The severity of the recent data breaches at Equifax — in which personally identifiable information on over 143 million US consumers was stolen by unknown hackers — and the US Securities and Exchange Commission — whose Edgar database processes over 1.7 million corporate filings per year — underscores the enormous issue of cyber risk.
Over time, free-market economies have evolved ways to manage a variety of risks through the use of insurance. But the complex, ever-changing, and expanding nature of cyber risk has exceeded the insurance industry’s ability to serve those who seek protection. No standard insurance coverages or contract wording have yet evolved, and the historical data available to insurers that’s required to create actuarial pricing models are paltry. Even if such data existed, it would have limited predictive value due to the dynamic nature of the risk, as hackers constantly develop new methods to evade security and more and more of our intellectual and physical assets become interconnected through the Internet.
Despite these limitations,
Cyber risk insurance has become the fastest growing product in the property-casualty insurance industry. Annual global insurance premiums in the category are estimated to be $3 billion and projected to grow to $10 billion over the next several years, and perhaps to $20 billion over the next decade.
The nature and scope of cyber risk is rapidly changing. Like a cancer or a new kind of virus, the cyber threat metastasizes and evolves to exploit weaknesses and opportunities. The growth in demand and rapid change of cyber risk strains the capacity of insurers to carry the new risk. Since demand seems likely to exceed supply for the foreseeable future, a new approach is needed. That new approach will likely be grounded in the creativity of insurance innovators to develop vehicles through which the risk burden — and profit potential — can be spread beyond the insurance industry to tap into deeper pools of capital. The capital markets are great for this kind of creativity, as evidenced by the creation and development of asset-backed securities markets over the past 40 years, which brought liquidity to markets for mortgages, credit cards and auto loans.
The insurance industry, where reinsurers historically have served as the ‘lenders of last resort,’ has also seen the emergence of capital market solutions to manage accumulations of risk. These have taken the form of so-called ‘alternative capital’ products that have enabled hedge and pension funds to assume property reinsurance risk through catastrophe bonds and similar vehicles. In recent years, these products have served to dramatically decrease the cost of capital in the catastrophe reinsurance market while creating a high-yielding investment opportunity whose returns are uncorrelated with equities or interest rates.
At our firm,
Extraordinary Re, we have built a trading platform for insurance risk, initially targeting ‘extraordinary’ risk classes such as cyber. By embedding our trading platform inside a reinsurance company, we sit between the insurance and capital market worlds, enabling insurers to transfer accumulations of risk to institutional investors in the form of tradable reinsurance. This innovation allows investors to assume risk in a liquid market with the ability to control the amount and types of risk and the timeframe over which that risk is carried. That permits the allocation of capital in a more flexible manner than is possible in the insurance industry, which takes a ‘buy and hold’ approach to underwriting risk.
The creation of this risk-transfer market produces a new source of data that will provide new benchmarks for pricing and valuation, leading to new product development efforts among the insurance companies originating the risk. Such an information feedback loop is particularly valuable for dynamic types of risk such as cyber, where investors’ trading responses to real-time changes in the risk environment (including changes identified using new data sources and analytics) are likely to have far more predictive value than any historical data set.
Former Secretary of Homeland Security Tom Ridge commented earlier this year that cyber risk is now a major permanent condition facing our digital world. The damage from the Equifax and SEC breaches further evidences that risk, and dramatizes the societal need to do something about it.
While there is no way to eliminate cyber risk, there are ways to reduce, mitigate and transfer it through cyber insurance. But only the global capital markets can provide the resources of liquidity and expertise to value and manage such complex risk. If the track record of 300 years of capitalism has taught us anything, it’s that a liquid trading market is the best mechanism for allocating capital and pricing risk in a dynamic and changing environment.