Cyber: The defining risk of our time

Executives from around the cyber market agree that it is “the defining risk of our time”. While the market has recently seen more meaningful capital entry, and rates appear to be holding for the time being, the industry has not yet been able to fully comprehend a ‘Black Swan’ event – increasingly defined as a cyber attack having serious physical asset ramifications.

But according to Roman Itskovich, co-founder and CRO at cyber insurtech At-Bay, when demand for this event type increases, the market should be ready to help provide coverage.

“Certainly, cyber risk can manifest into a lot of different shapes and sizes, and we're always having these discussions,” said Erica Davis, global co-Head of cyber at Guy Carpenter.

“Currently, [physical risks] aren't typically included as part of the cyber product today, but this class will continuously change as the risk evolves,” she added.

On that point, Itskovich elaborated: “We exclude property and physical risk in our policies, but cyber as a product has evolved through excluding cyber coverages and carving it out from other policies – from property and casualty, and some other stuff.

“I actually think this could be an opportunity where you make it explicit, price it, limit it, and then bring it to market. We don't see demand for that type of coverage yet. But, I think that if there were demand, this is something that we will be adding to our cyber product, and thinking about how to price,” Itskovich added.

Davis added: “There's better clarity on the non-cyber lines of business around what that intent looks like. Some of the modelling capabilities do factor in cyber risk impacts beyond the cyber product intent. But that's not a conversation we've had more recently, in terms of the cyber risk transfer.”

Itskovich and Davis made these comments during The Insurer TV’s Casino Square Session on cyber in Monte Carlo during the reinsurance Rendez-Vous, and were also joined by Jonathan Spry, CEO and co-founder of EnvelopRisk.

The three executives highlighted continuing changes in cyber attacks.

“You need to be on top of it,” noted Itskovich, adding that changes “matter for attritional loss performance, but they also matter in how you think about aggregation and cat scenarios”.

The At-Bay executive highlighted the importance for active risk management: “We believe this is a risk that can and has to be mitigated before it materialises into loss. And that's always something that we're looking at.”

“This is a complex area, and it has not been one that sits very well in the traditional pigeonholes of insurance,” Spry added.

“Is this an attritional class? Is it a cat-exposed class? Do any of us truly understand the nature of a risk? So, there is a lot of discussion required. But the reality we have now is that the gut feel that we've all held about cyber for many years is now backed up by more and more evidence and the data, the track records are now there. So, we can actually have far more informed and transparent discussions around our success and our performance today,” said Spry.

Cyber war coverage

Similar challenges have arisen in defining and covering war risk, which was in the spotlight earlier on this year when Lloyd’s announced that state-backed cyber attacks would be excluded from standalone cyber policies emanating from Lloyd’s. The move created concerns around both coverage gaps and market competition.

Erica Davis commented: “This is definitely something that, as an industry, we've been working on for six to 10 years now: looking at how to refine those wordings, how to bring better clarity to policyholders and across our clients and the reinsurance partners.”

She added, “I think what's most important is to reinforce that cyber war exclusions have always been on these policies.”

London-based Spry added there will never be consensus on what should and shouldn’t be covered in these situations, but added that the market as a whole has “invested heavily in understanding aggregations risk and tail risk. So, these types of elements and the state-related threat actors are things we think about all the time.

“We're quite comfortable to be part of that discussion. We would struggle to see how it's possible to completely eliminate that risk, particularly given questions around attribution and so on. So, I think, getting to understand the risk is often just as important as the comfort that might be afforded by exclusions and wording,” Spry added.

Market dynamics

Given the panel’s backdrop of the largest annual meeting of reinsurance executives, the topic of reinsurance capital growth in the cyber world inevitably came to the fore.

“We have seen far more capital enter the market in 2023. I think evidence of the market's performance improving, as well as the depth of the data quality, is bringing enhanced confidence to what that view of risk looks like,” said Davis.

Itskovich added that “[t]he rate level has been adequate,” but admitted that “we have not seen increases, like we saw last year, but we are at a very high level right now – so, it feels like a good place to be”.

The executives welcomed the capital influx, emphasising that, due to the highly specialised nature of the market, cyber insurance is less of a short-term capital play:

“We see part of our role as to go off and help manage the expectations and manage the volatility associated with capital, then we can face the market in a consistent kind of relationship-driven manner,” said Spry

Itskovich added: “The broader reinsurance market still doesn't have a very strong gut feel about cyber and how it will behave. An example of that is how divergent cat models are.”

He also noted that the market still has further progression in terms of modelling cyber: “It's all about how we can get more data, more iteration, so that there is a broader understanding of what it is. I think we've made a lot of progress over the last few years, but there's still a long way to go.”

Alternative capital

During the panel, the trio of panellists made specific mention of alternative capital, and how it might be utilised within the cyber market.

Spry noted that there is “a lot of attention on structures and the evolving nature of non-proportional reinsurance.”

“We're seeing a lot more interest in current or event-based covers, and how that will service a client's needs,” he added.

Davis highlighted the need to continue explaining cyber to capital partners, who often fail to fully understand the risk.

She also expressed the need for “a better understanding of the product intent, ways to put parameters around what a cat bond could potentially look like, and then making sure to bring a very data-driven, technical view of risk to market.

“Analytics are playing such a big role in the market evolution and the capacity that it can bring.”

Summing up the discussion, Itskovich noted that “more capital will come in and, most likely, from the outside. We are still unsure about structures and how exactly it will pan out. If you ask me in a decade, I think we'll see a lot more capital. I think we'll see a much bigger market and, I think, we'll see a much more diversified panel of capital providers for this market.”

Spry concurred, adding, “I think capital providers can generally see that there is a very long-term, ‘here to stay’ type opportunity. The oil tanker is turning, and I don't think it will turn back any time soon.”