Takeaways:
- Reinsurers' margins on backing cybersecurity insurers are narrowing
- Insurers can securitize cyber coverage risks
- Insurers should model cyber risks to price appropriately
 
The 

Cyber insurers also have securitization of cyber risk available to them as an additional protection, noted Rory Chisholm, VP and cyber reinsurance broker at Gallagher Re.

Reinsurance, another backstop for cyber insurers, has become a buyer's market, according to Tatjana Loepker, cyber treaty underwriter at SCOR. "When an insurance company is buying reinsurance, they're basically sharing losses for a portion of the premium," she said. "The margins have been deteriorating."

Ransomware losses are accumulating for reinsurers, partly driven by secondary losses when customers of companies targeted by cyber attacks litigate for compensation, Loepker explained. "We need to deal with the aggregation and systemic risks coming from this multitude of losses being triggered by ransomware," she said.

Cyber insurance-linked securities (ILSs) increase the capacity of available cyber insurance by securitizing the risks. Cedents – the insurance companies that transfer risks to reinsurers – developed securitization starting in 2017, with

"Cedents that have cultivated investor relations will be well positioned for when the market does turn," said Chisholm. "They will be able to scale and have ready access to underwriting capacity. It will definitely take others that are moving in the hard market, a little bit longer to cultivate and get those investments comfortable."

To get a better handle on cyber risk, insurers should model correlations of events, according to Neeti Bhalla Johnson, president of global risk solutions at Liberty Mutual. "Are we modeling correlation or merely counting accumulation? Accumulation says lots of losses happened at once. Correlation asks, why did they happen together, and will they happen again together?" she asked. "To unlock durable capital, we need better scenario analytics. We need models and portfolio limits that traverse shared dependencies, cloud regions, identity providers, core vendor platforms, and widely used open source components. Then we need to price and limit those concentrations, not just report on them."

Insurers also must reckon with how to manage the secondary losses that can result from litigation or harm to parties other than the primary target of a cyber attack, Johnson explained. "Will we manage the tail by exclusions and by litigation, or will we manage the tail explicitly through structure and price?" she asked. "Let's have contractual clarity around systemic triggers and more related questions. Let's be candid about what sits within the private markets' appetite versus what extreme catastrophic events might require. We have to price and structure through it, exploring alternative capital solutions and alternative capital markets."






