Articles - The Role of Cyber Catastrophe Bonds

 By Daniel Sacks, Analyst at Lane Clark & Peacock 
  

 Put simply, cat bonds are a form of insurance-linked security (ILS) that creates risk-linked securities that transfer specific risks from insurers (or other entities) to capital market investors. Therefore, a cyber catastrophe bond covers the risk of a cyber catastrophe. For more on insurance-linked securities, see our previous blog here.

 
 Cyber catastrophe bonds are relatively new to the ILS market, having been issued for the first time in 2023. Insurers including Beazley, Hannover Re, Chubb, Swiss Re, and AXIS Capital have collectively issued around $900 million in cyber catastrophe bonds(1).

  

 Why are they important for the economy ?
 Cyber catastrophe bonds are becoming increasingly important, given the growing frequency and severity of cyber-attacks. Ninety per cent of all organisations are undertaking some digital transformation(2), which increases the interconnectedness of systems worldwide. This makes them more prone to cyber-attacks targeting their systems. Despite investments in cyber resilience, the risks don’t seem to be getting any smaller. Cyber-attacks have cost British businesses $55 billion in lost revenue over the last five years, or 1.9% of revenue on average(4). There is also an increasing trend in losses; claim sizes grew 17%, and large claim frequency grew 14% in 2024H1(5). The knock-on effect has been double if not triple-digit percentage increases in average premiums over recent years.

  

 The increase in high severity claims has become more prevalent with the rise in state -sponsored cyber-attacks (6). Some see the insurance market as being so tough that cyber-attacks will soon become uninsurable(7).Therefore, the growth in cyber catastrophe bonds provides a helpful source of additional capacity.

  

 What are the challenges with cyber catastrophe bonds?
 One problem with cyber cat bonds is the potentially high degree of correlation between losses, because of global digital interconnectedness. Cyber-attacks on a system rather than an individual company can lead to accumulations of losses worldwide, causing payouts on multiple cyber catastrophe bonds simultaneously.

  

 Unlike natural catastrophe bonds, there are no real geographic bounds in the digital world, meaning that, if a portfolio is too heavily invested in this market, the total capital at risk and the likelihood of a significant loss in value becomes ever more likely. This is the view that some investors, are taking(8).

  

 In our view, the trend of direct insurers ceding cyber risk through ILS is beneficial for the market . The complexity of cyber catastrophe bonds necessitates clear and transparent risk modelling, which can become difficult the further from the risk a cedant is. A greater understanding of underlying risks also allows an investor to diversify their portfolio of cyber catastrophe bonds better to reduce cross-contamination, especially from single-point-of-failure attacks.

  

 CyberCube, a cyber risk modeller, published a detailed analysis into the correlations between selected cyber catastrophe bonds. Their modelling suggested that the conditional correlation between each pair of bonds (for losses to principal) ranged from 0.25 to 0.54(9). This means that, should part of the principal be lost on a cyber bond, other bonds are more likely to also lose some of their principal. The correlation is higher still if one cyber cat bond loses all of its principal. The correlations were lower for peril-specific bonds (eg for bonds just covering outages).

  

 What next?
 The market for cyber cat bonds was still rather small compared to over $15 billion in gross written premiums for cyber insurance in 2024 (3), leaving plenty of room for growth.

  

 In some ways, the cyber catastrophe bond market currently mimics the early stages of its older sibling, natural catastrophe bonds, whereby coverage is for a broad range of risks under a single umbrella rather than specific perils, like outages or malware attacks. There has been some shift to the latter with the Cumulus Re 2024 cloud outage cyber cat bonds from Hannover Re. Together, it seems that the market is heading in a strong direction of growth in policies and premiums, and technical developments in modelling and specified perils, which is much needed to facilitate continued digital transformation.