With computer security incidents causing business interruption and privacy breaches, there is a “very real possibility” that a catastrophe bond covering cyber risk might be available, the head of a cyber risk modelling vendor predicts.
Catastrophe bonds are a form of insurance-linked securities (ILS) that allow pension funds and institutional investors to bet some of their money that a certain type of catastrophe (such as a hurricane or earthquake) will not happen.
If the insured event does not happen, the investors get a higher rate of interest than if they had parked their investment money in treasury bonds. If the insured event does occur, the investors could lose all the money they put in.
There was US$89 billion in alternative capital on risk in ILS in 2017, according Aon.
Right now, most insurance-linked securities reinsure property catastrophe risk, Pascal Millaire, CEO of CyberCube Analytics Inc., said in an interview Thursday. But he added there is a “very real possibility” that a cyber cat bond could be offered.
“It’s very early days for that market, but I think it’s something we should all watch very closely in the years to come,” Millaire said. He added there are “plenty of players” who are “thinking about the provision of risk transfer and ILS in the cyber world.”
CyberCube announced Wednesday a partnership with Jardine Lloyd Thompson Group plc’s reinsurance brokerage unit. JLT Re will use CyberCube technology to model cyber risk.
CyberCube was founded within Symantec Corp. (the computer security vendor that makes Norton Anti-Virus) to make cyber modelling software for insurers. CyberCube emerged this past March from “stealth mode.”
One of the challenges for insurers in pricing and underwriting cyber coverage is figuring out how much a catastrophic cyber incident could cost the insurer. It is possible the same cyber incident could affect a dozen or several hundred separate individual organizations, all of whom bought cyber insurance from the same insurer.
Cyber crime causes economic losses on the order of several hundred billion dollars a year, Millaire noted Tuesday, citing data from a Rand Corporation report released in 2018. But this estimate “doesn’t account for what the losses [could] look like in a really bad year,” he added.
In an extreme event arising from a software vulnerability, losses could be nearly US$30 billion, Lloyds noted in Counting the cost: Cyber exposure decoded, a report released in July 2017.