Tim Freestone argues the case for a cyber risk exchange that will enable organisations to transfer the systemic and systematic cyber risks that traditional cyber insurance cannot deal with
Introduction: a future scenario for managing cyber risk?
It began with a simple software update – a maliciously altered patch pushed silently across thousands of enterprise routers. No red flags. No ransomware. But in the following days, something in the data flow changed. Orders were delayed. Logistics systems buckled. Inventory mismatches rippled across supply chains. To most observers, it looked like noise.
But the Predyct Cyber Risk Index (PCRI) on the recently formed Predyct Cyber Risk Exchange had been rising for weeks, signalling a mounting wave of systematic cyber risk buildup – one too widespread and synchronised to be idiosyncratic.1 It was like a slow but persistent widening of credit spreads indicating credit risk but not specifically identifying its source, not unlike the events leading up to the 2008 financial crisis.
The index showed that market participants were subtly repricing cyber exposure, driven by growing vulnerability in cyber risk correlations. Giving urgency to this simmering threat was the fact that the PCRI's founders had previously advised the markets of the seriousness of AIG's credit worthiness and the systemic risk it posed to markets leading up to the 2008 financial crisis.2 The developers of the PCRI warned: this was not just an operational glitch – it was the slow-motion buildup of systematic cyber risk possibly leading to a systemic cyber event, one that might be as devastating as the 2008 financial crisis.
While insurers continued to treat cyber as an event-driven, uncorrelated peril – appropriate for traditional insurance pooling and diversification – some consulting actuarial research academics had also begun to recognise that cyber represents a systematic (in addition to systemic) risk.3 Yet the industry clung to an outdated framework, blind to the long association between cyber exposure and asset pricing.
Then the downgrades came. First in logistics, then consumer goods, and finally in finance. Earnings revisions cited vague "supply disruptions". Stock prices collapsed. JPMorgan traced the source to a shared vendor deep in the tech stack. Warren Buffett's earlier warning that cyber-attacks could be "worse than nuclear weapons" was no longer theoretical.4 And Jamie Dimon's concern that cyber was "the biggest threat to the financial system" felt suddenly to be literal.5
The exchange's PCRI signaled a persistent shift in pricing behavior well in advance – not in response to the attack itself, but to some underlying exposure that markets had already begun to incorporate into valuations. While the index can't know precisely what investors were responding to, the signal suggests a latent, systematic risk factor – one that appears orthogonal to traditional macro-risk drivers but believed to be strongly correlated with digital interdependencies.6
Part 1: The misunderstood battleground
The battle against cyber risk has been fought on a misunderstood battlefield, governed by an outdated set of rules. To clarify the terrain, we must first distinguish between three critical risk classifications:
- Idiosyncratic risk (also called nonsystematic risk) is a firm-specific, diversifiable risk that can be isolated and insured against, such as an individual company's vulnerability to a phishing attack or a misconfigured firewall.
- Systematic risk is a non-diversifiable risk inherent to an entire market or digital ecosystem, distributed across firms due to shared infrastructure or broad trends.
- Systemic risk is the risk of a catastrophic, cascading collapse of an entire system. It can arise from two distinct sources:
- A sudden, event-driven shock that is non-systematic in nature, like a natural peril such as a hurricane, earthquake, or flood.
- A gradual buildup of systematic risk correlations that suddenly break or "snap", causing the system to collapse, as seen in the 2008 financial crisis.
"Despite billions spent on cybersecurity controls, both the frequency and the economic severity of attacks continue to climb"
For too long, cyber risk has been misdiagnosed as an idiosyncratic, event-driven threat – a domain exclusively for traditional insurance. This misdiagnosis has led to a profound misunderstanding of the true nature of the threat. The reality is that the most dangerous form of cyber risk behaves unmistakably like a systematically distributed market risk (SDMR), with the potential to trigger a devastating systemic collapse.
The fictional account above is not a far-off dystopia. It is an accelerated composite of very real dynamics already at work in the global economy. Surveys consistently rank cyber risk among the top three concerns for CEOs and boards. Executive resignations following cyber incidents are increasing, and cyber risk is now a permanent fixture in boardroom discussions. Despite billions spent on cybersecurity controls, both the frequency and the economic severity of attacks continue to climb. As one cybersecurity executive bluntly put it: "We win most of the battles, but we are losing the war."7
But what if we've misunderstood the real battleground?
The prevailing assumption is that cyber is an insurable event – discrete, diversifiable, and fundamentally random. That framing has failed. Cyber doesn't behave like a traditional insurable risk. It builds gradually. It's correlated across sectors. It moves with perception and exposure. And when it erupts, it does so systemically, damaging not just individual companies, but entire networks of value. This is not a question of improving firewalls or buying more insurance – it's about recognising cyber risk as a market risk, priced into valuations and capable of moving markets.
A cyber exchange is not designed to fight attackers – that role belongs to cybersecurity professionals. What we are addressing is the financial fallout from systematic and systemic digital dependence, a risk that capital markets have so far misclassified. Cyber risk is not merely an operational threat to be insured against; it is an SDMR that must be priced, traded, and hedged like any other source of correlated valuation pressure. This can only be effectively achieved on a cyber risk exchange that enables these capabilities.
A new asset class for cyber risk
This is our third article in InsuranceERM identifying the characteristics, and showing empirical proof, of cyber risk's true nature. The first article described cyber as an SDMR and how that type of risk is different from insurance risks. The second article focused on analysing the timeline of the cyber-attack against Target Corporation and other retailers. The analysis highlighted that a clear signal of an impending attack was present five months before Target publicly disclosed the breach, a prediction feasible only if the cyber domain is characterised by SDMR.
In this article, we advocate for transforming cyber risk from an unmanageable threat into a tradable, hedgeable asset class. Drawing illuminating parallels with established financial instruments like credit default swaps (CDS) and volatility derivatives (such as the VIX), we demonstrate the feasibility and necessity of this transformation. Specifically, this article will:
- Substantiate cyber's SDMR nature: We provide compelling evidence that cyber risk is fundamentally an SDMR, rather than an idiosyncratic, insurable type of peril.
- Uncover existing market pricing: We reveal how cyber risk is already being implicitly priced and traded by the market, even without a dedicated exchange.
- Present empirical evidence showing how the market value of companies fluctuates directly with movements in a cyber risk index, much as market volatility correlates with the VIX or the CDX for credit derivatives.
- Detail a robust framework: We lay out how our comprehensive framework provides all the necessary information and mechanics to form a functioning cyber risk exchange.
- Outline operational benefits and workings of such an exchange and highlight its profound benefits for cyber insurers, reinsurers, cyber brokers, investors-traders, and, most importantly, their clients seeking protection from cyber risk. A cyber exchange is a compliment to cyber insurance, not a replacement.
- Reveal how the cyber exchange will function, and will likely be regulated as a trading platform
The creation of a cyber risk exchange would represent the biggest event in financial markets since the development of the high yield and CDS markets and VIX options and futures.
Such an exchange would introduce a market structure uniquely capable of unlocking trillions in risk-transfer capacity, simultaneously remedying the traditional cyber insurance industry's inability to handle systematically distributed market risks. These include events currently excluded by cyber insurance: systematically induced events, state-sponsored attacks, and intellectual property (IP) losses. Through a clearly outlined framework, anchored by a proven index, this exchange would facilitate the efficient transfer of these critical exposures to the vast and deep capital markets.
