ESG now

Cyber Catastrophe Bonds... Wait, What?

February 09, 2024

The stakes on data protection and privacy are only getting higher. Hacks, breaches and data leaks are becoming bugbears of the modern corporate world. Insurers offer products for cyber-related incidents, but in a complex, evolving risk landscape, there are a lot of asterisks. We take a look at the current cyber insurance market, and how insurers are de-risking their positions through cyber catastrophe bonds. 

Host: Margarita Grabert, MSCI ESG Research
Guest: Federico Darakdjian, MSCI ESG Research

ESG Now Podcast

Transcript, 09 February, 2024

Margarita Grabert

 

Hello and welcome to the weekly edition of ESG Now, the show that explores how the environment, our society, and corporate governance affect and are affected by our economy. I'm Margarita Grabert, your host for this episode. In the last episode I hosted, surrounded by the holiday joy of December, we were getting into the thick of climate adaptation bonds. And while we'll be talking about bonds in today's episode, they're going to have a very different, futuristic flavor. And that's because we'll be diving into the world of cyber insurance. As we're going to see, insuring companies against cybercrime is actually becoming more and more common. And even though this isn't technically a new risk, things are still pretty rough around the edges, which can make it hard for insurers to price risk effectively or for investors in risk-based bonds to know just how risky they may be. So thanks for joining me today, and let's see where this story takes us.

 

With technology ever evolving and a large part of our lives existing virtually, society as a whole has become more susceptible to cyber-attacks. And yes, cyber-attacks can definitely affect us on a personal level, especially if you're taken in by a suspicious email that miraculously declares you've inherited millions of dollars from a long-lost relative, and all you need to do is click on this teeny weeny, very suspicious hyperlink. But for businesses, the risk is dynamic and growing. So reliant on technology with large workforces and in some cases working in remote locations, data breaches, ransomware and other types of cyber-attacks are a daily threat. The more direct impacts of cyber-attacks on a business could include things like the loss of sensitive or personal information, disruption to operations and direct financial losses. And in better publicized data breaches, companies can also take a hit to their reputation and lose the trust of their customers or other stakeholders.

 

For investors, the general risk of cyber-attacks or negligent data handling is not going to be new information. But what is new, what is changing is that the frequency and scale of these cybersecurity incidents is rippling into the world of insurance, which may have some long-term consequences for all companies, and that's where we're going to get stuck into in this episode. First, we'll take a quick tour of some recent cyber-attacks and their impact. Then we'll discuss how insurers think about pricing cyber risks and what tools they're using to offload some of this risk. Then we'll touch on what this might mean for companies that face cybersecurity risks and their investors. To start us off, my colleague Federico Darakdjian out of MSCI’s Zurich office gave us a palate-cleansing reminder of just how devastating cybercrime can be.

 

Federico Darakdjian

 

You are right, Rita, cybercrime has become an important risk for companies to consider. A report from Munich Re highlights that ransomware and supply chain attacks dominated the cyber risk space over the past couple of years, and ransomware was by far the leading cause of cyber insurance losses. By some estimates, ransomware will cost its victims approximately $265 billion annually by the end of the decade. Historically, most of the conversation around cyber crime focused on data breaches. However, the 2017 NotPetya attack was a pivotal point in the cyber crime world, and it changed the focus of the conversation. It was a cyber-attack that originally targeted Ukrainian infrastructure, but ended up escaping into the corporate world. One of the companies affected was Mondelez, which faced damages in the range of a hundred million dollars in a four-year legal battle with its insurance provider. Overall, this attack created more than $10 billion in global damages. In general with cybercrime, what you need to understand is that the costs associated with these attacks go beyond just the ransom that you would pay and include things like regulatory fines, court costs, and even reputational damage.

 

 

Margarita Grabert

 

Right, so if you missed it, and don't worry, I had to look it up too, the incident Federico mentioned was the NotPetya attack. It kind of set the bar for cybersecurity attacks. So companies are nervous about cyber-attacks naturally, but most of them are not just waiting around twiddling their thumbs, they're doing something about it. And this is where data privacy and protection comes into play. Companies that implement stronger data privacy and protection measures could be better protected in the case of a cyber-attack, and it'll be harder to gain access to sensitive information if it's encrypted or there are firewalls in place. However, even companies with strong cybersecurity practices and robust data privacy policies might not be immune to cyber-attacks, which is where insurance comes into the picture. Companies and their investors will want to know that in the event of a cyber-attack or a data breach that they have somewhere to turn to offset revenue losses, legal fees, and just make sure they can keep the lights on.

