In an age where technology companies lead the equity markets and economic activity increasingly takes place online, cyber attacks have the potential to cause large amounts of damage.
For example, Aon analysts recently estimated that a hypothetical cyberattack on a US hydroelectric dam could cause up to $56bn of economic loss and total insured losses of up to $10bn.
Such forecasts about the potential damage of cyber disruptions have led to speculation about whether significant volumes of the risk are set to be offloaded onto the capital markets through catastrophe bonds or other ILS products. The sector is traditionally dominated by exposure to natural catastrophes in the US.
Singapore this week made a bid to link cyber insurance to the ILS market.
At the country’s International Reinsurance Conference, minister for finance Heng Swee Keat announced the launch of what he called the world’s first commercial cyber risk pool. It will commit up to $1bn in capacity.
The minister said it would combine traditional insurance and the ILS markets to offer bespoke cyber coverage. He said 20 insurance firms had indicated their interest in participating in the pool.
And last week AIR Worldwide, one of the two big modelling companies in the ILS sector, announced it had developed a new probabilistic model for cyber risk. This would account for the impact of security breaches and downtime for cloud service providers on insurance portfolios.
As many deals rely on AIR’s modelling, its modelling activities will be closely watched.
The model “will reinforce our ability to develop and deliver innovative cyber insurance solutions, such as cyber industry loss warranties (ILWs), and work with insurance-linked securities (ILS),” said Ian Newman, partner and global head of cyber at Capsicum Re, in the accompanying press release.
ILWs give market participants the ability to insure themselves against total industry losses exceeding a certain amount.
“We also believe analytics are key to the market of the future, which will consist of three core classes: property, casualty, and cyber,” Newman added.
Not so fast
But cyber risk still represents a challenge for ILS investors.
Firstly, there are few historical data points. When it comes to assessing the risk of a hurricane hitting Florida, or an earthquake striking California, cat bond investors have a lot of precedents to look at. That’s not the case with cyber.
There are also concerns about how many cyberattacks go unreported. According to The New York Times, in 2017 only 24 companies reported cyber breaches to the SEC, as public firms are supposed to do if an attack is material.
But the paper reported that over the course of the year there were more than 4,500 attacks on American businesses.
The second challenge relates to correlation. When ILS funds market themselves to institutional investors, a main argument they can deploy is that ILS is largely uncorrelated to other financial markets.
At the extremes, a gigantic storm could cause other assets to plummet in value. But in most cases events are largely decoupled. ILS funds suffered from hurricanes Maria, Irma and Harvey last year as equity indices powered on in the US.
Such arguments about historical data and correlation have not stopped more exotic perils getting snapped by investors in an ILS format: Credit Suisse has sold a security to cover itself against operational risk, for example.
But a cyber attack against financial market infrastructure or a big bank could easily cause devastation in traditional securities markets — at the same time as triggering a cyber risk cat bond.
The benefits of better insurance coverage for cyber risk are huge, and Singapore and others will surely move to capture what could be a large market. But investors will likely stay cautious, thanks to the problems of correlation and calculation.