Thomas Johansmeyer, head of Property Claim Services (PCS) at Verisk – insurance solutions, talks to Emerging Risks about the continuing challenges of the cyber market, and why we might soon see an offensive cyber campaign related to Russia-Ukraine.
Cyber protection: companies are desperate for it; carriers are wary, with capacity increasingly at a premium.Why is this and what can we do to change this?
First and foremost, the cyber market is just rough right now. Why do insureds want it? Because the threat level is the highest it has ever been and it keeps growing. Up until COVID-19 there was a belief that buyers would buy as much as they could at any price, which was kind of true, though there were limits. And once the pricing on the tower starts to become inverted, it’s usually a sign that something is askew as well. So, there was a situation heading into the pandemic, and with the pandemic companies started to re-evaluate what was truly an existential risk. Cyber wasn’t as bad a risk as they thought, it seems.
At the moment, anyone who has massive growth plans based on premium growth based on rate increases and at least no change in prior limits might be in for a rude awakening, or at least an unpleasant surprise. That’s because buyers are re-evaluating what they will buy. Insurers are keen to take advantage of rate increases without having to allocate massive amounts of capital to the space, which means that premium increases could drive enough growth even if buyers reconsider how much cover to secure.
That’s insurers. Looking at reinsurers, they seem to love cyber. Especially with the rate increases recently, it’s been fantastic. The problem is that losses have developed, with some 2018 and 2019 surprises surfacing in the middle of last year, and I think 2020 will shape up to be a particularly difficult loss year, though nobody is going to know fully for a while.
More concerning though is that cedants are probably ceding 55% of the premium they write to reinsurers, which means they are not holding a lot of the risk. And the only way for them to grow is to cede more. So, underlying cyber insurance industry growth relies directly on increased reinsurer capital allocation, which the cyber underwriters want but which the CUOs and ERM people are putting the brakes on.
What do you do? You go out and buy some retro, right? If you are in cat you can do that all day long… but that does not exist in cyber… cyber retro, where it exists, is heavily broked, definitely bespoke, and not terribly big. So, what do you do? Well 75% of the London market is calling for the ILS market to become involved, and the other 25% is saying to themselves that the ILS market is not going to do anything. The reality is somewhere in the middle. There is a place for the ILS market, but we need to see some more groundwork first. And cyber ILWs will probably be a useful point of entry for many.
I have said almost every year for almost half a decade that this is the year we are going to see cyber ILWs. I’m going to keep the streak alive and say it again now. The difference is that I know of a couple of transactions that are being worked on right now.
-How far away is the market from sufficiently robust loss data to be truly comfortable when it comes to writing cyber?
We have loss data, but the problem is there haven’t been many cats. There is the sense that you have to stick your neck out into the unknown to make a new line of business work… what’s interesting is that in cyber there is no shortage of data, there is a shortage of insurance data.
The threat environment right now is tricky, and I am getting question after question about Russia-Ukraine. The big problem is that the tanks are lined up on the border, but COVID is still tearing though Russia, and soldiers don’t fight as well when they are sick.
Cyber could offer an alternative to traditional military action. I think that some amount of offensive cyber is going to be really interesting but the model for classifying these things is going to have to be re-thought. There are three main categories of activity, state-active, state-sponsored and state-accommodated, with the other category the lone nut in his basement.
State-accommodated is what you are seeing with Russian ransomware, which is that ransomware gangs can go out and attack foreign targets. They can gain ransomware income while also contributing to the destabilizing effects that achieve a pollical objective.
Looking at Russia-Ukraine, you have to ask whether we might see ransomware gangs kicking up their activity in the West because they have some amount of distractive cover from offensive cyber operations?
This might actually help the cyber retro market, because if you are looking at something that might attach at a 150-200 point industry loss ratio, then they are looking at events which are 15x the largest affirmative cyber loss from a cat. You can do the math and get yourself up to a $5 billion loss; that’s doable. So, with that you realise how remote that is relative to the nature of the threats that are occurring. As an ILS fund or as a rated retro writer you can go out and do the cat bond or the ILW, attach high enough that you are going to be safe, and get enough rate on line because the threat environment pushes that up enough so you clear historic ILS hurdles. You are sitting above the losses but taking the first steps to building a robust market.