Part 2: Cyber risk as a systematically distributed market risk
Our central thesis is that cyber risk is not merely an insurable risk; it's an SDMR. While insurers price some cyber risks, they typically exclude the largest, most systemic and systematic threats such as those posed by state-sponsored attacks or threats to critical infrastructure. This exclusion highlights that cyber risk, unlike traditional insurable risks, represents a broader market risk that capital markets must address. Cyber risk is already implicitly priced into equities, silently eroding nearly $900bn in S&P 500 valuations, $4trn globally, and growing at nearly 20% annually.8
Our claim is not that cyber risk is uninsurable in every case
This growth is far beyond the insurance industry's ability to handle. Just as CDS made credit risk tradable and the VIX made volatility investable, cyber-based derivatives will enable real-time pricing, informed speculation, and robust hedging for cyber risk. This market evolution promises trillions in new risk-transfer capacity, comprehensive and exclusion-free cyber protection at a lower cost, and a new asset class that offers both diversification and speculation opportunities.
Our claim, then, is not that cyber risk is uninsurable in every case – but that its most consequential, systemically distributed component belongs in the domain of financial markets, not on insurer balance sheets.
Cyber risk is already being traded
This is exactly the type of signal a cyber risk index (PCRI) is designed to detect. In the fictional scenario, pricing pressure emerged weeks before the market collapse – underscoring that cyber risk is being priced and traded already, just without dedicated infrastructure.
Cyber risk is already priced and traded in capital markets, though not always explicitly. A rigorous regression analysis of cyber risk against market valuation shows a clear relationship: for every 1% increase in cyber risk, as evidenced by the PCRI – a measure of underlying systematic cyber risk – the broader market loses 2.2% of its value. If cyber risk were idiosyncratic, this strong statistical relationship with overall market movements would not exist. Instead, the steep slope signals investors response to cyber risk like other SDMRs. This robust link allows us to estimate the substantial embedded notional value of cyber risk within the financial system.
Exhibit 1

Noise trading vs. information trading: uncovering arbitrage
Some market movements are due to "noise trading", where investors react impulsively to headlines. However, sophisticated "information traders" actively exploit valuation dislocations.
They do this through constructed long-short strategies (taking a long position in companies perceived to have little cyber risk and short positions in companies perceived to have substantial cyber risk) or by building "cyber-neutral" portfolios that enable traders to hedge systemic cyber risk exposure while capitalising on valuation inefficiencies between companies with varying cyber risk profiles.
There's even anecdotal evidence of cyber attackers trading on advance knowledge. These collective behaviours confirm cyber risk is actively transferred through markets; this could not occur if it were solely an idiosyncratic, insurable event.
Historical failures of insuring SDMRs
A recurring and concerning pattern emerges every time insurers have strayed into underwriting risks that are, in fact, SDMRs. The results have invariably been catastrophic, leading to systemic failures. The financial guaranty industry collapsed after enhancing lower-investment grade bonds to the AAA level, violating the efficient markets hypothesis (EMH) by only charging a small component of the spread – EMH requires that investors need the entire spread to cover risk implied by the spread.9
Cyber risk unequivocally belongs in this same SDMR category of risk
AIG nearly brought down the global financial system underwriting CDS – another SDMR. Many market participants took the wrong message from this episode believing that CDS10 were the instruments at fault. The fault lay with the reckless insuring of these instruments that, had they been uninsured, would have been properly valued by the market and not relied upon by so many counterparties. These were stark warnings; cyber risk unequivocally belongs in this same SDMR category of risk.
The mispricing of cyber risk by insurers
The cyber insurance industry persists in pricing and underwriting cyber risk as a conventional, diversifiable peril. While there's a non-zero idiosyncratic component in cyber risk (which can be diversified away in large portfolios), what cannot be diversified away is SDMR: risk that moves in correlated fashion with the broader financial system, akin to market volatility or credit contagion.
This systematic nature makes cyber risk uniquely dangerous and profoundly mispriced by traditional insurance. Insurers have treated it as scattered and random when it is concentrated, highly correlated, and capable of cascading across entire sectors.
Part 3: The evolution of exclusions
When the first cyber policies appeared in the early 2000s, insurers saw a rare chance to grow in an otherwise slow-moving industry. Yet the underwriters also sensed the threat of systemic losses – and acted quickly to exclude them. That decision mirrored standard practice in property insurance: carve out exposures that differ fundamentally from the core peril.
Homeowners policies, for example, routinely exclude floods, hurricanes, tornadoes, and earthquakes because those hazards create loss patterns – geographic reach, frequency, severity – far beyond an ordinary house fire.
The key difference is that each natural peril can be isolated, measured, and insured under a separate contract. We know exactly when an earthquake exceeds 7.0 on the moment magnitude scale or a hurricane reaches Category 3 on the Saffir-Simpson scale; parametric triggers leave little doubt about what is – and is not – covered.Virtually all other forms of insurance have exclusions that are also relatively simple to distinguish from the core risk the policy is designed to cover. For example, the exclusions embedded in general liability policies relate almost exclusively to risks covered under separate policies.
Cyber risk's idiosyncratic (company-specific) and systemic (economy-wide) components are tightly intertwined
Cyber risk does not afford the same clean separation seen in traditional insurance. Its idiosyncratic (company-specific) and systemic (economy-wide) components are tightly intertwined – much like how interest rate risk is inseparable from broader market risk. For example, if an insurer attempted to cover the market value of an asset but excluded losses due to interest rate movements, it would be nearly impossible to adjudicate a claim objectively. The moment the asset's price falls, disputes would erupt: was the decline due to rising interest rates (interest rate risk), or a general drop in commodity prices (market risk)? In practice, these forces are correlated and often simultaneous – making clean attribution impossible. The same is true for cyber risk: efforts to cover only the "idiosyncratic part" inevitably lead to exclusions that fail in real-world scenarios, precisely when the coverage is most needed.
That is exactly what we are witnessing today. Modern cyber threats exploit shared infrastructure, common software and ubiquitous third-party suppliers, so a breach aimed at one firm can ricochet across thousands. NotPetya in 2017 – now central to lawsuits Merck v. ACE American and Mondelēz v. Zurich – spread worldwide through a single software update.
SolarWinds, the Kaseya VSA ransomware attack, and the Microsoft Exchange zero-days followed the same playbook. Modular malware, supply-chain infiltration and state-sponsored campaigns blur the line between "targeted" and "indiscriminate", leaving policyholders exposed and insurers locked in costly, protracted disputes. As cyber-attacks grow more sophisticated and interconnected systems amplify the spread and impact of each breach, attribution becomes harder, exclusions become less enforceable and litigation over coverage is likely to escalate – not diminish.
As these systemic cascades grow more frequent, the traditional boundary underwriting relies on – the bright line between idiosyncratic and systemic cyber risk – keeps eroding.
Litigation drags on, case reserves swell and the capital strain on insurers intensifies. The industry's long-standing tactic of exclusion, so effective with natural perils, is running out of runway in the connected world of cyber.
Systematic risk – the unobserved risk
While early underwriters correctly anticipated the potential for catastrophic systemic cyber events, they overlooked a deeper and more persistent threat: cyber risk is also systematic. Unlike systemic risk, which can often be diversified away, systematic risk permeates the entire market. It moves in tandem with the infrastructure of modern business and cannot be isolated or carved out. That makes it far more corrosive to equity valuations – because it is inescapable.
