More mature risk models 'to drive capacity into cyber market': CyberCube's Bole

The growth potential of the global cyber insurance market is huge, with a recent report by Howden predicting the market could exceed $50bn in premium income by 2030. But some of the obstacles in the way, not least the ability of primary cyber writers to access reinsurance capacity, are equally huge.

Only around 45% of cyber premiums written in the primary market are ceded to reinsurers at present. Howden, for example, warns the appetite of the reinsurance market for cyber risk will have to scale up significantly to meet the demand for cover between now and 2030.

Others, however, characterise the state of the cyber reinsurance market right now as fairly typical for a market dealing with an emerging peril. “An important function of the insurance market is to engage with and transfer emerging risks from enterprise balance sheets and the market is doing exactly that with cyber,” Rebecca Bole, head of industry engagement at cyber risk modeller CyberCube Analytics, says.

“To quantify cyber risk does require analysing significant volumes of data. But I would argue rather than it being difficult for the insurance industry to find that data, the problem is almost the opposite – there is too much data and it is really about the expertise to make judgment calls as to what is insightful, actionable data”
_{Rebecca Bole
CyberCube}

Reinsurance support is critical in creating a robust insurance market, Bole argues. But, in the case of cyber, the industry as a whole is in the process of getting to grips with the threat environment and ensuring its products and policy wordings are fit for purpose. “I don’t think this should be put just on the reinsurance market,” she says. “A close to 50% ceding rate on an emerging risk from the primary to the reinsurance market is pretty good.

“It is not as if the reinsurance market is not supporting the primary market. But, in any emerging market context, there is always going to be a tension between the speed at which more capital and capacity can be committed to meet the demand for cover in the market.

“That pressure will always be there for both primary carriers and reinsurers,” Bole adds.

A model view

In addition, quite a few things have changed in recent years, particularly in the area of cyber risk modelling and analytics, which, alongside accurate risk selection and pricing, is as critical as reinsurance support for the development of a robust cyber insurance market, Bole says. “Risk selection and pricing are enhanced and better understood by having a model view of the risk,” she continues.

Since their emergence eight years ago, cyber catastrophe models have now reached a level of maturity and are increasingly used to reduce the uncertainty at the extreme end of the loss curve for insurers, reinsurers, insurance-linked securities (ILS) investors and other stakeholders such as regulators and rating agencies, Bole argues. “The models give them the confidence to make decisions because the dimensions of the risk are now a lot clearer to them than before. With time, as we have seen with other more mature perils, primary carriers will become more comfortable with their own risk and exposure management.”

There have been several iterations of the basic cyber risk model. The main models in use in the market are now on version five and above, Bole says. “Those changes have been really important in helping to quantify the risk and incrementally build confidence to enable more capital and capacity to come into the market from the re/insurance and ILS sectors,” she continues. This is despite the fact cyber catastrophe risk modelling is still a relatively young discipline, particularly compared with the modelling of windstorm risks.

Much of this progress in cyber risk modelling has been driven by two key factors, according to Bole. First, the commercial opportunity represented by cyber is too big for insurers and reinsurers to ignore. Second, by the growing concerns of governments and regulators about the size of the systemic risk exposure represented by the cyber threat.

Commercial opportunity

The risk modelling sector, she says, is not leading a reluctant horse to water. “The commercial opportunity is real and insurers and reinsurers want to underwrite this risk. There is huge interest from the ILS sector to transfer catastrophic cyber risk into the capital markets and provide much-needed capacity,” Bole says. “Cyber crime is a big issue for society and the peril is not going to go away.

“Whichever survey you care to select, cyber features as the number one risk in the minds of corporate risk managers. In addition, cyber historically has been a profitable line of business for the industry.”

The ILS sector is critical to the long-term sustainability of the cyber insurance market. The sector, according to Bole, has taken some key steps forward this year, including the first two cyber catastrophe bond trans­actions sponsored by Beazley in January and May. Both transactions were modelled by CyberCube, whose risk models account for two-thirds of the global cyber insurance market by premium income. There have also been a number of innovative private cyber ILS transactions this year, including quota-share transactions. “Those prototype transactions have tested the appetite of fund managers for cyber risk and that appetite was found to be there,” Bole says.

The market will soon see other ILS transactions, including different structures, triggers and event definitions being tried in the market, according to Bole. “ILS investors are educating themselves on cyber,” she says. “We are having detailed conversations with many of these investors. Some of these are clients who have licensed our products, including analytical tools, to really understand the market in greater detail. Others are still educating themselves about the extent to which they might be able to productively deploy their capital in this space.

“I am very optimistic the ILS sector will become a meaningful capacity provider for cyber risk. We are starting to see the first signs of that now,” Bole adds.

The likelihood of a major cyber event affecting multiple risk portfolios across the primary and reinsurance market markets is very real and an equally important driver behind the investment in cyber risk modelling. CyberCube itself has invested more than $100m in risk model research and development over the past five years. “There is clearly a move by regulators to understand what a realistic catastrophic cyber event looks like and then to start to ask questions of carriers in their jurisdictions,” Bole says.

Actionable data

Bole is sceptical of the claim the cyber insurance market has an issue with getting hold of sufficient quantities of data to build workable risk models. “To quantify cyber risk does require analysing significant volumes of data. But I would argue rather than it being difficult for the insurance industry to find that data, the problem is almost the opposite – there is too much data and it is really about the expertise to make judgment calls as to what is insightful, actionable data. The real skill is how to create actionable insights from those vast pools of data,” she says.

The challenge for the risk modelling sector is cyber is a man-made and dynamic peril, which means it is less reliant on historical data than other perils. “This is not to say historical data is not relevant to the analysis of cyber risk but, in the case of cyber, historical claims data in itself is less of an indicator of future loss activity than it is with other perils,” she says.

As with any developing market, there are always first movers, according to Bole. The same goes for regulators and rating agencies. She says: “There are certain regulators and agencies that are more advanced in their approach to cyber as a catastrophe risk and its impact on both rated and non-rated entities.”

For example, Lloyd’s has developed a set of realistic disaster scenarios with the help of CyberCube and Guy Carpenter. Similar measures have been rolled out by the Prudential Regulation Authority (PRA) in the UK, the Bermuda Monetary Authority and the Singapore Monetary Authority. The European Insurance and Occupational Pensions Authority has recently submitted a request for comment on proposed stress test scenarios. “All of these regulators are thinking about realistic disaster scenarios that could impact the insurance market. Some are conducting financial stress tests with specific cyber risk scenarios they have drafted.”

Regulatory pressure

This level of scrutiny around man-made catastrophe risk management on the part of the authorities is placing enormous pressure on companies in the market, highlighting the importance of risk analysis and modelling. Indeed, the issue came to a head for the London market nearly a year ago when the PRA warned far too many carriers operating in the market were not able to calculate the scale of potential losses from non-natural catastrophe risks such as cyber and other emerging risks. The PRA was responding to the results of stress tests it had previously conducted.

London market carriers were also unable to put in place appropriate risk measures to manage these exposures, according to the PRA. As such, it warned, they were underestimating their real capital requirements and exposing themselves to significant losses. In the case of cyber, the PRA found London market carriers were using cyber risk models but, in quite a few cases, their use of the models was inconsistent.

CyberCube collaborated with the PRA as part of its broader consultation in 2021. “Our role was to educate and inform and to act as a sounding board. We very much believe regulation drives best practice,” Bole says.