The All Risk Cyber (ARC) Challenge report from Lockton Re argues that cyber reinsurance products should be divided into distinct first and third-party risks, as well as systemic risks.
The report said that that splitting cyber perils "will enable more effective risk transfer to reinsurers, and further down the value chain (retro/ILS) capacity in a more targeted and scalable fashion."
Patrick Bousfield, senior broker and chair of the Lockton Cyber Centre, Lockton Re, said that currently cyber reinsurance products were offering “three for the price of one” and that splitting up coverages could have a “transformational effect” on capacity.
He added: "The current market suffers from a finite supply of reinsurance capacity and a key reason for this is the divergence of appetite between reinsurers comfortable with short tail (first party) and long tail (third party) risks.”
Lockton Re described reinsurers' current strategy of dealing with current cyber policies as "a game of whack-a-mole with ever evolving cyber perils creeping up, and old ones coming back to haunt loss development."
Many insurers are heavily reliant on quota share reinsurance, but reinsurance capacity is limited due to concerns about the potential aggregation risk they face.
The division of coverage could extract third party liability emanating from cyber insurance policies out of cyber reinsurance treaties in order to place it with casualty or liability focused reinsurance products.
Cedants could continue to purchase cyber standalone treaties on the first party and catastrophe specific exposures. First-party claims include data breach response, business interruption or cloud outage.
Oliver Brew, London cyber practice leader at Lockton Re, said “Separating first party cyber reinsurance where possible can increase participation, making it easier to build new capacity aligned with varied reinsurance appetites.”
The report says that the separation of first- and third-party risk would allow clients to utilise two pools of intellectual knowledge and capacity amongst reinsurers.
It could also help to bring in ILS capacity looking for shorter-term exits than long-tail exposure would permit, Bousfield added.
The report also notes that the use of exclusionary language is intended to limit the market’s exposure to unmanageable catastrophic risk: firstly, critical infrastructure and secondly, war.
Bousfield described the focus on cyber war wordings to minimize aggregation risk as a case of “looking at the symptom not the disease".
Lockton Re says that there is an evolving category of cyber catastrophe insurance product, which specifically addresses systemic risks.
Like for physical property catastrophe risk, this makes it easier for reinsurers to accept specific types of catastrophe risk, within understandable parameters.
He explained that cyber cat exposure – which would scoop up war events - is highly likely to come from first-party claims, and could be carved out from this coverage by using specific event loss triggers, for example.
The report concludes by highlighting the importance of capturing risk data in a "more accurate manner that is better aligned to separate perils".