Exclusions alone won't work – not when risk is embedded in the digital fabric of every firm
This problem isn't unique to insurance. The banking industry faced a similar crisis in the 20th century, when laws like the McFadden Act of 1927 prevented geographic diversification of loan portfolios across state lines. Banks were exposed to local downturns and cyclical risk until regulatory reforms and innovations – like asset securitisation and credit default swaps – allowed them to transfer and manage systematic credit risk more effectively.
Cyber insurance now faces its own reckoning. Exclusions alone won't work – not when risk is embedded in the digital fabric of every firm. As we'll outline later in this article, the solution lies in building a new market structure that allows insurers and capital markets to share and transfer systematic cyber risk. Just as securitisation and CDS reshaped credit, a cyber risk exchange can unlock a path forward.
In short, cyber risk is not only systemic and catastrophic – it is also systematic and persistent. Trying to exclude pieces of it, like state-sponsored attacks or large-scale outages, is akin to excluding interest rates from credit risk or market risks. The distinction is breaking down. And as legal and financial pressures mount, the industry will be forced to evolve. We believe the cyber risk exchange is that next step.
Systemic risk: event-driven vs. accumulated buildup
To better understand the distinction, we can see that systemic risk can arise in two fundamentally different ways. The cyber insurance industry recognises the first cause of systemic risk, listed below, not the second.
The first, and more intuitive source, is through large, clearly defined, event-driven shocks (e.g., hurricanes, floods), typically uncorrelated and well-suited to traditional insurance pooling.
However, the second source of systemic risk is more subtle, insidious and – critically – more relevant to cyber risk. This form arises from the accumulation of systematic risk, where risks – normally only moderately correlated in benign environments – become tightly synchronised under stress or heightened market anxiety, as demonstrated during the 2008 financial crisis where correlations built up to the point of collapsing the economic system.
Systematic risk in action
To see how a buildup of systematic risk correlations works in practice, consider a macroeconomic analogy. Imagine three companies in different sectors: a construction firm, a consumer goods manufacturer and a logistics provider. Their businesses appear uncorrelated.
However, as inflation rises, so do borrowing costs, wage pressures and input prices for all three. One delays expansion, another sees shrinking margins and the third loses customers.
This creates synchronised valuation pressure: not from direct linkages, but from shared exposure to the same macroeconomic forces. This is systematic risk in action: emergent, correlated and inherently difficult to diversify away. As digital or market interdependencies tighten under stress, otherwise manageable individual exposures can rapidly align into a dangerously synchronised downturn.
The same applies to cyber risk: when market perception of cyber vulnerability rises across firms, market values begin to drop in tandem, well before any actual attack is announced.
Part 4: Cyber risk is undeniably an SDMR
Once we recognise that systematic risk arises from tightening correlations – not just from sudden, rare events – it becomes increasingly difficult to treat cyber risk as a traditional, insurable peril. In Modeling and Pricing Cyber Risk, Kirsten Awiszus and her coauthors describe systematic cyber risk as stemming from "common vulnerabilities of entities affecting different firms at the same time,"11 a phrasing that underscores cyber's interconnected nature.
The industry acknowledges correlation risk but often sees it only as a consequence of sudden, event-driven failures
However, this also reflects a broader challenge in the literature and the insurance industry itself: the tendency to conflate systematic correlation (a pricing concept in finance) with systemic causation (a contagion dynamic). The industry acknowledges correlation risk but often sees it only as a consequence of sudden, event-driven failures. They miss that this risk can also build up over time due to correlated systematic forces, generating a detectable signal – just like the strong signal in our opening scenario. This oversight is critical, because if you are missing that signal, you are missing almost everything about cyber risk. Our framework treats cyber as a priced risk factor, aligning with the financial definition of systematic risk.
The actuarial-capital markets divide
We applaud Awiszus and her co-authors' work (to our knowledge, a first from noted actuaries) for highlighting the systemic and systematic nature of cyber threats that are rooted in shared technologies, interdependent supply chains and correlated vulnerabilities. However, their analysis stops short of demonstrating whether these risks are actively priced by financial markets. This distinction is critical. In financial theory, a risk becomes systematic not merely because it is real, but because it is perceived and priced across assets.12
The unresolved question, then, is not whether cyber is dangerous, but whether its risk profile is embedded in return behaviour – and therefore tradable. This distinction between real-world exposure and market-perceived/priced risk is essential to understanding why cyber must be treated as a systematically distributed market risk (SDMR) rather than just an operational or insurable threat.
A deeper challenge with Awiszus's framework is the absence of empirical evidence linking digital interdependencies to observed, correlated loss distributions. Demonstrating such a link would require identifying shared technological dependencies across firms, tracking cyber events tied to those dependencies, and proving that losses are systematically correlated as a result. Given the opacity of cyber event disclosure and the confounding effects of industry scale and preparedness, this is exceptionally difficult to do. Ironically, markets often perceive and price such latent correlations in advance – as the PCRI demonstrates. This highlights a core strength of market-based models: they can detect systematic pricing pressure from perceived cyber exposures, even before traditional actuarial models can observe realised losses.
When insurance fails, markets must step in
The risks explicitly excluded from standard cyber insurance policies have not disappeared; they've simply been pushed back onto the balance sheets of the companies seeking protection. The critical exposures that corporate boards and CEOs fear most – systemic disruptions, state-sponsored attacks and IP theft – are now explicitly carved out of most cyber insurance policies. This fundamental misalignment is precisely why cyber risk has climbed into the top tier of corporate concerns.
Cyber insurance: virtue signalling vs. comprehensive protection
Today, most large corporations still purchase cyber insurance, but increasingly, its primary function is not comprehensive risk transfer. Instead, it serves predominantly as a signalling mechanism – a public declaration to customers, partners, investors and regulators that the company is undertaking every conceivable measure to address cyber threats.
Among small and mid-sized enterprises (SMEs), however, cyber insurance penetration is reported to be less than 10%13. This is due to policies being prohibitively expensive, having ambiguous language, and having exclusions cutting directly at what companies genuinely seek to protect; thus leaving a vast segment of enterprises exposed.
Ending cyber risk: the foundational solution
The earlier fictional scenario would never have spiralled out of control had the affected companies held protection in a market-based cyber derivative structure – pricing their PCRI exposure in real time and hedging against exactly the kind of systemic movement that eventually hit earnings.
We must apply the identical methodological approach to managing cyber risk as the markets have successfully applied to other well-understood financial risks
The answer is simple in principle, yet profoundly powerful. We must apply the identical methodological approach to managing cyber risk as the markets have successfully applied to other well-understood financial risks, because both are fundamentally SDMRs.
Predyct has meticulously extracted the underlying signals from current cyber trading behaviour observed across public equity markets, including from "noise traders" and "information traders". From these rich data streams, we have successfully constructed a robust, market-based price of cyber risk. This innovative approach is conceptually identical to how the Capital Asset Pricing Model (CAPM) effectively captures and prices general market risk.
How the SDMR problem was solved for investment portfolios
The solution to effectively managing SDMRs in investment portfolios has a rich and well-established academic history. In the 1960s, William Sharpe, building directly upon Harry Markowitz's Modern Portfolio Theory (MPT), developed the seminal CAPM.14 For these transformative contributions, Sharpe and Markowitz were awarded the Nobel Prize in Economics. CAPM introduced the concept of beta: a quantifiable measure of how sensitive a company's stock price is to broad, general market movements.
