Understanding ILS risks

Minimising and mitigating cyber attacks by criminal and terrorist groups seeking to steal, disrupt and damage is one of the most serious challenges faced by governments, businesses and the re/insurance industry.

According to a UK government report published in May 2016, two-thirds of large businesses experienced some sort of cyber breach or attack during the previous 12 months. However, the threat of a large-scale attack to critical national infrastructure poses a particular threat to governments and the people they are charged to protect, from accessing security data to causing loss of life through an attack on a power plant, public utility, hospital or airport.

Frequent attempts to hack into the UK’s national grid are understood to have been thwarted, but in Ukraine thousands of people were left without electricity supply for a few hours in the middle of winter when hackers were more successful. According to a cyber espionage expert quoted in the Financial Times, John Hultquist, this was the first example of a cyber attack leading to a power shutdown.

UK chancellor George Osborne’s speech last November at GCHQ, the government’s communications headquarters, highlighting the threat of cyber terrorism to national security would have chimed with the concerns of the re/insurance industry.

For the industry to fulfil its obligations it needs the capital and expertise to manage and transfer risk for complex threats which are not universally well understood. The potential threat is such that the capital markets have a role to play in supporting traditional re/insurance operators in developing risk models that properly and more effectively synthesise cyber exposures that can be distributed more efficiently around capital markets. That way, insurance can continually evolve to keep up with demand, allowing insurance markets to operate more efficiently.

While the challenges and complexity of cybercrime are clearly daunting, they also present extraordinary opportunities for the industry—as well as the third party capital investors who are increasingly providing capital to these markets.

As an April 2016 report published by BNY Mellon, Insurance-linked Securities—Cyber Risk and the Capital Markets,points out, London is well placed to take a lead on this given its long history in understanding complex, specialist risks. Among its findings, BNY Mellon found that cyber-risk is “one of the fastest-growing exposures faced by the corporate world” and predicted the market could grow to $25 billion by 2025.

We know already that US and Japanese companies are looking to London for leadership in securitisation of cyber risk for transfer into alternative structures. It is clear that the capital markets are needed to meet demand that cannot be met by re/insurers alone. It is not just a question of the concentration of risk within the insurance industry, but that alternative capital insists upon a more visible, comprehensive approach to underwriting risk; simple arbitrage will not suffice.

While BNY Mellon described the capital markets as the “logical place for catastrophic emerging risks”, it noted its dependency on more work being done by the re/insurance markets to aggregate and model risk.

The challenge facing third party investors to begin underwriting or investing in cyber insurance is to understand true cyber risk and probabilistic threat. The barriers confronting capital markets securitising and investing in cyber risk have been an incomplete understanding of cybersecurity and the unadorned threat environment, together with an indeterminate method of modelling cyber risk.

The threats can be better understood by deploying threat intelligence and a technical understanding of technology—and then have them modelled appropriately in a way that capital markets understand. Progress has been made here: aggregation and severity of cyber risk can already be modelled, and re/insurers in the London Market are working with alternative capital providers to bring to market the first generation of cyber insurance-linked securities (ILS) products.

This lack of real understanding of cyber is particularly evident for vital national infrastructure where insurers in the main do not adequately understand motive, opportunity and means in the context of cybersecurity. Cyber risk, especially in national infrastructure, lends itself to be transferred via ILS structures as it is typically not correlated on an intra-industry basis.

It is clear that reinsurers and the capital markets are aware that the demand to insure cyber is not presently being met by supply. It is becoming more viable to model and package cyber risk into ILS that can therefore transfer the risk to the capital markets. It follows that the ability for reinsurers to model cyber risk will create a secondary market for cyber that is currently not modelled, underwritten or priced by insurers of non-cyber classes such as property, energy, nuclear, marine and aviation.

As current modelling techniques enable parameterisation of cyber risk, there is clear alignment of interest between investors and sponsors. Cyber risk avoids the risk arbitrage associated with some other classes of insurance because it is increasingly central to reputational loss, shareholder approbation, regulatory censure and enterprise risk management generally.

Cyber insurers understand event-based relativity that allows for cyber terrorism causing property damage and bodily injury to be properly addressed under a cyber policy. With this understanding, a clear approach to parameterised risk and risk analytics that addresses attribution, alternative capital structures are well placed to drive the cyber insurance market forward.