Using Insurance-Linked Securities for Cyberrisk

John Hintze


June 1, 2023

server room vault cyber security

In early January, the first insurance-linked security (ILS) transaction covering cyberrisk was completed. This potentially opens up a new source of capacity for insurers, including corporate captives, to cover the ever-growing risk of cyberattacks. The ILS market has traditionally covered natural catastrophes, but participants have mulled cyber ILS for years. Today, a confluence of factors may finally enable capital markets investors to play a role in covering corporate cyberrisk.

London-based reinsurer Beazley sold $45 million in ILS to several institutional investors, including Fermat Capital Management (FCM), a top fund specializing in ILS. The deal was privately placed by Gallagher Securities, the ILS arm of Gallagher Re, and is tradeable under Rule 144A, an attractive feature for capital markets investors because it offers more liquidity than purely private transactions. 

More deals appear to be in the works. In early March, Hannover Re completed what it called the first proportional reinsurance transaction involving a capital-markets investor. In that deal, Stone Ridge Asset Management provided $100 million to share proportionally in the cyberrisk of the reinsurer’s global portfolio. Hannover Re executives have said that they anticipate issuing a cat bond next. Executives at Aon Securities also have stated publicly that the broker—one of the largest in the ILS market—anticipates bringing a cyber ILS cat bond to market this year.   

“For corporations looking to grow their cyber programs, cyber ILS can potentially increase capacity for insurers and could be a direct alternative for companies to issue the ILS themselves to create additional capacity,” said Aon Securities CEO Paul Schultz.

Whether a cyber ILS market grows rapidly or incrementally remains to be seen, but insurers’ capacity to provide cyber coverage remains insufficient to meet demand from organizations that are experiencing increasingly sophisticated cyberattacks. This is partially because, until recently, the insurance industry lacked the cybersecurity expertise, risk models and data to measure and value the risk with sufficient confidence to allocate more capital to the peril. More recently, insurers have faced a hard market, and their capital constraints have resulted in lower limits and higher premiums for customers.

The industry’s understanding of cyberrisk has vastly improved, however, and while the hard market continues, it may actually fuel the issuance of cyber ILS as an additional source of capital. “One by one, the issues that have held back the material development of the cyber ILS market are being addressed,” according to a February report by Lockton Re.

Should the cyber ILS market continue to grow, it can help fill what Lockton calls a “huge protection gap” between the current levels of cyber insurance purchased and the total estimated consequences of cyberattacks. Those costs are on track to increase to more than $10 trillion by 2025, when the Swiss Re Institute estimates cyber insurance premiums will be less than $25 billion. “A lot of large companies simply cannot buy the volume of limit that they need and they are looking at alternative ways to fill those holes,” said Oliver Brew, cyber practice leader at Lockton Re and one of the report’s authors, in a recent interview. 

The Potential For Cyber ILS

The primary hurdle holding cyber ILS back has been the relative newness of cyberrisk. As the Lockton report noted, the cyberrisk landscape is now better understood, including both the role of cyber insurance as well as the technical and procedural controls protecting companies against cyberrisks.

For insurers, a growing cyber ILS market would mean an additional source of capital to meet clients’ cyberrisk coverage needs. In the traditional ILS market, cat bonds have typically covered excess loss at the top of the insured client’s insurance tower, kicking in only after the client experiences major catastrophe-related losses and insurance and reinsurance coverage is insufficient. For example, the Beazley cat bond will pay out only after total claims from a cyberattack exceed $300 million.

Many companies are not strangers to the ILS market, sporadically seeking cat bond protection to mitigate earthquake and hurricane risk for years now. For those seeking sufficient coverage to meet their needs, a vibrant cyber ILS market should enable them to negotiate higher limits with their insurance carriers. According to John Seo, cofounder and managing director of FCM, companies seeking cyber insurance often ask whether the insurer has ILS backing. “An insurer that is engaging with the ILS market tends to have high confidence in its underwriting because the ILS market requires the highest levels of transparency and scrutiny of the risk,” he said.

He added that a company should “manage its expectations” in terms of the impact of ILS on coverage rates, since ILS capital is expensive. Instead, they should focus more on “line size and sublimits offered against systemic loss events.”

Seo sees the cyber ILS market growing rapidly, potentially even for the next decade, assuming buyers remain willing to pay high levels for ILS protection. But given the market is still in its infancy, it may be early for the ILS market to be engaging directly with companies or their captives. One exception may be companies with significant cloud outage exposure, since that could mean significant business interruption losses. In that case, companies may be able to structure favorable loss triggers based on the length of the outage. 

Cyber Considerations

According to Brew, one key for a large company seeking significant cyber limits is to develop a thorough understanding of what constitutes a disaster for the organization. This starts with determining the types of cyber events that would have the greatest impact, such as cloud outages, widespread malware attacks or supply chain disruptions. With this understanding, the company can then more accurately determine the costs of each of the six to eight “heads of cover” present in most cyber policies, including investigation and response, business interruption, ransomware response and systems recovery. “Analyzing those exposures helps the organization understand how to design the insurance program to be most suited to its needs,” Brew said.

Explaining the company’s steps to mitigate potential catastrophic cyber events, such as measures to build supply chain resilience in the event critical vendors are compromised or key cloud providers become unavailable, is another important part of the insurance negotiation process. “If, as a buyer of insurance, you can accurately represent what percentage of revenue is reliant on internet or cloud connectivity, that can be used by insurance companies to assess the impact of an outage and how critical that service is to the company,” Brew said.

Another important area for a company to consider is its technology infrastructure, including the quality and granularity of data it presents to the insurance market. Insurers will be using this technology infrastructure to gauge the company’s risk exposure and security and risk management. Some examples of the latter include the frequency of the company’s data backups, software patching and employee training to minimize phishing attacks.

The quality and granularity of data have become more important as cyberrisk models have become more sophisticated, Brew said, since the models are an important factor in determining the pricing of coverage, whether from insurers, reinsurers or ILS investors.

Companies seeking ILS coverage directly should also consider the trigger for payouts once a catastrophic event has occurred. Given the complexity of the underlying perils and the different types of disaster scenarios that are manifested in the risk, it is likely that companies will opt for the simplest trigger structures on an indemnity basis for a single annual contract, Brew said.

“It may be a bit early to say which trigger types, if any, will be favored,” Seo said, adding that a good guess is indemnity triggers for insurers, industry-loss triggers for reinsurers and indemnity and parametric triggers for companies. “This parallels the loss-trigger tendencies already seen in the natural catastrophe ILS market.”

While he anticipates more cyber ILS deals in 2023, Schultz said that the market’s overall growth will likely be measured in the early stages as issuers and buyers of ILS search for the appropriate price. Nevertheless, the emergence of the now-$36 billion natural catastrophe bond market was spurred by similar needs for capacity exceeding what the insurance market could provide.  “If those fundamentals remain in place for cyber ILS, then we’re likely to see it grow,” he said.

John Hintze is a New Jersey-based freelance writer.