Cyber risk's fundamental mischaracterisation as an insurance risk

15 November 2023

Tim Freestone and Malcolm McLelland argue for a radical overhaul of how cyber risk is quantified and priced. In the first of a two-part article, they explain the classification of cyber as a market risk and propose using modern financial theory to model it.

Earlier this year, the world's largest insurance brokerage, Marsh McLennan, and its reinsurance subsidiary, Guy Carpenter, issued a joint statement and brochure assuring investors in cyber-backed insurance-linked securities (ILS) that they should not fear a "double-whammy" by investing in cyber risk. Cyber risk, they explained, is not correlated to the stock market:

"There is a long-held skepticism among the investment community that when a systemic cyber catastrophe event happens, it would result in a wide-ranging stock market downturn, since such an attack tends to be indiscriminate, and its victims would span across the entire economy. Many ILS funds are reluctant to deploy capital in cyber risk transactions for the fear of a 'double-whammy' situation in the immediate aftermath of a widespread cyber-attack."

This statement comes at a time when the cyber insurance industry, fresh from new capital raises, strives to maintain its position as the world's third fastest-growing industry with a five-year compound annual growth rate (CAGR) of 26% (see table).

Concerns about the growth trajectory began to emerge last year during the re/insurance industry's Rendez-Vous de Septembre meeting in Monte Carlo.

Many of the leading reinsurers and cyber risk modellers made statements about the cyber insurance industry's current predicament:

  • Torsten Jeworrek, then chairman of Munich Re's reinsurance committee, said, "The demand [for cyber insurance] is there, but recent loss experience has led to a reduction in insurance capacity, and increased prices, with cyber liability rates in the US increasing about 80% since 2020."
  • Laurent Rousseau, then CEO of French reinsurer Scor, said, "The main reason for Scor's lack of increasing its cyber premiums is the uncertainty around its cyber accumulation risk. Reinsurers are unsure of the probable maximum loss (PML) estimates because cyber is evolving so quickly."

Accumulation risk is defined as the likelihood of a greater-than-anticipated accumulation of claim costs due to multiple exposures being tied to the same event or a related event. Accumulation risk appears to be on all the reinsurers' minds.

  • David Priebe, chairman of Guy Carpenter, said, "One of the keys to unlock is having a greater understanding of modelling systemic cyber risk. Improved modelling would also give capital markets investors more confidence in cyber risk assessment and provide more capacity via insurance-linked securities."
  • Jay Guin, EVP of Verisk Analytics and chief research officer for extreme event solutions, said, "Verisk decided earlier this year not to invest further in cyber models until the insurance market for the exposure stabilises. Right now, the market is quite chaotic because there are so many companies that are reducing exposure or exiting the exposure, so we have taken a decision to observe for a while."

These reinsurers and risk modelling organisations are concerned that the cyber insurance industry still hasn't demonstrated its ability to model cyber risk. This can be seen in the last five years' results, where the industry combined ratio (loss ratio + direct and containment costs) increased steadily until it was finally brought down in 2022, based solely on an unprecedented premium increase of 62%.

If the cyber insurance industry can only influence its loss ratio through huge rate increases, we may have an industry that doesn't understand its loss costs and that may or may not have a viable business model. No wonder some reinsurers are equivocating about their continued support for cyber. This could also explain Marsh McLennan and Guy Carpenter's desire to assuage the fears of ILS investors about the potential systemic effects of investing in cyber-ILS. The need for ILS investors may be of paramount importance to sustaining the industry's growth given the wavering of cyber reinsurers.

i. Why has Modern Financial Theory not been applied to the assessment of cyber risk?

This is a two-part article focusing on a methodological approach to modelling cyber risk that is so fundamental that we are surprised that no one in the insurance industry has raised it.

The approach is based on theory and methods developed over the last 70 years by Nobel prize winners Harry Markowitz, William Sharpe, Eugene Fama, Fischer Black, Myron Scholes, Robert Merton, as well as many other significant contributors including Stephen Ross, Franco Modigliani and Merton Miller.

We're talking about Modern Financial Theory (MFT), a subset of financial economic theory, which is a big part of our discussion. Prior to its development, the field of investing was largely based on intuition and ad-hoc rules. There was little empirical or theoretical work to support these rules, and investors had a limited understanding of how financial markets actually worked.

The development of MFT has revolutionised the field of finance. It has provided investors with a rigorous framework for making investment decisions and has helped them to better understand the risks and rewards of investing.

MFT is based on a number of key insights, including the efficient market hypothesis, modern portfolio theory, the capital asset pricing model (CAPM), arbitrage pricing theory (APT) and derivative asset pricing theory (Black-Scholes). These insights have helped investors to understand how asset prices are determined, how to construct optimal portfolios, and how to assess the risk-return tradeoff of different investments.

MFT suggests, and we believe, that cyber risk is a systematic market risk, not a typical insurance risk, which is commonly nonsystematic. Cyber risk can be insured, but not using standard insurance actuarial approaches. If we are correct, cyber risk has been mischaracterised as an insurance risk when it is, in fact, a market risk that essentially requires the market-based risk management solutions outlined in this article.

We begin our proof by discussing the totality of all risk, which includes nonsystematic, non-market-based, insurance-type risks. We then compare and contrast nonsystematic risks with systematic market and credit risks. Finally, we discuss systemic risk: the risk the cyber insurance industry believes is the most significant for cyber insurance.

After laying out the three types of risk, we outline the analytical framework, as developed by the aforementioned Nobel laureates, for determining if cyber is a systematic market risk. If cyber is a systematic market risk, it changes everything about how the cyber insurance industry should be managing cyber risk.

We provide a basic overview of how we construct a cyber risk index that assesses the amount of cyber risk prevalent in the market in the same way that credit risk can be inferred from credit spreads. This knowledge also lays the foundation for how cyber risk can be underwritten and financed in the capital markets using both ILS and derivatives, as well as standard insurance policies.

Consistent with the standard cyber insurance industry view, we can confirm that cyber risk is not correlated to the overall market – at least not in the last five years – as maintained by Marsh McLennan and Guy Carpenter. But as a systematic risk it is absolutely and axiomatically correlated to subsets of the market; sometimes highly so. We outline a solution that enables cyber insurers, reinsurers and cyber-ILS investors to avoid the double-whammy...

This article continues in a PDF.