 

And for insurers, risk, any type of risk essentially, represents an opportunity as well. If you can crunch the numbers and price that risk effectively, then you can turn a profit. And unsurprisingly, given what Federico was telling us, cyber risks are starting to feature very prominently on the radars of major insurers. As an example, the insurance company AXA has been releasing an annual “Future Risk Report” and in their 2023 report, they showed that cybersecurity risk came in second place in their ranking and has been in the top three since 2018.

 

In case you are wondering, climate change took first place. And of course, climate risk, especially physical climate hazards, are a helpful reminder that pricing risk can include a bunch of sophisticated models with lots and lots of data. But even with all that information, it can be tricky to know when and how severe the next climate disaster will be. Cybersecurity risk though is a very different beast. Insurers will have developed their own models on this risk where it's high or low, which companies are more susceptible and all kinds of data that will help them price this risk. But as Federico told me, unlike something like climate risk, cybersecurity risk has a very human component, either on the side of simple errors by users or employees, or more direct, malicious intent by hackers.

 

 

Federico Darakdjian

 

The main issue with predicting cyber crime is that it has no geographic boundaries. It's in constant evolution and is a human-driven risk. This means that for insurance companies, these risks are harder to assess and quantify. Due to these factors, it makes it challenging for insurers to price risks accurately, and many have suffered great losses over the years. According to Swiss Re, with the rapid digitalization we have experienced and the increased frequency of cyber-attacks, there has been a significant spike in loss ratios for insurance companies. This has translated into increases in premiums from insurers offering coverage for cyber crime as well as stricter underwriting conditions.

 

Beyond that, we've also seen insurers starting to partner with cybersecurity companies to help improve cyber hygiene practices and address any potential gaps of their policy holders. An example of this is MAPFRE partnering with technology provider Cyberwrite to help the insurer's clients reduce the risk of cyber-attacks with AI. Similarly, Chubb and SentinelOne have partnered to enhance the cybersecurity practices of their clients. While prices are leveling off now and more companies are looking to have cyber insurance, the scope of the policy remains a key risk for companies to watch. Coverage restrictions are increasing, most notably war exclusions and state-backed attacks.

 

 

Margarita Grabert

 

Okay, so it's clear that insuring businesses against cyber-attacks is a challenging landscape to navigate, with it being a human-driven risk that has no borders or specific timelines to follow. A global risk report from the World Economic Forum found that the rate of cyber-attacks against governments varied, with the US being the most often attacked and the UK coming in second. That's also the case from industry to industry. The research and education industry is most affected by cyber-attacks at a rate of around 1,600 per week, whereas the transportation industry is seeing a lot less at around 500 per week. And as you would expect, insurers have tailored their premiums accordingly. There's actually a lot of different types of cyber insurance, not only in the form of first party versus third party coverage, but even more specific. As Federico told us, more insurers are actually diving into the practices of the companies they provide coverage for to ensure they're meeting at least some minimum cybersecurity practices.

 

But these measures are not a guarantee. In IBM's “Cost of a Data Breach Report” from 2022, they found that 83% of the companies they surveyed experienced more than one data breach, and these breaches are costing an average of $4.3 million. So cybersecurity is a new market and potentially a growing source of revenue for insurers. This also means that they're currently sitting with a lot of risk, and that is when the alarm bells should start ringing, at least in the background, because the right amount of risk is fine, but too much becomes a non-starter. And if insurers can't find a way to spread that risk around, it's either bad news for premiums or even worse – uninsurable risk. For now, insurers have turned to a familiar tool to de-risk their position. One that is quite familiar when it comes to insuring against natural catastrophes, and that is to issue catastrophe bonds but less for wildfires and more for wild hackers.

 

 

Federico Darakdjian

 

We know that insurers that are providing cyber insurance are relying heavily on the reinsurance market. And this makes sense given how new this market is and the risks associated with underwriting cybercrime. But this reinsurance market isn't large enough. Howden, an insurance broker, highlights that reinsurance is the single biggest challenge for the industry to overcome. Cyber reinsurance supply will need to increase significantly to meet the demand between now and 2030, and by some estimates, reinsurance capacity will need to increase more than three times in order to fulfill the growth expectations.

 

A way in which insurers are bypassing these limitations is by looking at the capital markets. Those looking for reinsurance protection have been sponsoring cyber catastrophe bonds. Actually, British-based insurer Beazley was the first company to sponsor such a bond. The company sponsored four transactions in 2023 and in total secured around $220 million in reinsurance capital. And since then, we've seen other companies sponsor such bonds as well, including AXIS Capital, Swiss Re and Chubb. One of the benefits of turning to the capital markets for the industry is that this helps them build resilience against extreme tail risk events. The use of catastrophe bonds isn't something new in the insurance market, but historically its use was more associated with natural catastrophes rather than for cyber risks.

