Reinsurance: a growth engine for Cyber
A market in high growth mode
Cyber-related incidents have become a recurring theme in business news, from breaches involving millions of customers' private data, to system glitches resulting in the grounding of entire airline fleets.
More and more, businesses are expected to recover from such incidents promptly and effectively. Investors apply growing scrutiny on the contingency plans put in place, whereas consumers are increasingly aware of the new rights they have acquired under privacy-related legislation in many jurisdictions. It would be highly unusual, in 2019, to find no mention of cyber security in a Fortune 500 company's annual report.
Previously the sole concern of large corporations, Verizon estimated that 43% of breach victims in 2018 were small businesses, a segment where awareness is still catching up with larger businesses.
This evolution has been the catalyst for the establishment of a dedicated set of insurance products. Today, we estimate the global Cyber insurance premium to be around USD 4.5 billion, double the size it was in 2016.
A fast-evolving product
Cyber, as a line of business, has settled around a number of core set of key coverage components, such as privacy liability, extortion, business interruption, data restoration & remediation costs. The insurance profession has been able to refine its approach on the back of a meaningful claims experience building up.
With ransomware attacks on the rise, specialist cyber security firms, who typically handle their aftermath, can help us better understand the anatomy and lifecycle of such attacks. In turn, those insights can help the insurance industry put businesses back in action more quickly and efficiently.
In addition, innovative 'outside in' risk assessment techniques can prove a powerful tool to identify vulnerabilities, especially when combined with the insights derived from claims data.
Beyond the core tenets of the product, we are observing that great strides are being made towards coverage broadening. On the one hand, the dynamism of the marketplace benefits buyers, who yield better value for money. Conversely, cyber insurance policies are evolving at such a pace that new coverages remain untested from a claims standpoint. For example, coverage for contingent business interruption in a world where supply chains are growing in complexity could lead to large claims clusters, the magnitude of which is difficult to fathom. Widespread inclusion of non-IT suppliers in contingent business interruption covers could lead to a spiralling claims adjusting nightmare in the event of a notPetya-like ransomware attack.
We also need to look at cyber exposures in traditional policies, so-called 'silent cyber' covers. For example, property policies would often grant some level of IT-related business interruption cover, whilst professional indemnity policies would indemnify against privacy liability losses arising out of a data breach.
Crucially, property and professional indemnity policies very rarely provide adequate cover or essential post-breach remediation services, which are a staple of dedicated cyber insurance policies.
It is incumbent upon the insurance industry to bring clarity to what is covered and where. An expectation gap between consumers and insurers would hinder trust and undermine the perceived value of insurance. A clear message that only a 'purpose-built' cyber insurance policy can respond to the various facets of the risk would help bridge that gap, and help lay the foundations of a sustainable cyber market.
The role of reinsurance
Reinsurance has had an essential role to play in this growth story. After the 1/1/2019 reinsurance renewal season concluded, we estimated that nearly 40% of the global Cyber insurance premium flowed to reinsurers. In comparison, in more mature lines of business such as property or liability, cession rates (share of the premium ceded to reinsurers) usually remain between 10 and 15%.
Overwhelmingly, insurance carriers reinsure their business through standalone cyber treaties, highlighting the evolution of cyber as a distinct line of business.
The very large majority of insurers buy some proportional cover, usually quota shares.
Quota share treaties provide a useful tool to alleviate capital requirements, and at the same time help fund, by the means of overriding commissions, the investment required in setting up sustainable cyber insurance capabilities. Those capabilities cannot be built without the help of underwriting and broking talent, which is currently in short supply and has led to a buoyant job market for cyber experts.
Whilst proportional covers are still the norm, we also observed that the majority of insurers buy non-proportional reinsurance. Specifically, we have seen an increasing demand for aggregate excess of loss treaties in the last year. The aim of such covers is to protect insurers' balance sheets by ceding catastrophe risk to reinsurers, with attachment points ranging between 90% to 200% loss ratios.
We estimate that the total reinsurance capacity deployed for such structures currently stands at around USD 1.5 billion. Even though the amount may seem modest in comparison to property catastrophe reinsurance, this represents a 100% increase compared to last year.
This highlights the concern within insurance companies' boardrooms around the accumulation potential of a risk that knows no border. Attacks such as WannaCry and notPetya were wake-up calls, with the largest of the two, notPetya, thought by the U.S. government to have caused $10 billion in economic losses, only a third of which were insured.
Recent large losses such as the Marriott data breach have highlighted a growing unease with very large risks, with carriers being more hesitant to deploy high limits on a single policy.
Yet, the current supply of capacity has been sufficient to meet a steady increase in demand for the product. Several towers have breached the $500m mark, a formidable feat considering the relative size of the market.
On the other hand, several set of circumstances could lead to a shortage of capacity in the medium to long term. This is all the more true since cyber insurance is a concentrated market, with the top 10 carriers of cyber risk (insurance and reinsurance combined) writing half of the global premium.
A cyber attack at a global scale could lead to a capital depletion event that would prevent the industry from responding effectively to an all-but-certain rise in demand post-loss. There is a role for alternative risk transfer in this, particularly insurance-linked securities. However, the complexity of the underlying product and the lack of relevant experience compared to data-rich risk pools such as nat cat could potentially be unattractive for alternative capital providers.
The need to make an increasingly digital society more resilient
At Swiss Re we strive to work with our cedents to mitigate cyber risks and close the cyber protection gap with sustainable covers.
We aim at supporting our clients' cyber growth ambitions through reinsurance capacity, with both proportional and non-proportional treaty, as well as facultative reinsurance.
As the risk landscape evolves from the brick and mortar towards the digital world, we endeavour to help our cedents build their own sustainable cyber capabilities. Our dedicated cyber solutions encompass products for SMEs and individuals, state-of-the-art risk analytics and accumulation management tools.