A stock with a beta of 1.0 is expected to move in perfect synchronicity with the market. Every publicly traded stock possesses a unique market beta, and by taking a weighted average of these, we construct a comprehensive market risk index. Crucially, the same type of structured methodology can now be applied with equal rigor to cyber risk.
Part 5: Introducing cyber beta and the cyber risk index (PCRI)
Every publicly traded company also exhibits a cyber beta. This unique measure is meticulously derived by statistically filtering out all other known macroeconomic and general market risks. What remains is the company's specific and unique sensitivity to cyber-specific market forces. When these individual cyber betas are systematically aggregated across a broad universe of public equities, the result is an index of pure cyber risk – a dynamic, market-driven measure of how cyber risk is priced across time, continuously reflecting prevailing perceptions and valuations.
Cyber beta is a specialised form of beta, capturing a company's exposure to cyber threats
Cyber beta is conceptually like CAPM beta, but with an important difference. In CAPM, beta measures how an asset's returns are expected to move in relation to the broader market's returns, reflecting the asset's exposure to systematic market risk. Similarly, cyber beta measures how an asset's value is expected to move in relation to cyber risk (e.g., changes in the PCRI, reflecting the asset's sensitivity to cyber-related factors).
However, the key distinction is that cyber beta doesn't always follow the same logic as traditional market beta. In the case of cyber risk, company valuations can sometimes increase as cyber risk rises. This happens because investors might price in the value of cybersecurity efforts or the expectation that certain companies will benefit from increases in cyber risk. This is true, for example, of Microsoft due to its ownership of Azure, a cloud service that is expected to obtain considerable business if cyber risk increases, as many companies give up on providing their own cybersecurity and retreat behind the high castle walls of Azure. In contrast, CAPM beta typically indicates that as market risk increases, company valuations tend to decrease due to higher perceived risk.
In short, cyber beta is a specialised form of beta, capturing a company's exposure to cyber threats rather than traditional market risks. While traditional beta links asset performance to market fluctuations, cyber beta reflects how shifts in cyber risk – whether increasing or decreasing – can impact company valuations, which may behave counterintuitively compared to typical market risk. This also amplifies cyber risk derivatives attractiveness to cyber risk investors and traders.
The no-arbitrage price of cyber risk
The market price of cyber risk, as captured by this comprehensive index, reflects its arbitrage-free value. This means it represents a price point at which no riskless profit opportunities exist for informed traders, given all currently known information and their risk-adjusted expectations. This means there's no opportunity to obtain the same cyber risk protection at a lower price without bearing additional risk or exploiting an inefficiency. This ensures market efficiency.
Market pricing vs. insurance pricing of cyber risk
The PCRI, graphically illustrated in Exhibit 2, vividly portrays the market's real-time pricing of cyber risk over a representative period of 60 trading days. This price is set by the collective, dynamic actions of countless traders and investors – a forward-looking mechanism. This stands in stark contrast to the backward-looking actuarial models that predominantly build risk assumptions based on historical data, data that most assuredly does not reflect SDMR forward-looking risk distributions. Observe how the price of cyber risk, as reflected by the PCRI, changed over time reflecting the market's changing required equity pricing discount for accepting pure cyber risk.
This market price of cyber risk is fundamentally distinct from the price determined by traditional cyber insurance for several critical reasons:
Exhibit 2

Forward-looking pricing by traders/investors
Traders and investors are not primarily concerned with historical attack frequency. Their paramount concern is whether, and when, a company's valuation will decline due to its cyber risk exposure. In efficient capital markets, the possibility of an attack or a broader systemic cyber event is already actively priced into asset valuations. Investors proactively discount a company's valuation based on perceived exposure to cyber threats – regardless of whether those threats ultimately materialise. What moves the market is the dynamic repricing of this perceived risk. Valuations often remain stable, even after a publicised breach, because the market had already embedded and discounted that risk. This mirrors how sophisticated investors treat other SDMRs, where forward-looking perception drives valuation.
Backward-looking pricing by insurers
Insurers, by contrast, focus primarily on covering the direct costs of cyber events – not on how cyber risk affects a company's market value. Their models remain largely event-driven and backward-looking, treating cyber as an idiosyncratic threat rather than a systematic financial risk. But this framing leaves a critical blind spot: it ignores how cyber exposure erodes enterprise valuation over time, even in the absence of a breach.
Understanding this connection would be immensely valuable – not only for setting more accurate premiums, but for helping clients understand and mitigate the long-term financial drag that cyber exposure imposes. Failing to measure cyber's impact on valuation is like trying to assess auto safety without accounting for speed: it misses a central, causal driver of risk. As long as this link remains unacknowledged, companies will continue to carry valuation risk that no insurance policy currently covers – and that the market is already pricing in.
It should be understood that the market prices both the expectation of asset devaluations due to fluctuations in cyber beta (which reflects a company's sensitivity to cyber risk) and the potential impact of cyber-attacks. In contrast, insurance actuaries typically price the expected probability and severity of cyber-attacks using historical data, focusing on past events to estimate future risks. This practice works if risk distributions are stationary. It doesn't work for SDMR.15
Relationship between the PCRI and the market value of company equities (PCRX)
Exhibit 2 illustrates how the broader PCRI influences the pricing behavior of diversified equity portfolios – similar to how CAPM beta affects the S&P 500. As PCRI rises, portfolio values adjust, demonstrating that cyber risk functions as an SDMR.
If cyber risk were not systematic, it would not exhibit this influence over PCRX pricing
Exhibit 3, by contrast, focuses specifically on cybersecurity companies over the same 60-day window ending 11 April 2025. These firms, while highly differentiated in business model and scale, show visible price convergence during periods of elevated PCRI. This compression in valuation spreads is consistent with how efficient markets price systematic risk: when the broader threat level increases, idiosyncratic distinctions between firms diminish in importance, and capital reallocates accordingly. This convergence is not static or universal – it evolves as PCRI shifts, as firms' sensitivities to cyber risk change, and as investor sentiment responds to new information. What we observe is not the elimination of arbitrage, but the re-pricing of perceived exposure as the market processes a new class of tradable risk.
Together, Exhibits 2 and 3 provide empirical evidence that PCRI is functioning as an arbitrage-free pricing benchmark for cyber risk. If cyber risk were not systematic, it would not exhibit this influence over PCRX pricing. The persistent relationship between PCRI and equity prices offers strong support for the claim that cyber risk is both systematically priced and hedgeable.
Exhibit 3:

Price discovery and trading opportunities from lag
Differences across individual PCRXi (where i denotes a specific firm) values primarily reflect differences in each firm's sensitivity to systematic cyber risk – not errors in the PCRI itself.
Because markets process information unevenly, firms may respond to PCRI signals at different speeds, resulting in temporary pricing dislocations. These lags may be due to liquidity constraints, behavioral hesitation or the complexity of identifying cyber-sensitive exposures.
For example, around trading day 212, one cybersecurity equity (cyber security 3 in Exhibit 3) showed a delayed response to a sharp upward move in PCRI. Given its positive PCRI sensitivity, this lag created a relative-value trading opportunity: a long position initiated before the equity repriced in line with its cyber exposure. Such patterns do not imply miscalibration of the index – they reflect natural information frictions in the early stages of any new risk market. In this context, PCRI provides a dynamic benchmark that highlights these inefficiencies as they emerge.
