Cyber Cat

“What in the world is most mispriced?”

If I had a really good answer to this question, I would be keeping it to myself, and probably working at a hedge fund. But here’s a passable answer - and a topical one too: cyber reinsurance.

Cyber is a big deal. Global cyber insurance premiums are projected to be ~$15 billion in 2024 and to grow to $43 billion by 2030. Historically, insured cyber losses have been 30-40% of premiums; in 2023, the FBI received more than 880,000 complaints of cybercrime with reported losses of $12.5 billion. Every business in the world is at risk of a devastating cyber attack or outage. The potential blast radius is enormous - as the CrowdStrike incident that caused BSODs on 19th July 2024 demonstrated.

In property insurance, big losses are caused by natural catastrophes - two canonical examples are the 1906 San Francisco earthquake and Hurricane Andrew in 1992. The insurance industry has a good understanding of the mechanisms (or ‘perils’) by which nat cats occur. Those perils can be planned for, and their frequency can be modelled in the aggregate.

However, cyber insurance is much more difficult, for a straightforward reason: nobody knows what a cyber catastrophe looks like. There’s no expert consensus on how cyber losses aggregate. We’ve never had a real cyber cat, and experts can’t even agree on the mechanisms by which a cyber cat might happen.

A 2016 study by Cambridge academics and the leading risk modelling company, RMS, suggests five main processes by which a massive cyber loss might occur:

  • Cyber Data Exfiltration: Systemic release of confidential customer records from many corporate enterprises

  • Denial-of-Service Attack: Attacks to disable websites and disrupt online business activity across multiple companies

  • Cloud Service Provider Failure: A large number of companies have business operations disrupted by losing cloud-based functionality when a major cloud service provider company suffers a disruption

  • Financial Transaction Cyber Compromise: Theft of large sums in cyber attacks on multiple enterprises that carry out financial transactions

  • Cyber Extortion: Many companies are held to ransom by hackers disabling IT functionality to obtain payoffs

But that leaves lots of questions outstanding, including:

  • What are the biggest vulnerabilities? SAP? AWS? DNS?

  • If hackers identified a zero-day vulnerability in a widely-used piece of software, would they have to exploit it in series (target-by-target) or in parallel?

  • How exposed is property (e.g. factories and oil rigs) to cyber attacks? Could hackers take down the electricity grid? Is that more or less important than financial or data-related attacks?

  • Would “good guys” be able to respond in time to prevent most of the damage (unlike e.g. in an earthquake)?

As a result, experts reasonably disagree, by over an order of magnitude, about how big the probable maximum loss (PML) from a cyber cat could be.

  • UK Government and Marsh (2015): global PML is £20 billion.

  • IMF (2018): PML to financial institutions could be $270-350 billion.

  • Marsh (2020): set out five cyber loss scenarios for the US. The biggest is a “widespread data loss from a leading operating system provider” - $23.8 billion.

  • UK OBR (2022): PML from an electricity grid attack in the UK is £29 billion.

  • Lloyd’s (2023): PML from an attack on a financial services payments system is $3.5 trillion globally - $1.1 trillion in the US alone.

  • Coalition (2024): 1-in-250 year PML in the US is $29 billion.

Traditional (re)insurers aren’t comfortable with the risk of cyber cat. For instance, at the 2023 Rendez-Vous, Laurent Rousseau, then CEO of French (re)insurer Scor, said:

The main reason for Scor's lack of increasing its cyber premiums is the uncertainty around its cyber accumulation risk. Reinsurers are unsure of the probable maximum loss (PML) estimates because cyber is evolving so quickly.

By contrast, specialist cyber insurer Coalition is much more bullish: its Head of Insurance Shawn Ram said that:

There's always the possibility of a black swan event, and we won't dismiss that. But we do believe, at least where cyber insurers offer coverage, that the potential for and consequences of a cyber event are oftentimes overstated.

And Josh Motta, Coalition’s CEO, thinks that reinsurers are overestimating the risks of a cyber catastrophe:

A lot of the scenarios that people think about, in my estimation, just simply aren't possible. People have a fundamental misunderstanding of how the internet is structured. … And that can lead to some pretty rash and implausible assumptions. For example, malware taking down all Windows computers globally. You don't know how hacking works if that's a plausible scenario in your catastrophe modelling. … I'm not overly optimistic in that there can be no accumulation event in cyber, I just think that the modelling that's being done now is so overblown that absolutely there is an arbitrage opportunity for those that are willing to seize upon it.

In the aftermath of the CrowdStrike failure, one might take issue with Motta’s optimism - haven’t we just seen an event “taking down all Windows computers globally”? But it’s not clear that hackers could obtain the same kernel-level privileges that CrowdStrike’s software has - and that’s exactly the issue. Experts reasonably disagree about cyber cat, so reinsurers can’t price it, and insurers can’t be sure what they’re buying protection against. As such, there’s too much uncertainty for cyber reinsurance brokers to make a market effectively.

This disagreement is so significant that I think there’s an opportunity for hedge funds to develop a differentiated view on the risk of cyber cat by getting actuaries and hackers together. Are reinsurers pricing it correctly?

You then want to bet on insurers if you think reinsurance is too cheap, and on reinsurers if it’s too expensive. You could take equity positions in the insurers and reinsurers that are relatively more exposed to cyber; but since it can take a long time for the ultimate responsibility for cyber losses to be adjudicated, and most insurers and reinsurers are broadly diversified, it’s probably better to provide capital-at-risk for insurers and reinsurers directly.

That could happen in various ways. As far as I’m aware, the market for insurance-linked securities (ILS), or ‘cat bonds’, in cyber is still nascent, but you could provide capital to reinsurance programmes or cyber MGAs. Funds already do this to some degree; D.E. Shaw actively deploys capital into reinsurance, but I don’t know what they think their edge is.

I’m not well placed to judge whether cyber reinsurance is overpriced; I don’t have the cybersecurity chops to generate that view. But for an appropriately-informed actor, there’s an interesting opportunity in cyber reinsurance.
