Improvements needed for cyber ILS to fulfil potential

Reuters
03-22

By Michael Loney

March 21 - (The Insurer) - Rating agencies AM Best and S&P Global Ratings both expect further growth for cyber cat bonds in 2025, but warn that the lack of standardisation in policies may hinder development.

In a report released on March 17, AM Best highlighted additional activity during 2024 to build out the nascent cyber ILS market.

This includes Beazley issuing two more iterations of its PoleStar Re bonds for a total of $370 million, bringing the outstanding size of the 144A cyber cat bond market to nearly $800 million at year-end 2024.

Beazley last year also obtained $290 million of coverage through a cyber industry loss warranty.

“The outstanding cyber cat bonds appear to have emerged unscathed from the CrowdStrike incident, which serves as a useful point of discussion to home in on precisely which exposures are covered and, in this case, to what extent accidental, non-malicious cyber incidents are covered,” the report said.

AM Best also highlighted that coverage terms are still being refined to narrow the scope of coverage.

“To that end, clear definitions and contract wording will be crucial,” the report said. “With improved modelling and understanding of potential cyber loss scenarios, further deals are expected, and the cyber catastrophe bond market is expected to grow in 2025 and beyond.

“Fuelling this growth is the demand for cyber solutions that is expected to grow as the cyber peril is of increasing concern to businesses globally.”

Rival rating agency S&P issued a report the same day outlining the potential for greater growth in the cyber ILS market.

S&P said that this comes against the backdrop of rising cyber insurance demand. The rating agency estimated that global premiums reached $14 billion in 2023 and expects them to rise by an average of 15% to 20% per year to $23 billion by the end of 2026.

“The cyber ILS market is growing rapidly,” the S&P report said. “Depending on the continued growth in this market, cyber ILS issuances could surpass issuances in the well-established natural catastrophe ILS market (approximately $50 billion outstanding) within the next 10 years.”

However, like AM Best, the S&P report warned about the lack of standardised policy terms in the cyber ILS market.

“Several issues may constrain growth, including the lack of standardisation in policy terms, limited investor education, and the lack of clarity surrounding the underlying drivers of risk,” it said.

S&P believes that clear definitions of covered events, triggers and precise loss calculation methods “would help avoid confusion and ensure consistency”.

One example is that loss determination periods may be based on the reporting period, involve waiting periods, or involve a time limit.

Another source of ambiguity is that losses, and how they are aggregated when they are linked to the definition of the “event”, may vary widely among different policies or be loosely defined.

“This ambiguity could call into question the extent of loss and the ultimate loss payout, which can hurt the credit quality of the bonds,” the report said.

TEN ILS ISSUANCES FROM FIVE CEDANTS SO FAR

Since January 2023, there have been 10 cyber ILS issuances from five cedants totalling more than $800 million. S&P said that coupon rates to investors are 9.5% to 13.25%, reflecting the potentially higher risks of these bonds.

Eight of the 10 issuances have used indemnity triggers, one an industry loss index, and one a parametric trigger.

“Unlike other catastrophe bonds, cyber attacks are caused by threat actors with nefarious motivations, and involve models capable of accounting for complex human behavior,” the S&P report said.

Natural catastrophe risks have been modelled for several decades and are reasonably well understood. In contrast, cyber risks are less well understood and are rapidly evolving, which S&P said leads to greater uncertainty in pricing and exposure limits.

“The average exposure limit for outstanding cyber cat bonds is around $110 million, compared with $168 million for natural catastrophe bonds. Additionally, cyber events carry a higher risk of contagion and correlated losses,” the report said.

S&P added that a cyber bond's contract may specify the reporting window for cyber events and loss claims, which may significantly affect what losses will be covered.

“Research indicates that approximately 35% of cyber losses are reported in the first three months following the event, 75% in the first year, and over 90% within two years,” the report said. “Confirming a cyber event occurrence may require independent reviews, especially in cases involving nation-states.”

The rating agency said that the investor base for cyber ILS is still relatively limited, with few lead investors participating in each transaction.

While attracted by compelling returns, most investors have taken small allocations but generally do not view these investments as a primary means of diversifying risk, given the possibility of write-offs, S&P said.

In addition, investors could find their collateral locked up for extended periods because cyber loss claims can be slow to fully develop after the incident is reported. This may make it difficult for investors to redeploy capital.

“Considering these factors, cyber ILS investors appear to be primarily interested in transactions related to extreme (but remote) cyber risks structured as per-occurrence excess-of-loss coverage, rather than providing coverage for attritional losses related to smaller cyber incidents,” the S&P report said.

“A transaction based on frequency, rather than severity, may not offer the risk/return benefit to their portfolios,” it added.

S&P outlined a number of concerns for cyber ILS market growth, including the potential for positive correlation between cyber losses and capital market volatility, silent cyber losses, large accumulation risk, cyberattack contagion, the dynamic nature of cyber risk, and the limited historical loss data to assess these risks.

The rating agency suggested that to enhance stakeholder participation (re)insurers may have to focus on standardising policy terms; simplifying language to avoid legal jargon; improving the modelling and quantification of cyber risks; dispelling misconceptions about what is covered; increasing transparency regarding the attribution of cyber incidents; and providing granular coverage that aligns with investor risk preferences.

S&P said an example of a common misconception about coverage is that cyber insurance would always pay out if there is a cyberattack on critical national infrastructure, when in fact most policies exclude such incidents, as well as events caused by nation-states or those acting on behalf of a nation-state.

“While recent high-profile incidents have remained manageable, they underscore the challenges in predicting loss frequency and severity given the many factors that can affect the duration of IT outages, spillover effects, and liability exposure,” the report said. “They also highlight the need for ongoing innovation in the cyber ILS market.”