Positive and negative correlations to cyber risk
The PCRI framework reveals that companies can exhibit either positive or negative correlations to systematic cyber risk, depending on their role in the digital economy.
Cybersecurity firms, such as those featured in Exhibit 3, often experience positive correlations to PCRI. As cyber threats escalate, demand for their services increases, and their valuations tend to rise. However, their returns don't always move predictably with the price of PCRX contracts (i.e. a cyber derivative written on a particular company, capturing how its valuation responds to changes in market-wide cyber risk as measured by the PCRI). Broader tech-sector dynamics, risk-on/risk-off flows and timing mismatches in procurement cycles can all reduce their value as pure hedges in cyber-sensitive portfolios.
In contrast, non-cybersecurity firms – especially those holding proprietary data or relying on vulnerable digital infrastructure – often exhibit negative correlations to PCRI. As cyber risk rises, these companies face higher expected losses or disruptions, leading to market devaluation. Their equity prices often move inversely to PCRI and directly with the value of protection strategies such as PCRX contracts.
In this way, the same rise in systemic cyber risk can have opposite effects across sectors. These differences are exactly what a functioning market requires to support effective hedging, arbitrage, and price discovery. PCRI enables market participants to measure, manage, and trade these exposures with precision. Regardless of our prior assumptions about market efficiency, Exhibits 2 and 3 demonstrate unequivocally the market is already pricing cyber risk – and this pricing materially influences equity valuations.
Part 6: The ultimate goal: transferable and hedgeable cyber risk
Our primary objective is not to turn the audience into cyber risk traders. Instead, it is to convey one simple, yet profoundly important, point: if cyber risk can be reliably priced and actively traded in liquid financial markets, then it can, by definition, be effectively hedged. And if it can be effectively hedged, then it can, with unparalleled efficiency and scale, be transferred to those financial entities best equipped to bear it – which is precisely what the deep capital markets are uniquely built to do.
Until now, the misdiagnosis of cyber as an idiosyncratic, event-driven and solely insurable risk has left traditional insurers bearing far more systematic risk than their balance sheets are designed for, and policyholders paying more than they need to for incomplete coverage. The PCRI and PCRX have the potential to enable a robust market structure and create a powerful, scalable and desperately needed alternative.
Distinction between attacks and breaches
PCRI should be seen as a complement to cyber insurance – not a replacement for it
It is imperative to draw a precise distinction between "attacks" and "breaches". Nearly every large company is under constant "attacks" – persistent, ambient, systematically distributed intrusions. However, a financially material "breach" occurs only when attackers succeed by exploiting overlooked idiosyncratic vulnerabilities specific to an organisation (e.g., misconfigured firewalls, unpatched servers, socially-engineered security breaches). These are idiosyncratic risks, the legitimate domain where traditional insurance can still operate effectively, provided policies are structured with appropriate incentives, clear exclusions for systematic risks and stringent conditions to manage moral hazard.
Because these idiosyncratic risks cannot be hedged on a cyber risk exchange, PCRI should be seen as a complement to cyber insurance – not a replacement for it.
Systemic and systematic cyber risks belong in capital markets
In contrast, systemic and systematic cyber risks unequivocally belong in the capital markets and should not be confined to insurer balance sheets.
To illustrate this, our data show that Target Corporation – and its sector peers – began registering higher cyber beta as much as five months before the 2013 Target breach was publicly disclosed, as illustrated below in Exhibit 4.
Exhibit 4: Cyber Risk Sensitivity Preceding Cyber Attacks

As with the earlier fictional scenario, the Target example shows how cyber risk becomes visible in valuations well before an incident is disclosed. There is almost never an exception to this observation.
Market repricing: the Target case study
The Y-axis in Exhibit 4 quantifies cyber sensitivity via cyber beta. For Target, cyber risk rises sharply around month 120, signaling a proactive repricing by investors that saw the stock lose approximately 10% of its value between 20 July 2013, and the day of the breach announcement on 19 December 2013. We know this because of the signalled cyber risk sensitivity and the decline in value of Target's immediate peers.
It's important to note that this represented a secular stock price decline by Target and its immediate peers of Walmart, Costco and Home Depot (and some other large retailers not included in our study). The rest of the market remained highly stable during this period.
On the day of the disclosure itself, the stock's reaction was a seemingly minor 2% decline, which it regained within two days.
However, this quick recovery was a misleading signal of stability. The stock then entered a prolonged and painful correction, losing another 22% of its value by 3 March 2014. Some portion of this 22% loss likely stemmed from idiosyncratic tail risk – that is, the firm-specific vulnerabilities not captured by systemic risk models and therefore not hedgeable through a cyber risk exchange.
This pattern reveals that the market's initial risk pricing was incomplete and continued to adjust as the broader implications of the breach became clearer.
While investors may have processed the idiosyncratic, event-driven news of the breach quickly (the 2% drop in price), their initial discount of 10% proved insufficient as it took months to fully reprice the deeper, systematic implications of the event, including brand erosion, cascading supply chain vulnerabilities and the full extent of consumer trust loss. The Target case, therefore, is a powerful illustration of a complex repricing process where the market reacts not just to an event but to the slow, painful realisation of systematic and systemic risk over time.
At least half of the 22% value loss Target experienced in the months following its 2013 breach was likely driven by systemic market repricing of cyber risk
While it's impossible to assign an exact figure without a full forensic model, a reasonable estimate suggests that, all of the 10% loss in value pre-attack announcement and, at least half of the 22% value loss Target experienced in the months following its 2013 breach, was likely driven by systemic market repricing of cyber risk. This view is supported by the fact that many, if not most, of Target's publicly traded peers in retail and payments also experienced significant declines in market value during the same period – despite not being breached themselves.
This broad-based reaction signals that investors were re-evaluating systemic exposure across the sector, not just punishing Target's specific vulnerabilities. That portion of the loss – the correlated, market-wide repricing – would have been hedgeable through PCRE. The remaining loss likely stemmed from idiosyncratic tail risk, including company-specific failures in breach response, litigation exposure and brand damage – risks that fall outside the scope of a PCRE hedge and remain the domain of traditional cyber insurance. The key insight is that PCRE doesn't replace insurance; it complements it by allowing firms to transfer the systematically priced portion of cyber risk – the kind already reflected in market valuations and often excluded from insurance coverage.
It is also important to understand the exchange does not serve as a governing authority to determine what constitutes systemic versus idiosyncratic cyber risk. There is no central adjudicator (as there is with insurance claims) deciding whether a given event is hedgeable. Instead, the structure of the hedge itself – and the market's pricing of systemic risk – determines its responsiveness. Risk managers will learn through experience that certain tail events fall outside the bounds of what the exchange can hedge
Predicting signals, not attacks
We are frequently asked: "Is Target the one case where cyber sensitivity predicts a cyber-attack?" i.e, that proves your model? Understanding the distinction between signals and attacks is vital. The PCRI didn't forecast a breach – it captured a persistent shift in investor pricing behaviour. The signal reflected the market's gradual integration of cyber risk into valuations – a sensitivity that became visible in the data well before any public disclosures.
