The CybEx mutual: Three hurdles to overcome
In true hard markets, when there is not a scrap of capacity to be found for a given type of risk, new mutuals can play an important role in securing the coverage clients are crying out for.
Therefore, as capacity returns and prices fall in cyber, it feels like an odd time for a new cyber mutual to be in the works.
Sources confirmed to this publication that Tony Ursano’s Insurance Advisory Partners (IAP) is working with Chubb and Goldman Sachs to form a mutual insurer for cyber risk, exclusively for Fortune 1000 companies.
CybEx would provide capacity in the high excess layers, attaching at the $250mn mark and providing from $100mn to $250mn of limit – depending on what the members of the mutual decide.
Entry will require an upfront payment of $13.5mn to capitalize the pool, and it is understood that IAP is targeting 100 firms to join – which would provide an equity base of $1.35bn. It is understood that work is already underway to get Fortune 1000 companies signed up.
Chubb will take fees for assisting the mutual with elements such as underwriting, claims and reinsurance buying, although the sums here are understood to be modest.
Credit has to go to Ursano and the team for the creativity and the boldness of setting up a new piece of infrastructure to bring bigger limits to the maturing cyber market. And certainly with blue chip names like Chubb and Goldman Sachs in tow, it has given itself the best chance of success.
But at a point when cyber rates are falling, and capacity is most plentiful in the high excess layers, the mutual plans have the wider cyber market somewhat perplexed.
Here are three hurdles CybEx faces if it is to launch successfully.
1. Is CybEx a solution looking for a problem?
In the maturity curve of insurance products, cyber is still in its adolescence. Currently, very few insureds buy in excess of $250mn – and brokers suggest that the wider demand simply isn’t there for that level of tail-end protection.
Note that MGM Resorts International went on record to say it felt its insurance coverage was “sufficient” following a cyberattack in September. Its cyber placement is understood to provide $200mn of limit.
Some observers speculated that if the mutual chose to offer cover for property damage as the result of a cyberattack, those sort of attachment points and limits could make sense.
Equally, it could be argued that no insured would think twice about buying BI limits as high as this on their property program – and cyber risk certainly carries that BI severity potential.
Parallels have been drawn with the excess casualty market of the mid-1980s, which saw a mass retrenchment of the general liability market amid runaway loss cost inflation. Brokers were unable to find any capacity in the space, full stop – and insureds were left holding risk net. This led to the formation of XL and Ace as policyholder-led mutuals to address the demand for cover.
However, this is a wholly different market. Sources indicate that carrier appetite for cyber risk is growing, particularly in excess layers – and there is no capacity constraint as it stands.
It is true that for the cyber market to be sustainable and relevant long term, providing big limits similar to that seen in property (and getting the reinsurance support for those limits) will be an important piece of the puzzle. CybEx is in part trying to stimulate that demand at those higher attachment points.
However, it is not clear that clients themselves are looking for that level of coverage right now – despite the huge economic losses which can theoretically be generated as the result of a large-scale cyberattack.
Convincing clients of the value of extreme tail coverage for cyber is imperative for that step-change in the maturity of the market to happen.
2. CybEx appears expensive
Sources told this publication that the pricing being ventured for CybEx coverage is around the 2%-2.5% rate-on-line mark. This compares to the more typical 1%-1.5% available for this high excess cover in the open market.
It’s worth noting that the board of the mutual will determine the pricing, with Chubb on hand to provide underwriting expertise to aid that decision.
It’s not clear how the mutual’s pricing will eventually track alongside the wider market. But with excess layers typically the most competitive on price and coverage, and rate declines in cyber market showing no signs of slowing, it is hard to see how there are not more compelling options out there for large companies.
Notably, the $1bn xs $1bn limit Berkshire Hathaway offered at the height of the cyber hard market was not taken up – although this was priced at a Berkshire-style 15% rate on line at the time.
Additionally taking the $13.5mn down payment into account, on the surface this looks like an expensive risk transfer mechanism for high-end excess coverage.
The significant expense upfront also points to the likelihood that CybEx will eventually convert to a stock company in order to provide liquidity and a return on initial investment to its members.
3. The question of aggregation
The inherent aggregation risk within cyber is well documented, as have been the various attempts by carriers to get a handle on it.
Cyber is more often than not written as part of a diversified portfolio – a small but potentially volatile part of a wider book which carries other, non-correlating risks. And even then, reinsurers are wary of the claims accumulation potential at a given cedant.
Monoline balance sheet start-ups have been slow to gain traction. Cyber reinsurance start-up Cyber Re, which started fundraising in mid 2022, is yet to launch despite the clear need for fresh capital in the cyber reinsurance space.
CybEx will carry that same concentration challenge. It will be down to IAP to build diversification within the mutual through the make-up of the members themselves to combat that – this structure will not work if its members are solely (or majority) tech firms, for example.
It’s arguable that for these Fortune 1000 companies, the alternative for this tail risk is to host it in a captive – which would in theory hold greater concentration risk – or just continue to run it net.
A glance at the financial metrics of some of the smallest of the Fortune 1000 suggest that many of the companies in the wider cohort may believe they are resilient enough to withstand the financial consequences of a cyberattack.
But for CybEx to be successful, all its members will need to be convinced of their fellow parties’ cyber hygiene and risk controls.
All in all, this is a bold innovation in a market which eventually needs to be able to offer big limits if it is to remain relevant for the long term.
CybEx is forcing that change, and, if successful, will prove that there is demand out there for that extreme tail-risk coverage which parallels that of the property market.
However, there are hard yards to go ahead of its launch. And the cyber market will be watching with interest.