Cybersecurity Insurance: Catastrophe Bonds Ready to Take the Market by Storm!
There is a possibility that cyber catastrophe bonds are on the verge of transitioning from private negotiations to becoming publicly traded in the debt markets.
So-called kitty loans, which allocate hard-to-insure risks to capital markets investors in exchange for double-digit returns, are typically built around natural disasters like hurricanes. But when the potential fallout from business-stopping cyberattacks grows too large to insure, issuers seize the moment.
Beazley Plc, which owns specialist insurance companies across Europe and the US, is exploring a potential $100 million cybercat loan, according to insurance-linked securities research firm Artemis. And Axis Capital is preparing to issue a $75 million cyber disaster bond, according to a preliminary offering document seen by Bloomberg.
Spokesmen for Axis Capital and Beazley declined to comment on the deals.
The broader market for cat loans is likely to reach a record $40 billion this year. Much of the growth has been accelerated by climate change, as extreme weather shocks threaten to make insurance companies’ business models unsustainable. For this reason, some of the most active players in the cat loan market are reinsurers such as Swiss Re AG and Munich Re AG.
Investors have been attracted to yields that dwarf those of US Treasuries. This year, the Swiss Re Global Cat Bond Performance index is up 18%, while the Bloomberg US Treasury index is down about 1%.
Cyber-lenders want to protect themselves from financial losses that could result from a major cyber-attack, including lost revenue, legal costs and legal fines.
According to a recent report written by Kathleen Faries, CEO of Artex Capital Solutions, insurance-linked securities “provide some level of comfort to corporate boards and owners of balance sheets in the event of a major cyber event.”
But with limited historical data to analyze and increasingly sophisticated forms of cybercrime, investors face unusually high risk.
“We have decades of data on hurricanes,” said Marco della Giacoma, a portfolio manager at Tenax Capital, a London-based hedge fund that regularly invests in cat bonds. “But pricing cyber risk is more difficult.”
Tenax analyst Toby Pughe says the cyber model is hard to trust. “If they say the loss estimate is 1%, it could actually be 5 or 6 percent,” he said.
Other investors said they welcomed the opportunity to get more into the insurance-linked securities market.
“We are now seeing leading cyber insurers positioning themselves to tap into the ILS market with open contract structures that target catastrophe risk – not destruction risk – in a format and pricing level that we believe is attractive,” said Joanna Syroka, head of new markets for Fermat Capital Management, one of the largest cat bond investors.
Fermat “will consider all contracts when they are released,” he said. “Cyber could be the fastest growing line of ILS in line with the growth rate of the underlying cyber insurance market because there is not enough internal diversification within the risk.”
Paul Bantick, Beazley’s global head of cyber risk, said the threat of cyber losses is now such that “traditional reinsurance can’t get you there”. While he declined to comment on specific deals, Bantick said the message from investors is “now is the time” for cat bonds to fill the reinsurance gap.
To date, a handful of cybercat loans have been issued, three of which were privately issued by Beazley. The new securities expected from Axis and Beazley are significant because they are likely to trade on the secondary market, providing access to a much wider pool of hedge funds, pensions and other investors.
Hannover Re, which insured about 800 million euros ($856 million) in cybersecurity premiums last year, is also exploring new markets.
“I’m pretty sure we’re using cat loans to transfer cyber risk to capital markets,” said Henning Ludolphs, CEO of the German reinsurer. “This could happen sooner or later, maybe even within the next few months.”
The list of known cyber attacks is long and growing. In 2017, suspected Russian malware shut down Ukrainian banks, government agencies, drugmaker Merck & Co., and transportation giant A.P. Moller-Maersk A/S, according to the White House, an event that cost $10 billion in losses. In 2021, an attack on the Colonial Pipeline company’s computer network cut off US oil supplies.
Last year, the number of ransomware attacks against industrial companies alone increased by 87%, cyber security firm Dragos Inc. estimates. And just this month, Industrial & Commercial Bank of China Ltd. suffered a cyberattack that prevented it from removing stores. The incident forced customers of the world’s largest lender to reroute transactions, forcing brokers and traders to assess the extent of the impact.
In the United States, cybercrime losses rose 48 percent last year to $10.2 billion by 2021, according to the Federal Bureau of Investigation. According to a recent survey of CEOs by PwC, a quarter consider their companies to be very or extremely exposed to cyber risks in the next five years. They are more than the 22 percent who expressed similar concerns about the threat of climate change.
The perceived risks are reflected in the costs. Munich Re estimates that insurance premiums that companies will have to pay to insure themselves against cyberattacks will nearly triple to $33 billion between 2022 and 2027.
“Cyber risk is one of Munich Re’s key strategic growth areas,” said Chris Storer, director of the reinsurer’s cyber competence center.
Theo Norris, head of cyber-related securities at Gallagher Securities, said that “there are enough ILS investors to reduce the capital needs of the cyber insurance market.”
For Gallagher Securities, which built and placed Beazley’s private cyber cat loans, the goal is to “continue to build on this to attract even more ILS investment to support our clients and ultimately make cyber insurance more accessible and affordable,” he said.