Almost all modern companies require secure internet access and data management systems in their business model. The traditional notion of security involves ‘Confidentiality’, ‘Integrity’, and ‘Availability’ (CIA). Consider a simple case of a retail vendor who offers an online customer support service. They will be expected to keep customer data confidential so that their personal and financial details do not fall into unauthorised hands. If not, they may be liable to regulatory fines, customer complaints, or severe harm to business reputation. Further, they need to guarantee that the data held on a customer is correct and cannot be changed without proper authentication; otherwise the company will offer the wrong service to their clients. Finally, the vendor will need to access the data on a customer as soon as they submit an online query or make a customer support call, in order to provide quality on-demand service. Any breakdown in the CIA of a client’s data will directly harm the revenue of the business.
While some risk of CIA failures for a business can be managed with techniques like network firewalls, staff security training, backup storage and encryption, it is impossible to eliminate all cyber security risks. There is a significant amount of risk that either cannot be managed directly or is too costly for the business. A targeted distributed denial of service attack (DDoS) or skilled deployment of ransomware from cyber criminals or online trolls may hugely outmatch the business’s own defensive security capabilities. In much the same way that no home can afford to fully protect itself from a skilled or determined robber or extreme weather damage, no business can be expected to fully protect itself from internet-related threats. For this reason, many firms look to transfer inordinately expensive and uncertain risks to a third party, an insurer. Cyber insurance is a broad term covering policies to cover the risk of, for example, network downtime, ransomware, data corruption, or reputational harm following a breach.
Challenges the cyber insurance market faces
Established markets such as home and property insurance rely on two main principles: the stability and independence of insured risks. Stability means that the insured risks do not change in intensity or likelihood too rapidly, or at least the growth in risk is predictable over a number of years into the future. For instance, rate of damages to homes is roughly proportional to predictable factors such as population growth and seasonal weather patterns. Independence means that one package of insured risks (e.g. 1000 insured homes in one city) is statistically independent of another (1000 homes from another city). These principles imply that an insurance vendor who insures a large portfolio of risks can predict the average aggregate loss total each year with extreme accuracy (due to stability) and precision (independence). As such, the insurer can charge their clients an insurance premium that is only negligibly above their average risk, instead of the insured having to protect themselves against severe but rare loss events.
In cyber insurance, however, neither of the two principles hold up, at least not yet and not for the foreseeable future. The Internet is evolving and growing in new and innovative ways each year, and the technology employed by cyber criminals is advancing just as fast. Each new functionality provided by a web app, every software update to an operating system, and each advancement in communication provides opportunities to businesses and criminals alike. Moreover, geopolitical risks such as nation state attacks on the economies and infrastructures of enemy nations are still in their embryonic stage, and we are yet to properly measure the risks from this new threat. Cyber risks are not stable. The other problem is that risks are not independent: a virus on my device can propagate to your device, especially if we have some kind of business relationship or trust connection. Moreover, many seemingly disparate firms might all be using the same piece of operating system, or rely on the same third-party cloud service provider (CSP), and any security vulnerabilities with the operating system or breakdown in availability from the CSP will affect clusters of clients at once.
When an insurer cannot minimise the variance of risk on their own books, they can seek reinsurance. The classic approach is to sell the extremely unlikely loss events to a reinsurer. Reinsurance through another insurer works best when the base insurer cannot afford to insure a large or diverse enough portfolio to get the variance on their books down to zero, so they sell extreme risk to another insurer who diversifies their own risk by insuring a large portfolio of base insurers. But it is a poor model to transfer cyber risks because the reinsurer will cautiously overestimate the loss distributions on their books to cover potential unknown risks or, more typically, will refuse to engage in the transaction at all. A modern approach is through a process of issuing special securities known as Insurance-Linked Securities (ILS) which includes, but are not limited to, catastrophe bonds. This approach is used with great success in the insurance of losses due to natural disasters, especially against hurricanes in Florida or earthquakes in Japan. A similar approach will gain traction for losses due to a range of cyber events in the future.
An ILS is typically structured so that investors are issued the bond after depositing a fixed principal dollar amount into a trust known as a Special Purpose Vehicle (SPV). These investors hope to receive coupon interest payments periodically (e.g. every six months), and receive the principal back at a given maturity date (e.g. after three years), modulo interest rates. This payment structure, however, depends on whether a specified event occurs during the bond’s lifetime, such as a prolonged downtime of a named CSP or a remote root exploit found in a given operating system. If one of the ‘trigger events’ occurs, then the SPV is empowered to use the principal investments to reimburse the insurance vendor for the losses caused by that event, and may terminate or reduce coupon repayments thereafter. The SPV effectively acts as a reinsurer but faces negligible risk of ruin itself because the principal investments are paid up-front, a structure described as fully collateralised reinsurance.
The great advantage of ILS over classical reinsurance is that a security can be traded freely over the capital markets at any state in its lifetime, so that in a competitive market the price of the security will follow the current market information about the likelihood of the security making a profit or loss, depending on the current change of the trigger events occurring. This gives a precise metric for measuring the risk on an insurer’s books at any given time, who then can always issue new ILS notes to rebalance their risk portfolio dynamically, instead of being stuck with whatever insurance policy they agreed to with a reinsurer in the classical model. Further, there is less of a concern about risk aversion creating inflated reinsurance premiums because each individual ILS note holder can straightforwardly limit their exposure to as little as they want simply by depositing a fixed principle, even though the sum exposure of all the ILS notes may be extremely high.
Cyber will see a return to the roots of insurance as it started in Lloyds: investors sitting in metaphorical coffee houses, shuffling hundreds of small insurance policies in the form of ILS notes and deciding whether or not to bet. The policies could cover a foreign state taking-down the payment systems of credit cards, to a power-cut preventing an internet service provider from functioning, to a statement from a security standards organisation that AES encryption is no longer secure, or to a Supreme Court statement affecting data liability. Any event that can loosely be described as ‘cyber’ is a valid trigger of an ILS security, and the sheer range of possible events can cover any imaginable cyber insurance policy that a business may want to buy. All it takes is the will and imagination of insurance vendors to make it happen, and the bartering can begin!