Cyber cat bond market participants expect the space to grow in 2024 but on a slow and steady trajectory, as some of the concerns that initially held back ILS investors continue to restrain their steps in the sector.
The market is still in its infancy after transacting four bonds worth $415mn last year. And concerns need to be addressed around the accuracy of modelling, correlation to broader equity markets and diversification between the bonds before investor demand becomes stronger, sources said.
However, given the fast-growing nature of the broader cyber market, the long-term potential remains huge. Swiss Re data shows the cyber market tripled in value from 2017 to the end of 2022, when it reached $13bn in gross direct premiums, and the reinsurer expects this to reach $23bn by 2025.
Further diversification of cyber ILS structures would be one trend that could aid the speed of growth in the ILS space.
Peter DiFiore, managing director at Neuberger Berman, said that “the market is going to grow much slower than people think over a short period of time, but in the long term will be much larger than people think”.
Matthew Silley, a cyber broker at Lockton Re, is also cautious on the speed of growth, stating: “I don’t expect to see a material shift in the size of the market. It is on a slow journey and will take time to grow.”
Theo Norris, head of cyber ILS at Gallagher Re, estimates that there are currently upwards of 15 investors in the cyber cat bond market.
This compares to a total of 67 ILS funds tracked by Insurance Insider ILS within the space, across both specialists and non-specialists. Not all these will be active in cat bonds specifically, and some may only participate via specialists, but this does provide an indication of how far the market has to go to catch up to the nat-cat side.
However, Norris predicted that there could be a record number of investors involved in the market in 2024.
He expects it “could be on the road to billions of cyber ILS capital deployed within the next three or so years”.
The market is going to grow much slower than people think over a short period of time, but in the long term will be much larger than people think
Moreover, it is not just growth from the investor side of the market that could pick up pace.
One potential driver of the market is new larger insurers looking to enter the space, following Beazley, Axis, Chubb and Swiss Re kickstarting transactions last year.
Silley believes that “there are large carriers out there that I’m sure will be looking to catch up and join them.”
Dirk Schmelzer, a senior fund manager at Plenum Investments, said that as cyber transactions moved into the more formal 144A market last year, from some private deals initially done, this built confidence the deals could be executed.
“I would think a lot of work is going on in the background for larger companies looking to bring a 144A.”
Schmelzer also added that we may see funds that were interested in participating in last year’s issuance returning this year, adding to the size of the market, again due to the execution of deals in Q4 instilling confidence in the asset class as an investment.
Modelling concerns
One of the issues that could be stunting the growth of the cyber cat bond market is modelling.
Schmelzer said: “There is naturally more modelling uncertainty within the cyber market that is probably not going to go away because it is a dynamic and constantly developing risk.”
However, others have argued that the dynamic nature of cyber risk has a positive side. At the New York conference hosted by this publication last year, HSCM founder Michael Millette argued that cyber loss events can be more actively managed and defended against.
“In cyber, unlike nat cat, you can stand on the shoreline and deflect a hurricane.”
Unlike natural catastrophe modelling, cyber doesn’t have the benefit of years of historical data to validate the outputs the modelling produces.
Sources told this publication that there needs to be further convergence between the two major vendor models, RMS and CyberCube, to build trust from ILS investors that expected losses are accurately being predicted.
The table below from Guy Carpenter shows the wide range of expected losses from CyberCube’s own modelling of the five most impactful scenarios from the 23 available options.
A major event would also help stress test the effectiveness of the models.
“Modelling is improving all the time: we are getting to a position where models are increasingly user friendly and with outputs more akin to that of property cat, although there has yet to be a true cyber cat event to test the models,” Norris said.
Undiversified bonds
Another concern that could limit the pace of the market’s growth is that the end investor is worried about the correlation between the cyber bonds, sources told this publication.
Essentially, it is unclear how large the ramifications of a major cyber event would be, and as a result, the bonds that came to market last year are not as diversified as investors would like.
For example, Axis’ Long Walk Re deal provided coverage against systemic cyber events, while Beazley’s PoleStar Re deal provided coverage against worldwide aggregated cyber loss. While they both provide coverage for different perils and regions, investors are concerned a large cyber event would cause major losses to both.
DiFiore said: “It is unclear that when a big attack occurs, if it will impact everything or be contained, which can limit how much investors are willing to mandate into the space.”
Schmelzer added: “The cyber problem is similar to pandemic-like events, which will be felt globally, so there may be an element of increased correlation, which is something investors are uncomfortable with.”
Diversification in cat bonds can be achieved through different structures, such as a parametric deal, or varying perils – from cloud outage to data breach.
For example, a parametric deal that triggers from a widespread cloud outage that lasts longer than six hours would be a clearly defined peril and trigger in comparison to losses from a systemic cyber event or worldwide aggregated cyber loss.
Tighter wordings to hone in on the specific cyber act that is covered would also offer diversity between the bonds, such as coverage provided against a malware attack versus a ransomware attack.
In cyber, different perils like ransomware and cloud outage are as distinct in their propagation and aggregation as earthquakes are from hurricanes
Lloyd’s director of portfolio risk management Kirsten Mitchell-Wallace discussed cyber risk aggregation potential during last week’s market message.
She said that Lloyd’s analysis showed that combined losses for all four major cyber loss scenarios would be on a par with the largest single-event natural catastrophe projected loss (or realistic disaster scenario in Lloyd’s terminology).
However, she said that the chances of all four cyber loss events occurring together were remote.
“In cyber, different perils like ransomware and cloud outage are as distinct in their propagation and aggregation as earthquakes are from hurricanes.”
Correlation to equity markets
There are also questions on how uncorrelated the asset class is to the broader financial markets.
History has shown natural catastrophe ILS is relatively uncorrelated to the equity markets, which is a reason why many pension funds invest into the space.
Schmelzer said: “A concern from our investors is that if the tail events that 144As provide coverage for were to happen, we would see quite substantial financial market reaction. Investors don’t like this because the appeal of nat-cat ILS is that it is relatively uncorrelated to the financial markets.”
However, Guy Carpenter’s “Double Whammy?” report said there was a “lack of clear connection between any observable historical cyber events and a stock market downturn.”
The report shows the S&P reaction to global events, including cyber events such as NotPetya, which is to date the largest reported cyber event, to show the lack of correlation they have to the S&P.
The NotPetya attack, which occurred in 2017 and initially targeted Ukraine before spreading globally, is believed to have incurred losses of $3.5bn globally, this publication previously reported.
The table above shows the lack of correlation between that attack and broader market reaction, and that NotPetya would not be considered catastrophic in terms of losses, even though it was a global event.
A cyber loss event equivalent to Hurricane Ian would better test the strength of the correlation between the cyber and the equity markets, sources said.