The model does not predict cyber-attacks; it is a powerful, early-warning signal. When cyber sensitivity (cyber beta) rises, something is happening, a change in perception of underlying risk. This observation reinforces our earlier statement that most cyber risk impacts to valuation – whether from cyber-attacks or just heighted cyber sensitivity – result from the slow build-up of cyber's systematic influence, not from sudden event driven systemic risk. It may not always culminate in a breach, but on average the underlying exposure and increased hacker attention are demonstrably real. In Target's case, the breach was well-planned, and traders acted on non-public information. The same threat actors targeted Home Depot and surveilled Walmart, reinforcing the systematic nature of these threats.
Exposure vs. certainty: the value of a warning signal
This phenomenon is not unique to Target. We routinely observe significantly raised cyber sensitivity three to six months before major breaches. Sometimes these signals do not result in a public breach (Walmart, Costco), but this is not a flaw. Just as in credit markets, pricing and discounts to par value of fixed income instruments reflect broad exposure and perceived risk, not absolute certainty of default. Increasing cyber sensitivity, therefore, should be interpreted as a potent warning – one that could have provided invaluable foresight to both Target and Home Depot.
The credit risk analogy revisited
In structural credit models, a company is in "technical default" when the total value of its assets falls below the value of its liabilities. The tails of structural credit models' distributions show high variability because firms can actively defend against default using a number of strategic options – such as refinancing, restructuring or asset sales – which aren't fully reflected in static balance sheet assumptions. Similarly, cyber-attacks don't always materialise into public breaches, even under high market-perceived cyber pressure. Firms like Walmart and Costco may have taken protective actions that Target and Home Depot didn't.
Market perception and trader response to cyber risk
The model detects increased hacker attention, heightened market perception of exposure, and underlying vulnerability. These perceptions are often influenced by non-public information and observable "dark web" activity, directly impacting a company's cyber sensitivity and market value. Traders respond to perceived risk and expected valuation impacts that precede or accompany events, demonstrating a forward-looking market dynamic.
A powerful tool for insurers
This powerful market signal, derived from real-time equity market data, is immensely valuable to insurers – even if their traditional risk pricing methods differ. Investors look forward, using market signals. Insurers look backward, pricing based on historical loss data. This mismatch is problematic for systematic risks like cyber, which may not be visible in claims but are clearly visible in forward-looking market signals. The Target cyber beta trajectory demonstrates this for virtually every monitored cyber-attack.
To effectively price what hasn't happened yet, we must move beyond purely actuarial models. This is where a sophisticated cyber risk index and a liquid cyber risk derivatives market come in – transforming amorphous signals into actionable, tradable prices that insurers, investors and corporations can all leverage to efficiently transfer risk.
Is there a futures market for cyber risk?
If cyber risk is purely idiosyncratic, it logically has no meaningful forward price or tradable market.16 The options available to the bearers of cyber risk are to exclude it or offload it via high-premium cyber catastrophe bonds. For example, Beazley Insurance has issued cyber cat bonds priced at a 13.25% premium over US Treasuries for an 17.25% all-in return.17 This exceptionally high pricing questions traditional cyber insurance's ability to scale systematic cyber risk, especially as an SDMR, and reflects the significant risk investors are pricing in given the lack of effective risk modelling.
Market signals for insurer pricing
However, insurers and insureds should not disregard market signals and pricing. They can strategically utilise the market price of cyber risk (PCRI) to gain invaluable insights into whether systematic cyber risk is increasing/decreasing and to objectively differentiate risk across firms (using cyber beta and PCRX). Notably, Target's cyber sensitivity rose sharply three to four months before the exfiltration of customer data began. How might that lead time have been used to detect, investigate and shut down the data exfiltration in progress?
This is a powerful underwriting advantage the industry can't afford to ignore
While insurers would need to add a spread to PRCI – for capital charges, administrative costs and position in the risk tower – to the market price of cyber risk, the relative risk sensitivity of different firms is clearly embedded in their relationship to the market price. This is a powerful underwriting advantage the industry can't afford to ignore, vital for reinsurers needing rational pricing explanations for why one company's cyber insurance price is higher or lower than another company. The market-derived price of cyber risk offers a profound way to introduce rationality and transparency into pricing different cyber risk exposures.
How do we make cyber risk disappear?
We have demonstrated that cyber risk is, at its core, an SDMR like interest rate risk, credit risk, equity risk and FX risk. For these established SDMRs, the capital markets have, over decades, developed and perfected remarkably effective tools: forward curves, sophisticated derivatives, robust hedging strategies, and mathematically elegant risk-neutral pricing models. These tools have allowed these risks to be managed with unprecedented precision and scale.
This is precisely why CEOs or corporate boards do not rank credit risk or market risk among their top concerns today. Consequently, the real and pressing question is: how would a tradable cyber risk market concretely function?
Part 7: Building a tradable cyber risk exchange
To successfully create a tradable cyber risk market, we need to establish a clear and familiar benchmark as its foundation. Our system proposes to anchor this market (beginning with the S&P 500) to the estimated $900bn in cyber risk already embedded in the S&P 500. This estimate comes from our robust regression results, which show that a 1% increase in systemic cyber risk consistently results in a 2.2% drop in the S&P 500's market value. As a result, this $900bn serves as the essential baseline notional value for our Predyct Cyber Risk Index (PCRI), which is conveniently set at a starting point of 100.
PCRX contract mechanics
Under this proposed structure, each individual PCRX contract would represent a standardised $1m in cyber risk notional value. This innovative design allows the full $900bn of embedded cyber risk to be efficiently subdivided into 900,000 standardised units – a critical step that significantly enhances accessibility and liquidity for a wide array of institutional traders.
The mechanics are intuitive: a 1-point movement in the PCRI directly translates to a 1% change in the underlying cyber risk pricing (1% of $1 million = $10,000 per contract).
Thus, a rise in the PCRI from 100 to 101 reflects a substantial $9bn shift in the market's valuation of cyber risk (1-point movement in PCRI = 1% of $900bn = $9bn). For traders, a single long contract would gain or lose $10,000 per index point (each point represents $1 million of cyber risk, so 1% of that is $10,000).
Cyber beta and advanced hedging strategies
Individual companies' specific cyber risk exposures (PCRX) are carefully mapped to the overall PCRI using their unique cyber beta, similar to CAPM. For instance, a firm with a cyber beta of 1.5 would typically experience a 1.5% drop in its equity valuation for every 1% increase in the PCRI.
This clear and measurable structure provides traders with actionable insights: they can build advanced hedging strategies (such as going long PCRI contracts positively correlated to PCRI to offset exposure from high-cyber-beta firms) or make informed speculative decisions based on anticipated future cyber repricing.
The Predyct Cyber Risk Exchange
The Predyct Cyber Risk Exchange (PCRE) would serve as the central matching and clearing venue for these novel cyber derivatives (PCRX). It would operate with the same robust functionality and stringent regulatory oversight as established markets as VIX derivatives of CBOE options. All transactions would be cash-settled with standard margining requirements, ensuring financial integrity and mitigating counterparty risk. Over time, as the market matures and liquidity deepens, the PCRE could expand its offerings to include forward curves, futures and various options contracts.
