Cyber industry loss warranties aid affirmative and silent cover

The global cyber insurance market is a mess right now, argues Tom Johansmeyer of PCS, Verisk Insurance Solutions, while debating potential consequences and solutions.

Premiums in cyber are small, losses are creeping up, and policy language and event definitions are inconsistent. And that’s just within affirmative cyber! Across the industry as a whole, the greatest concern is where cyber may not have been excluded properly—or at all. Insurers and reinsurers looking to manage their risk and capital have quite the maze to navigate. Different risk-transfer approaches bring distinct benefits, and there are roles for both tactical activity and broader, comprehensive programmes.

The distinction between ‘affirmative’ cyber and ‘silent’ cyber is fairly straightforward. Affirmative involves clear and intentional cover for cyber, as in a stand-alone cyber policy. Silent cyber, on the other hand, refers to cover that may be unintentional. A property programme that doesn’t define (and exclude) digital property, for example, could result in an unexpected claim payment. There are similar risks in other lines of business, such as general liability and marine.

As cyber risk proliferates and stand-alone cyber gains adoption, understanding and managing both types of risk will become increasingly important for insurers and reinsurers. In addition to managing their affirmative cyber books of business, it’ll be important to understand accumulations of silent cyber risk—and perhaps cede them out to other players.

Particularly in reinsurance, risk transfer can be difficult, although there are challenges arising up and down the value chain. Chatter across the reinsurance industry suggests that capacity is still not sufficient to satisfy all cedant needs—a situation likely to be exacerbated throughout 2018. And for reinsurers seeking protection, the situation is nothing short of vexing. Even where retro capacity is available—assuming there are enough players that aren’t writing the same reinsurance risk they’d be assuming—reinsurers would have to reveal proprietary information to their competitors to secure the cover they seek.

That’s where industry loss warranties (ILWs) could become crucial to near-term risk transfer and future market development.

For affirmative cyber, ILW capacity has already been made available by several players, with more markets evaluating the space. This approach to risk transfer could help insurers and reinsurers move risk off their books without having to reveal too much, particularly in the early days of the affirmative cyber sector. However, that would only free up capacity for further affirmative cyber underwriting. The problem of silent cyber would still remain.

Silent cyber has two components: stand-alone risk losses and catastrophe losses. Both have become relevant in the past year, particularly with the Petya/NotPetya event of 2017. Silent cyber catastrophe events can lead to the accumulation of insured losses across several lines of business fairly quickly. For Petya/NotPetya, for example, PCS, a Verisk business, has identified approximately US$2.7 billion in insured losses from that event, including affirmative cyber, kidnap and ransom, and property. The affirmative bit accounts for only a little over 10 percent of the overall insured loss. Within the catastrophe, there’s the potential for individual large-risk losses to develop because of silent cyber, as we’ve seen with Merck within Petya/NotPetya.

Like affirmative cyber, silent cyber could require risk transfer in the near future as well, and many of the issues that arise from the former come to bear on the latter—including confidentiality and risk concentration. Because of this, silent cyber ILW trading could facilitate the rapid optimisation of risk and capital while helping reinsurers protect their competitive advantages. With the launch of a cyber catastrophe index encompassing both affirmative and silent, our market will see the last remaining piece needed for the development of a robust and reliable cyber retro market.

Cyber insurance and reinsurance—as a sector—are still in their infancy. However, evolution can sometimes do with a bit of a nudge. And the gentle encouragement to develop more alternatives for risk and capital management might be exactly what the market needs.