand stakeholders.
Contracts covering frequent cyber-incidents with high availability of breach statistics across industries should usually mature in 1-2 years. The rationale is that the demand stakeholder side, i.e., the capital injectors, takes on low spillover risk on high-frequency, low-impact cyber-incidents for which considerable historical data is available for assessing cyber-risk. Hence, investors expect to be paid low recurring interest by suppliers for a shorter time, as they do not bear high risk.
Moreover, scenarios with high availability of breach statistics across industries suffer less from the problem of information asymmetry. This is the problem where insurers and capital investors do not have enough information on the cyber-posture profile of cyber-insured enterprises, and it is a primary contributor to spillover effects. A significant quantity of breach statistics, alongside insurance audits and Software Bills of Materials (SBOMs), helps infer the cyber-posture profile of enterprises. It is recommended that cyber-CAT bond contracts managing this class of cyber-incidents have a low multiplying risk-premium factor, with indemnity triggers as the appropriate form of capital-forgo trigger.
Contracts covering low-frequency, high-impact incidents with virtually no data availability should mature much later (a maximum of 10 years) and pay high interest rates to investors to compensate the latter for bearing the catastrophic risk of principal default. In such scenarios, the demand stakeholder side, i.e., the capital injectors, bears a higher spillover risk on rare, high-impact cyber incidents for which less historical data is available for assessing cyber risk. Hence, investors expect to be paid recurring (and higher) interest for a longer time by re-insurers for such incidents, compared to frequent cyber incidents for which sufficient historical data is available.
Ensure (Re-)Insurers Can Sustain Participation in a Cyber-CAT Bond Market
In principle, insurers will only participate in the cyber-CAT bond markets sustainably if the cost incurred to transfer cyber-risk through cyber-CAT bonds is less than that incurred by retaining cyber-risk in the form of the cost of equity (CoE).
Currently, an insurance company's CoE is hardly impacted by the cyber risk in its portfolio, as the latter represents a paltly one percent of the total risk underwritten. Consequently, insurers usually pay recurring premiums to capital investors that are multiple times a fair premium amount, so that the latter can hedge against the extreme adverse impacts of (cyber-)CAT event spillovers. As long as this multiplier stays below a certain threshold, there will be a sustainable cyber-CAT bond market between (re-)insurers and capital investors.
This situation is achievable only if there is
(a) a considerable (if not significant) frequency-severity statistical data availability on cyber-incidents to risk modellers and
(b) sufficient enterprise cyber-posture information shared (e.g., SBOMs) in public/private partnerships.
Regulators will play a key role in ensuring conditions (a) and (b). Alternatively, in the future scenario where cyber risk is significantly reflected in an insurance company's portfolio, the CoE will be reduced through insurer diversification together with actions (a) and (b). This will promote sustainable cyber-CAT bond markets.
[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]