retail and healthcare sectors, including big names such as Target, UPS
and Anthem. There is reportedly a wave of cyber-related litigation
Concurrently, there is a relative lack of data required to
produce a robust, well-balanced, competitively priced insurance
product. Hackers and cyber criminals are ever more advanced and
unpredictable in their attacks and, unlike nat cat, cyber knows no
It is not seasonal. Cyber losses do not lose force when they make
landfall. They cannot be extinguished as a wildfire might be. Pricing
is decreasing and cyber losses are arguably not uncorrelated from the
financial markets, thus removing the investment motivation.
Research undertaken by the Institute of Insurance Economics found
that in 2018 global annual losses from cyber risk were $600 billion
with only $6 billion insured, but it is fair to say that an uncontrolled
and undisciplined collaboration between cyber insurance and ILS
could result in catastrophic cyber insurance losses and at the same
time scare off the third party capital providers that are so vital to
the growth of the insurance industry. It cannot be long until we
see a cyber cat bond—but an ultra-prudent underwriting approach
is a must.
With the opportunities created by advances in technology come
certain challenges. Two such challenges are in the areas of cryptoasset
enforcement and intangible asset valuation.
The BMA introduced the Digital Assets Business Act 2018 (DABA),
which provides for the licensing and supervision of digital assets—
cryptocurrencies—business activities in Bermuda, and the Companies
and Limited Liability Company (Initial Coin Offering) Amendment
Act 2018 (the ICO Act), which amends the Bermuda companies
legislation to create a framework for the regulation of ICOs, more
broadly now referred to as tokens.
While the legislative regime in Bermuda for DABA and ICO
entities is robust, there are challenges ahead when things do not go
according to plan. Not only are cryptoassets difficult to insure but it
is well publicised that the Securities and Exchange Commission in the
US, the Financial Conduct Authority in the UK and the Monetary
Authority of Singapore have all taken enforcement action against
cryptoasset entities in a variety of perimeter issues (ie, performing
They also include notification costs, a head of damage caused by
legislation such as the California Security Breach and Information Act
2003, which requires Californian businesses to notify affected parties of
unauthorised cyber breaches resulting in a loss of personal data.
Third party coverage
Common third party liability coverages indemnify for damages and
defence costs arising from third party claims caused by data breaches
from network security, distribution of private data arising from such
data breaches, electronic media defamation and invasion of privacy,
funds fraud, and cyber terrorism.
The marriage of cyber and ILS
Would third party capital and cyber insurance make a good union?
Demand for cyber insurance is increasing, while third party capital
provides a resilient platform from which the insurance industry can
increase efficiency and grow in size, scope and geography.
However, ILS makes sense in the natural catastrophe class because
investors are attracted to the diversified returns, uncorrelated to the
shocks of financial markets, that nat cat events offer.
Those events are geographically confined and there is a wealth of
historical weather and catastrophe data to work with. In addition,
natural disasters are seasonal (although it remains to be seen what
increasing impact climate change will have on the nat cat high
severity/low frequency model) and therefore somewhat predictable.
Can the same be said of cyber? Cyber insurers have already
been struck by waves of losses caused by data breaches in the US
“It cannot be long until we see a cyber
cat bond—but an ultra-prudent
underwriting approach is a must.”
SHUTTERSTOCK / ANEES ALANGADAN