The global IT outage caused by a defective software update from CrowdStrike has highlighted the “persistent uncertainty” in the cyber catastrophe bond and insurance-linked securities (ILS) asset class, rating agency AM Best said, also highlighting that there is uncertainty surrounding the tail and potential for loss development, which it seems is misunderstood.
On CrowdSrike, AM Best commented, “This incident serves as a real-life example for stakeholders to further their understanding of cyber coverages, policy language, and event definitions, as well as to understand how accumulation risk can be modeled and managed.”
Adding, “The CrowdStrike outage could bolster demand for cyber reinsurance coverage, and cyber ILS will continue to play a part in providing that capacity.”
AM Best explains that ILS investors are looking to get paid for some of the uncertainty associated with cyber risk being a relatively new and less well-understood class of reinsurance business that catastrophe bonds are now covering.
While the average multiple of expected loss paid by cat bonds covering natural catastrophe risks in the fourth-quarter of 2023 was 3.4, for the cyber cat bonds issued during the same period the loss multiple averaged 7.25 times the expected loss, while the range was from 5 to 10.3 times.
Without doubt there is a novelty premium associated with cyber risk currently, but as well as it being new, or novel to investors, there is also a good deal of uncertainty over the peril itself still.
AM Best said, “Although investors find several features of cyber cat bonds appealing, the CrowdStrike outage highlights the persistent uncertainty for this asset class, which is also demonstrated by the high loss multiples of the cyber cat bonds issued so far, compared with the average loss multiple of natural cat bonds issued during the same period.
“The high loss multiples demonstrate that investors want to explore this asset class prudently by receiving adequate compensation for the uncertainty they are accepting.”
The industry has worked hard to educate investors and to get them comfortable enough with the cyber model output and the peril itself, to get the first wave of cyber catastrophe bonds to market.
While cyber risk is uncorrelated with natural catastrophe risk, so can be additive to the diversification of a cat bond fund or investment strategy, AM Best highlights other factors it believes have fuelled investor interest.
“Helping to fuel investor interest in cyber cat risk is the general perception that such risk is relatively uncorrelated with the broader capital markets, except perhaps in the extreme tail of the loss distribution,” AM Best said.
Going on to say, “Investors also perceive the cyber risk loss development lag to be relatively short.”
Which is where the second part of our headline to this article comes in, what about the tail?
AM Best’s statement above is intriguing and it is a question that comes up frequently in discussions about cyber cat bonds, whether the potential for loss development lag with major cyber catastrophe events is particularly well-understood yet.
Our discussions with market participants suggests that this is one of the key factors that has held some cat bond fund managers back from allocating to the cyber cat bonds successfully issued so far.
There are a number of live cyber insurance industry loss events that are still seeing their estimates develop, some well-over 12 months after the cyber incident began.
Cyber has both the potential to be very short-tailed. A major cyber catastrophe of the severity level that could actually trigger cat bonds would likely see the development of loss quantum being very fast, so clarity over losses may be understood reasonably quickly, is one opinion.
But, there are cyber attack vectors that can develop losses more slowly and this has potential ramifications for both sponsors and investors in cyber cat bonds and ILS, as the structures may in time need adjusting to allow for longer development periods, some also believe.
The potential tail, and therefore risk of collateral being held while a cyber loss event develops, is a key area of uncertainty and one that concerns a number of cat bond fund managers and investors we’ve spoken with.
Over time we should see the market developing a better understanding for the potential tail risk and loss development lag that may occur under certain cyber scenarios. But it’s certainly not the case this is considered a short-tail peril by everyone, in the cat bond market.
It’s important to qualify that, this isn’t necessarily a problem for the emerging cyber catastrophe bond market, it’s just a consideration that needs to be made and in fact another difference to nat cat perils that continued education is needed for.
Natural catastrophe events have also often exhibited far-longer tails than ILS investors had anticipated, with loss development times for earthquakes and hurricanes both having been longer, than perhaps was envisaged until that more complex loss event is experienced. In fact we’re still seeing loss development on hurricane Ian that has impacted a handful of cat bond positions.
Cyber risk in the ILS market remains very new and the understanding of it, while increasing, does remain relatively limited as a result.
The potential for tail risk to emerge in cyber catastrophes, that could drive trapping of capital, is something ILS managers are acutely aware of and with a peril like cyber it may be that structural innovation is the way to go. With a slightly different approach to extension clauses perhaps a viable area to explore, should uncertainty over the potential for cyber event tails persist.
We expect the market will innovate around cyber risk, as more is learned from events that occur, whether they threaten the cat bonds in-force or not, and that this could in time also drive improvements to catastrophe bonds more broadly.
There’s a lot to learn on cyber still for the ILS market and lengthier loss development timelines can emerge suddenly, based on the specifics of an event (as also seen in nat cat risks).
More event experience is needed and losses like CrowdStrike provide a valuable learning experiences for the ILS market, which should help structurers develop solutions to any tail-risk that could become evident with certain loss scenarios.
Overall though, we concur with AM Best’s assumption that CrowdStrike highlights uncertainty. But we believe that the market will continue to learn and educate, to respond to this and seek to reduce uncertainty in structures, triggers and models. At the same time the cyber models continue to improve, as they too learn from events and attack vectors that appear.
AM Best concluded, “Demand for cyber coverage in the primary market is expected to increase, and the current primary market relies heavily on reinsurance.
“The need for cyber reinsurance capacity will continue to grow, as the primary market grows and the capacity sourced from the capital markets will become a more material component of cyber reinsurance towers.”
That speaks to a growing role for the capital markets and ILS structures in cyber. We believe this is a sector to watch for innovation and also a risk class where structurers can add increasing value, by responding to markets that are hesitant to invest and taking into account their feedback.
It’s also worth considering the potential for a role for legacy specialists in cyber ILS, as like the emergent casualty ILS market the exit and liquidity needs of investors may be something that requires support as this sector grows. Especially if event experience in future shows that the cyber tail can sometimes be longer than anticipated.
Read about every cyber cat bond transaction, including the first private cat bond deals and the more recent 144A cyber cat bonds, by filtering our Deal Directory by peril to view only cyber cat bond transactions.