There’s a threat to cyber defence buried deep enough in the insurance industry to go generally unnoticed. Reinsurance – colloquially ‘insurance for insurance companies’ – has become increasingly disjointed from the underlying insurance market. Among the structural challenges in the reinsurance market, that ultimately compromise part of companies’ holistic cyber defence strategies is the increased concentration of capital among only a few reinsurers. The insurance industry’s over-reliance on reinsurance is worsened by the fact that they’re really over-relying primarily on four companies. Without broader access to reinsurance capacity or a vast change in how insurers allocate capital, the insurance portion of cyber defence will likely become further constrained in the near future.
The kink in the hose
Over the past year, the concentration of affirmative cyber reinsurance premiums among the top four reinsurers, in the sector has increased rather significantly, despite a real lack of industry-wide growth. As insurers and their end customers struggle to find sufficient capacity to meet increasing demand for cyber insurance protection, the dynamics in the reinsurance community shows a kink in the hose through which capital flows. Unless the industry is able to find a way to loosen that kink, cyber insurance growth will remain severely constrained, creating economic vulnerabilities that could have profound implications for the defence community.
The current situation follows several years of impressive growth. That trajectory seems to have stalled, though, with the sector stuck for more than a year at roughly $5 billion in global premium, according to client sources of PCS, the team I lead at Verisk. Meanwhile, cyber reinsurance premium ticked a few hundred million dollars higher from 2020 to 2021, ultimately landing at around $2.5 billion this year. Insurers yield roughly 50 per cent of the business they write to reinsurers, according to several of our clients, which reveals the market’s vexing problem. Insurers rely very heavily on reinsurance support in cyber, and as a result, growing reinsurance capacity has become the most important lever in expanding the underlying insurance market. To do so on their own, insurers would have to change fundamentally, their cyber-related risk and capital management strategy.
Such a change doesn’t seem to be coming anytime soon, though. At the insurer level, there’s little appetite to allocate more capital to cyber. While it would be easy to attribute that development to the proliferation of ransomware, indicators of appetite limitations were evident before the rapid onset of that relatively new threat. Risk management has remained heavily centered on limiting the amount of capital put at risk and keeping an eye on exposure to single risks and certain accumulations. Crudely, you could call the strategy “don’t bet more than you can afford to lose, net of reinsurance,” although that would be a bit cynical even for me. The truth, though, is that insurers have focused on limiting downside protection and maximising reinsurance support. Given how new the sector is and the lack of historical insurance data, it’s a sensible approach.
Tightening the knot
While some remain sceptical, many cyber reinsurance underwriters have welcomed the deal flow from insurers. They see increasing rates on both original insurance and reinsurance as an opportunity to support profitable growth. However, the broader organisations that house cyber reinsurance underwriters have tended to be a bit more cautious. They’ve generally managed cyber reinsurance underwriter activity by limiting capital allocation, with such decisions often coming from the executive level.
Some larger reinsurers have allowed for annual growth, particularly given the rising reinsurance rate environment. Their expansion, though, has been at least somewhat offset by changes among their smaller peers. Some have exited the sector, while others have used increasing rates to reduce their overall positions in cyber. As a result, the four largest reinsurers have gained a much greater share of a market that’s not growing as fast as it once did.
Structurally, increased concentration risk for the sector could strangle future growth. The kink in the capital hose tightens without a way for reinsurers to access fresh capacity. And absent further allocations from their companies, they need access to a reliable market for retrocession (the practice by which reinsurers lay off risk to other reinsurers). It’s difficult to bring in enough new capital to satisfy pent-up retrocession demand given the size and concentration of the largest cyber reinsurers, making concentration risk one of the greatest impediments to this sort of risk transfer.
The four largest reinsurers of affirmative cyber represent close to 80 per cent of the total market. That’s up from an already high 60 per cent a year ago. Furthermore, the fourth and fifth largest reinsurers in the space exacerbate the problem, bringing the concentration level close to 90 per cent. For the purposes of risk transfer, the fact that so few companies make up so much of the premium share means that it’s harder for them to lay off risk with each other, because assuming risk from a large peer could significantly increase one’s own concentrations of the underlying risk. The rest of the market can’t provide much support, because they can’t marshal enough capital to put a dent in the needs of the larger players. What follows is a logjam of capital that affects every player in the market.
Loosening the kink
The economic implications of the kink in the reinsurance hose ultimately links to the consequences for defence. Reinsurance is a form of risk transfer, and risk that isn’t transferred is, of course, retained. Yes, that statement’s pretty obvious, but still bears mentioning. When a company retains risk, that means that a loss event – in this case, a cyber attack – hits its balance sheet. Shareholders bear the burden, with knock-on effects for employees, households, and other interrelated economic factors.
Unhedged exposure to outside threats in general, and cyber in particular, creates a defence need. Attacking commerce and industry by cyber means can be more effective than pursuing government targets as a strategy for a wide range of reasons, including states, individuals and organisations accommodated by states, and even unaffiliated and unaccommodated players. In addition to impacting the morale and behaviour of the community, unhedged cyber exposure, when exploited, can create political, social, and economic instability without the cost, commitment, and risk of retribution associated with traditional warfare or even other non-cyber asymmetric alternatives. Hedged (or generally transferred) cyber risk thus becomes a way not just for businesses to protect themselves, but rather a societal phenomenon that can increase the economic resilience of a nation (or other economic unit). And unhedged targets are likely to have far wider consequences.
Clearly, support for an orderly risk transfer market is of commercial value. The London market has demonstrated this for more than three centuries. Yet, that’s really just the first component of a holistic view of market and national security, in which a lack of economic protection can affect the very safety of the population that comprises a market – and that’s an expanding population in today’s increasingly economically interdependent world. Consequently, access to cyber insurance (and thus reinsurance) could be of strategic significance worldwide, given the influence that large business risks can have on economic and security considerations. A mechanism for releasing the flow of reinsurance capital could be as important as most other defensive cyber strategic measures.
Tom Johansmeyer is in the MA in Global Diplomacy programme at SOAS, with keen interests in cyber, political violence, and natural disasters. By day, he leads PCS, a Verisk business, which provides insurance industry data on major loss events, from cyber attacks to hurricanes. Based in Bermuda, Tom is also an avid cyclist and swimmer who hasn’t driven anything with a motor since 2007.