Before you can help someone, you need to help yourself, right? For insurers looking to help client companies manage their cyber risk, they must first protect their own balance sheets. Memories of heavy losses in the tumultuous early years of cyber risk coverage are still fresh. Insurers and insureds are now rethinking coverage feasibility and strategies.

An insurance company’s brand needs protection too. When a market disruption occurs, companies that embrace it can gain on competitors and strengthen their corporate brands. But strategic business decisions need to be made, and that can take time. Wait too long, and you might discover that missing the starting gun placed you at a competitive disadvantage. Jump in too early, and you might regret it.

Despite the pain some insurers endured the past few years, cyber risk and the demand for cyber insurance coverage are not going away. They are evolving – and in fact are increasing.

Improved analytics have helped insurers tighten their underwriting standards. They are limiting the cyber coverage offered to certain critical infrastructure sectors and introducing cyber catastrophe bonds to indemnify themselves from catastrophic loss. Insured companies have begun implementing or improving cyber hygiene. They’re also considering self-insurance methods, such as investing more in prevention, and looking harder at their willingness and ability to take risks.

As the industry evolves, this is a great time to educate yourself about the possibilities for your business.

A brief but painful look at cyber security

Viruses, data breaches, and ransom attacks have been around for a while. More recently, insured cyber losses have reached into the billions of dollars, resulting in massive pains as companies try to get their bearings. The 2017 Equifax data breach alone affected 147 million Americans and cost the company nearly $2 billion.

The outlook for 2023 is brighter. Although hacker sophistication has grown along with demand for protection, the cost of coverage (while high) has stabilized. Insurers and insureds continue to refine and enhance their approaches. But one thing hasn’t changed – the need to stay on top of this evolving threat.

Cyber risk protection – ideas under review

Insurance carrier expectations for underwriting coverage have grown to include multifactor authentication, privileged access management, employee training, and more. Carriers are working with third-party vendors to streamline what presently can be an inefficient and error-prone application process. Policy language is tightening, and coverage is more restrictive than in the past, especially in the event of an attack on critical infrastructure with systemic loss potential.

The federal government too is exploring options. In 2022, the Treasury Department and the Cybersecurity and Infrastructure Security Agency (CISA) sought feedback on the creation of a national cyber insurance program. The question of whether federal funds should be used as backstop to help protect critical infrastructure is an ongoing debate. It’s been argued that private insurance isn’t sufficient, that there may not be enough money to cover costs. Some say a major attack could seriously harm economic activity, while others say there’s no such evidence. Others say a federal backstop is an unsustainable model that will amplify cyberattacks.

Regardless, stricter underwriting, tighter corporate internal controls, and a federal government safety net likely won’t solve the problem. What’s another solution?

Cat bonds for cybersecurity – the new path forward?

In January 2023, the cyber insurance market took a page out of the property and casualty insurance market playbook when a specialty insurer introduced a $45 million cyber catastrophe (cat) bond. The cat bond will indemnify the insurer against catastrophic events that exceed $300 million. It represents the cyber insurance market’s first insurance-linked security (ILS).

As demand for cyber coverage increases, cyber cat bonds could become a desirable asset to counter-balance the decreasing appetite for underwriting cyber policies.

"As an ILS investor, we have been monitoring the cyber insurance market for several years waiting for the appropriate opportunity to invest … We believe this deal marks an important step in unlocking capital market investment into cyber risk and creates a solid foundation for a future cyber ILS market."
– John Seo, Co-founder and Managing Director, Fermat Capital Management

While reinsurers and sidecars provide avenues for insurers to transfer risk to other investors, ILSs – particularly cat bonds – are another option for transferring risk from corporate balance sheets to institutional investors through capital markets. These are usually issued through an insurer’s special-purpose vehicle. Insurers can increase their underwriting capacity through use of ILSs.

According to the NAIC, cat bonds used in the life insurance and PC sectors appeal to some investors. That’s because those bonds are often based on high single-digit returns with low volatility and are not correlated to other asset classes. Their average maturity is three years.

2022: Ups and downs for cat bonds

Cat bond returns had been trending upward from March 2018 through mid-2022, as indicated by the catastrophe bond market index calculated by Swiss Re Capital Markets. Returns declined sharply after Hurricane Ian, although they recovered quite a bit of lost ground by late October 2022.

Margins on new issuances of catastrophe bonds covering US wind events are now at the highest since 2019, at 5.3% (Source: Gallagher Securities Transaction Database).

Bloomberg wrote in January 2023 that cat bond investors want higher premiums after suffering losses from Ian and as weather events become more extreme. Yet, in this time of rising interest rates, investors may find comparable, safer returns elsewhere.

Despite the ups and downs, cat bonds, in the absence of catastrophes, usually yield more than most fixed-income securities. It may be that the newly launched cyber cat bond the first step in a trend away from cyber insurance.

The CEO of a large European insurance company recently said that as cyberattacks grow they could become “uninsurable,” likening them to pandemics and climate change. His comment kicked off widespread debate about cyber risk and insurance coverage.

How a catastrophe bond works

The sponsor – an insurer, reinsurer or corporation – sets up a special purpose vehicle (SPV) that has legal authority to act as an insurer. The SPV issues the cat bond to investors. Investor money is placed into liquid collateral securities held in a trust and, usually, not usually linked to the financial markets or economic conditions. Investors receive Interest payments from the securities that are greater than that of most fixed-income securities. If a catastrophe protected by the cat bond occurs, the insurer gets paid. Investors lose their principal if the cost of the catastrophe exceeds the total dollar amount raised from the bond issuance.

More confidence in cyber risk models and better understanding of cyber threats helped make the first cyber catastrophe bond possible. Growth could be fueled by improved catastrophe modeling tools. Modeling in this sector isn’t like modeling in PC. It’s much tougher to account for mutating cyber threats.

If ILSs become a regular source of capital to cover catastrophe cyber risk, market capacity could improve. This is the year cyber risk cat bonds could begin to take off.

Where to from here?

At this point, we see a lot of opinion but no certain solution. While the conversation around cyber risk coverage can be disconcerting today, the problem is fluid. This market has come a long way in a few years. As more data becomes available and analytics become more powerful, the knowledge base will become more robust. Thus, strategic business decisions will be better informed and become a bit easier to make.