Companies can proactively hedge against potential valuation loss stemming from systemic cyber shocks
For corporations and traditional insurers, this transparent and liquid market provides an invaluable forward price for cyber risk. Companies can proactively hedge against potential valuation loss stemming from systemic cyber shocks, protecting their enterprise value. Simultaneously, insurers can strategically short the cyber risk index to protect their underwriting portfolios against broad, systemic cyber events.18
In both scenarios, the PCRI offers not just an early warning system but also unprecedented strategic flexibility. By anchoring the PCRI to a quantifiable $900bn and building a robust derivative structure, cyber risk is transformed from a backward-looking insurance issue into a sophisticated, forward-priced, and actively tradable market risk – elevating its status to par with other major financial asset classes.
Part 8: Roles of key participants in the new ecosystem
Just as the emergence of credit default swaps and securitisation initially threatened the dominance of traditional lending and insurance structures, the creation of a cyber risk exchange may at first seem disruptive to incumbent players.
Institutional lenders once viewed CDS as undermining their competitive advantage, only to later adopt and profit from them as essential tools for managing credit exposure and capital requirements.
A functioning cyber risk exchange complements rather than replaces cyber insurance
Likewise, securitisation was initially met with resistance by balance-sheet lenders who feared disintermediation, but it ultimately transformed their business models by enabling capital recycling and risk distribution.
In the same way, a functioning cyber risk exchange complements rather than replaces cyber insurance by offloading systematically priced risks to capital markets – freeing insurers to focus on diversifiable, idiosyncratic exposures. History shows that innovations in risk transfer often appear threatening at first, but they consistently unlock greater market efficiency, broader participation and improved capital allocation for those who learn how to adapt.
Insurers and reinsurers: strategic risk transfer
Within this new market paradigm, cyber insurers and reinsurers will gain the unprecedented ability to precisely measure where they are accumulating non-diversifiable systematic risk.
They can then efficiently sell or transfer this unwanted systematic risk onto the PCRE, optimising capital allocation. Real-time PCRI direction will inform pricing decisions.
This allows insurers to offer more robust policies, virtually devoid of systemic, state-actor and IP exclusions, at lower, more sustainable prices. This fulfills their core mandate of managing diversifiable idiosyncratic risks more effectively while enabling efficient allocation of systematic risks. This will free up capital, improve rating agency confidence, improve return on equity and markedly improve market valuations for companies that learn how to leverage the cyber exchange to their advantage.
Brokers: expanded client solutions
Cyber brokers will retain their vital role as primary originators and distributors of traditional cyber insurance. The PCRE will also present them with a novel opportunity: to originate and transfer risks directly onto the exchange. This expands their service offering, providing clients with sophisticated hedging solutions in addition to traditional insurance, acting as a crucial bridge between corporate policyholders and capital markets.
Clearing: ensuring market integrity
As with any exchange-traded derivatives market, the integrity of the cyber risk market will hinge on robust risk management. Participants will hold securities whose value fluctuates, requiring them to post and maintain margin. This critical function should be diligently handled by a recognised and highly capitalised clearing house for security transactions, ensuring central counterparty clearing and mitigating systemic risk. This standard practice provides reliable risk transfer infrastructure.
Buyers, sellers and market makers
A cyber exchange will introduce some changes into how cyber risk is intermediated, beginning with language. Today, companies purchase cyber insurance. At a high level, companies will now lay off (sell) their cyber risk on the PCRE by taking a hedging position. They will "ask" for a bid from investors to buy a derivative contract designed to appreciate in value when systematic cyber risk rises. The buyers (investors) of this derivative will bid prices for the cyber risk they are willing to assume. Market makers will act to facilitate these transactions by providing liquidity when the spread between the bid and ask prices is too wide to encourage a rapid flow of activity.
A great deal of the PCRE's activity will be invisible to most participants, as cyber insurers and brokers will be accessing this capital through hedging activity on their customers' behalf, just like with reinsurance. But large companies with mature trading operations and/or deep investment banking and capital markets expertise may access the exchange on their own.
Market makers and other participants in the PCRE ecosystem will provide analytics to reveal the reliability of the PCRI and its performance in pricing cyber derivatives.
Regulators
The regulators for the PCRE will be the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CTFC). It is highly unlikely that cyber derivatives will be regulated as insurance because they function as financial instruments, not traditional insurance.
Claims handling: a paradigm shift
This may be one of the more unnecessarily contentious issues in the use of the PCRE. Insureds will not receive funds from a third party in the form of a claim payout. This is because the hedge is intended to preserve the attack victim's enterprise valuation, thereby enabling the covered party to more efficiently pay their own claims.
The hedge is intended to preserve the attack victim's enterprise valuation, thereby enabling the covered party to more efficiently pay their own claims
As systematic cyber risk materialises and a company's valuation declines, its purchased derivative position on the PCRE appreciates in value by an offsetting amount. The company can then liquidate this appreciated asset to satisfy legal claims and pay other stakeholders' legitimate claims, preserving goodwill.
Our observation has been that the value preservation afforded by the hedge far exceeds typical cyber insurance payouts, in addition to having no exclusions. Nevertheless, we anticipate that some companies may put a higher value on a claim being paid by a third party than having enterprise value preserved, even when the benefit of the PCRE is manifestly greater.
To provide context, Target Corporation's market capitalisation was approximately $46bn on 20 July 2013 (stock price ~$72.5 × ~635m shares). By early March 2014 – when the share price bottomed around $56 – it had fallen to roughly $35bn, representing a total loss in enterprise value of nearly $11bn. In contrast, Target incurred the following costs related to the breach:
| Costs | Value |
|---|---|
| Bank Settlements | $58m |
| Payment network/merchant payouts | $67m |
| Consumer class action settlements | $10m |
| State restitution settlements | $18.5m |
| Internal investigations and R&D | $162m |
| Total | $316m |
These outflows, while substantial, totaled a fraction of the estimated $10bn+ in market capitalisation lost during the same period. Target's cyber insurance reimbursements covered only about $90m of that loss, leaving more than $10bn effectively uninsured.19 While it's true that Target's stock price eventually returned to its 20 July 2013 value by 16 December 2014, the interim volatility embeds a steep valuation discount in stock price – penalising long-term shareholders and damaging enterprise value.20
Part 9: The real objective
It is often overlooked that the primary purpose of cyber insurance – or any form of risk transfer – is to preserve the enterprise's valuation, not merely to fund external claimants. The Target case underscores this distinction. While payouts to customers, card networks and regulators drew headlines, they were minimal relative to the impact on shareholder value. The tradeoff between traditional insurance payouts and enterprise value preservation is not unique to Target; in fact, analysis reveals this case reflects an average example of how hedging cyber risk through market-based instruments outperforms conventional cyber insurance in terms of risk transfer and shareholder value.
No additional cost
Hedging through PCRE doesn't add to the cost of cyber protection – it reduces it. By offloading the systemic portion of cyber risk to the market, insurers can focus their capital on what they do best: covering firm-specific breaches. This unbundling lowers premium, removes systemic exclusions, and frees up insurer capital – all while giving companies a hedge that's mark-to-market and liquid.
For investors, that's the opportunity. As insurers sell off systemic cyber risk, someone has to take the other side of the trade – and they'll pay to do it. Buyers of cyber risk gain exposure to an uncorrelated, mispriced asset class with built-in yield. In this way, PCRE doesn't compete with insurance – it completes it. The result is better coverage at lower cost, with capital markets earning the spread insurers no longer want to hold.