 

 

Margarita Grabert

 

So it seems like the insurance industry, especially the companies focused on cyber insurance, are having to explore more financial tools to try to de-risk their portfolio. And as Federico just told us, we might be waiting until 2030 for the reinsurance market to grow enough to fulfill the demand for insurers. And the riskiness of this area of insurance and the limited reinsurance market is reflected in the soaring premiums that have been observed for cyber insurance. Swiss Re forecast that in 2023, the total global premiums for cyber insurance will amount to just over $15 billion as compared to two years before in 2021 when it was sitting at around 10.

 

However, research from the Harvard Business School highlighted that even though premiums are growing and it looks like the market is expanding, part of this growth is actually just from companies spending more to buy insurance that covers the same or even less than it did before.

And while there may be more companies queuing up to buy insurance products, some insurers have been leaving the market altogether, so things feel pretty delicately poised. Cyber risks are rising. Companies know this and so do investors. IT departments are frantically trying to stay on top of things with the latest technology, best practices, and somewhat cheesy training videos. Both companies and investors though would probably feel a lot better if alongside these best efforts to prevent breaches or hacks that there was some kind of backstop and that backstop would usually be an insurer. But if the cyber insurance market can't roll with the punches and can't figure out a way to bring in a more solid reinsurance market, well then things do get a little trickier.

 

That might put way more pressure on a company's own internal controls and more demand from investors to see exactly what a company is doing to head off hacking risks and more disclosure about when data breaches occur. All of this is to say that cyber risk is rising and it's not clear exactly where and how that risk is going to land. So to wrap up, I asked Federico to tell us in his opinion, where this market might be heading in the coming years.

 

 

Federico Darakdjian

 

Overall, it seems like the cyber insurance market will keep growing. On the back of this, the global cyber insurance market tripled in volume in the last five years, expanded to gross direct premiums of around $15 billion in 2023 according to Swiss Re. The four main things I expect to see in this market are firstly, scope of coverage is still an important part of the conversation. We could see continued litigation between policy holders and insurance companies and potential payouts related to cyber-attacks. 

 

Secondly, I would expect to see strong cyber hygiene requirements from insurance companies from their policy holders. Those not reaching minimum standards will find it harder to secure coverage in the coming years. In line with this, we expect to see more board-level involvement in privacy and data practices. As of today, our data shows that only around 11% of MSCI's ACWI companies have a board-level committee overseeing privacy and data security.

 

Third, I expect regulators to look closer at the cyber space. For example, in January 2023, the Bank of England warned that insurers must assess the consequences if exclusions in their cyber policies do not hold up when challenged by customers. 

 

And lastly, at its current size, the cyber insurance market is not deep enough. There have been conversations, particularly in the US and the UK about the possibility of governments stepping in to provide a backstop in case of a large systemic event and AXIS deputy chief executive recently mentioned that a public-private partnership on cyber is a “must have”.

 

 

Margarita Grabert

 

So that's it for this week. I want to say a big thank you to Federico for joining me today and giving us his take on the news with an ESG twist. And a big thanks to you for listening. If you enjoyed our content, feel free to give us a like or some stars or even subscribe on whichever platform you are listening from, so that you can hear me or one of our other regulars again next week. So thanks again and talk to you soon.

 

 

The MSCI ESG Research podcast is provided by MSCI ESG Research LLC, a registered investment advisor under the Investment Advisers Act of 1940, and a subsidiary of MSCI Inc. Except with respect to any applicable products or services from MSCI ESG Research, neither MSCI nor any of its products or services recommends, endorses, approves or otherwise expresses any opinion regarding any issuer, securities, financial products or instruments or trading strategies. And MSCI's products or services are not intended to constitute investment advice or recommendation to make or refrain from making any kind of investment decision and may not be relied on as such. The analysis discussed should not be taken as an indication or guarantee of any future performance, analysis, forecast or prediction. The information contained in this recording is not for reproduction in whole or in part without prior written permission from MSCI ESG Research. Issuers mentioned or included in any MSCI ESG Research materials may include MSCI Inc., clients of MSCI or suppliers to MSCI and may also purchase research or other products or services from MSCI ESG Research. MSCI ESG Research materials, including materials utilized in any MSCI ESG indexes or other products, have not been submitted to nor received approval from the United States Securities and Exchange Commission or any other regulatory body. The information provided here is as is and the user of the information assumes the entire risk of any use it may make or permit to be made of the information. Thank you.