Conclusion
For too long, we have stubbornly treated cyber risk as a simple, insurable threat, misdiagnosing a systemic vulnerability as an idiosyncratic event. This self-inflicted misstep has left us flying blind, unable to manage a risk that is both visible and measurable.
For too long, we have stubbornly treated cyber risk as a simple, insurable threat, misdiagnosing a systemic vulnerability as an idiosyncratic event
The solution is not to invent new tools, but to apply a proven financial architecture to the digital age. Just as the breakthroughs of Markowitz and Sharpe transformed our understanding of portfolio risk and unlocked a new era of financial efficiency, a liquid, market-based solution for cyber risk stands poised to do the same. This pivotal step will unleash the immense capacity of capital markets to absorb, price and actively manage this pervasive threat.
This proposed paradigm shift is a call to complete the financial architecture of risk management. A fully functioning, tradable market for cyber risk is not merely a theoretical possibility – it is an urgent necessity, long overdue. It is the final piece of the puzzle needed to transition from merely surviving cyber threats to thriving in a digital world.
Earlier in the article, we cited one cyber security expert as saying, "We are winning every battle but losing the war." This article has revealed a strategy for winning this war.
The greatest misconception among all participants in the cyber ecosystem, including cyber insurers, is the fundamental misunderstanding of the nature of cyber risk. The cyber insurance industry has remained largely paralysed by the belief that a massive, catastrophic cyber event of unpredictable magnitude lies ahead – an event not yet reflected in historical data, but one that could potentially collapse the entire insurance sector. This fear has led to overly restrictive underwriting practices, resulting in cyber policies that offer minimal real protection to insureds.
The great irony is that once cyber risk is properly recognised as a systematically distributed market risk (SDMR), it becomes clear that investors have already priced this peril into the valuation of global equities. This recognition does not deny the possibility of a large, sector-wide cyber event in the future – it simply means that the catastrophic features of such perils can now be approximated for individual companies using the magnitude of the discount implied by PCRI and hedged on a cyber risk exchange, making comprehensive and effective risk transfer finally achievable for insureds.
This article has outlined how that framework can be implemented – allowing insurers and non-insurers to transfer the catastrophic, systematic component of cyber risk through a functioning cyber risk exchange. In doing so, cyber risk can be relegated to the status of other managed market risks, no longer an existential threat, and no longer a top concern in the boardroom.
That is not just how we win the war. It is how we end it.
Footnotes:
1. See definitions of idiosyncratic, systematic and systemic risks in Part 1, below.
2. https://www.economist.com/finance-and-economics/2002/02/28/shine-a-light
3. Awiszus, K., Knispel, T., Penner, I., Svindland, G., Voß, A., & Weber, S. (2023). Modeling and Pricing Cyber Insurance – Idiosyncratic, Systematic, and Systemic Risks. European Actuarial Journal, 13, 1-53
5. In a 2018 interview with CNBC, JP Morgan Chase CEO Jamie Dimon stated that "the biggest vulnerability is cyber, just for about everybody," describing cyberattacks as "the biggest threat to the current financial system" https://www.foxbusiness.com/markets/jamie-dimon-cyberattacks-are-financial-systems-biggest-vulnerability
6. The latent risk's orthogonality highlights its independence from conventional economic cycles, allowing it to signal underlying vulnerabilities early. However, as such a systemic risk propagates through digitally interconnected systems, its aggregated effects will inevitably influence and reshape traditional macro-risk drivers.
7. Allison Nixon, Chief Research Officer at Unit 221b. On a 1 June 2025 episode of 60 Minutes, she remarked:"It feels like as defenders we're ... we're winning every battle and losing the war."
8. A hedge ratio (delta) showing that a 1% increase in cyber risk causes a 2.2% drop in market value implies that market prices already reflect exposure to cyber risk. By applying this 2.2% sensitivity to the total market capitalisation of the S&P 500, we can estimate the notional value of cyber risk embedded in those stocks – i.e., the portion of market value at risk due to changes in cyber risk.
9. Under EMH, bond spreads reflect all known risk. When guarantors enhanced lower-grade bonds to AAA but charged only a fraction of the spread, they ignored the market's full risk assessment. EMH implies that the entire spread is required to compensate for that risk – charging less led to underpricing and eventual collapse.
10. https://en.wikipedia.org/wiki/American_International_Group
11. Awiszus, K., Knispel, T., Penner, I., Svindland, G., Voß, A., & Weber, S. (2023). Modeling and Pricing Cyber Insurance – Idiosyncratic, Systematic, and Systemic Risks. European Actuarial Journal, 13, 1-53
12. In modern finance theory, a risk is considered systematic not simply because it exists in reality, but because it is perceived by investors and priced across a broad array of assets. This principle is foundational to the Capital Asset Pricing Model (CAPM) developed by Sharpe (1964), Lintner (1965), and Mossin (1966), which asserts that only systematic (non-diversifiable) risks are rewarded with a risk premium. As Merton (1973) extended in the Intertemporal CAPM, systematic risks are those that affect expected returns in equilibrium and cannot be eliminated through diversification. In this framework, a risk becomes systematic when it is reflected in asset pricing.
Key References:
- Sharpe, W.F. (1964). Capital Asset Prices: A Theory of Market Equilibrium under Conditions of Risk. Journal of Finance.
- Lintner, J. (1965). The Valuation of Risk Assets and the Selection of Risky Investments in Stock Portfolios and Capital Budgets. Review of Economics and Statistics.
- Merton, R.C. (1973). An Intertemporal Capital Asset Pricing Model.
14. https://www.nobelprize.org/prizes/economic-sciences/1990/sharpe/facts/
15. Stationary distributions have constant statistical properties over time – its mean, variance, and structure remain stable and tends to characterise insurance risk – while a non-stationary distribution changes, often unpredictably, making modeling and forecasting more difficult. Market risk generally represents a non-stationary distribution because it evolves with changing economic conditions, volatility regimes, and structural shifts in markets, meaning the risk profile does not remain constant over time.
16. A tradable forward price requires a risk that is systematic or broadly shared – i.e., one that affects many market participants and can be priced into asset values. If cyber risk were purely idiosyncratic – affecting only individual firms independently – it would be diversifiable and have no consistent or observable market-wide effect. In that case, there would be no aggregate price signal or hedging demand to support a futures market. This is consistent with financial theory, which holds that idiosyncratic risks are not compensated with risk premiums and do not support active derivatives markets.
18. However, because the PCRI is currently anchored to the cyber sensitivity of S&P 500 companies, its effectiveness as a hedge for insurers depends on how closely their insured portfolios track that universe. Insurers heavily exposed to smaller or non-public firms may require either a broader index or custom overlays to fully benefit from PCRI-based protection.
19. Target Data Breach Price Tag: $252 Million and Counting | Mintz
20. Numerous studies in financial accounting demonstrate that firms with more volatile earnings exhibit significantly lower market valuations, even after controlling for other financial metrics. For example, Hunt, Moyer, and Shevlin (1996) find that lower earnings volatility is associated with higher equity values, underscoring that markets apply a discount to firms with unpredictable earnings streams (see diva-portal.org+13faculty.washington.edu+13onlinelibrary.wiley.com+13.) This aligns with broader valuation theory: when earnings are unstable – whether due to cyber attacks, commodity shocks, or other disruptions – investors demand a higher risk premium, which depresses stock prices even if average profitability remains unchanged.