Key Takeaways
- Cyber insurance demand is rising--prompting the potential for greater growth in the cyber insurance-linked securities (ILS) market.
- Several issues may constrain growth, including the lack of standardization in policy terms, limited investor education, and the lack of clarity surrounding the underlying drivers of risk.
- Evaluating the creditworthiness of cyber ILS requires a multifaceted approach, including a focus on regulatory risk, policy terms and conditions, and modeling requirements.
As the cyber insurance-linked securities (cyber ILS) market continues to grow, assessing the creditworthiness and risks associated with these innovative financial instruments is becoming increasingly important. In S&P Global Ratings' view, the main factors that may affect the credit quality of cyber ILS transactions are regulatory risk, policy terms and conditions, cedent risk, asset risk/collateral, and modeling requirements.
Cyber insurance demand continues to grow, with premiums reaching approximately $14 billion in 2023 and likely to rise by an average 15%-20% per year to about $23 billion by the end of 2026. As companies realize the importance of their digital assets, processes, and sensitive information, they're looking to insurers for cyber risk protection and risk management-related services. These services include crisis management, data recovery, and legal and regulatory communications.
The insurance industry has been improving its understanding and pricing of everyday attritional cyber losses, but the frequency of events and resulting losses continue to rise. This has led the sector to seek additional capacity to provide coverage in this area.
More recently, cyber catastrophe bonds have emerged as an alternative tool for (re)insurers to build capacity, effectively transferring a quotient of the risk from traditional cyber risk underwriters to investors. These bonds tap into the capital markets, offering access to a broader and more scalable investor base.
The industry still faces the challenge of modeling systemic risk--such as coordinated ransomware attacks or widespread malware that could simultaneously affect multiple businesses and regions. Because of the complexity of these risks, including potential contagion and adaptation by threat actors, few model providers are capable of modeling them, and the models that exist are highly complex.
Along with the key considerations that may affect cyber ILS creditworthiness, we explore here the uncertainties in cyber risk modeling, given the evolving nature of cyber threats and data limitations. Understanding these factors is critical for investors and market participants to gauge the resilience and reliability of cyber ILS structures amid increasingly complex risks.
What Are Cyber Catastrophe Bonds?
Cyber catastrophe bonds, or cyber insurance-linked securitizations (cyber ILS), offer insurers and reinsurers a way to transfer the financial impact of severe cyber incidents to capital markets, helping them manage escalating risks in an interconnected digital world.
Cyber ILS address risks associated with large-scale cyber attacks, such as ransomware outbreaks, cloud outages, data breaches, or systemic disruptions caused by malicious activities. Unlike natural disaster risks, which are physical and geographically bound, cyber risks are digital, man-made, and often global in reach, making them more difficult to model and predict.
Chart 1
The cyber ILS structure acts as the reinsurer of the insurance entity, which then issues bonds, the funds for which serve as loss-absorbing capital and provide the insurer additional protection against potential losses. The principal balance of the security is typically written down, and future interest payments are forgone if losses from events exceed a threshold, or attachment point.
Unlike the perils behind other catastrophe bonds, cyber attacks are caused by threat actors with nefarious motivations, so the models must be capable of accounting for complex human behavior.
The conditions that prompt a write-down are typically determined by indemnity triggers (based on losses exceeding a certain dollar amount) or parametric/index triggers (based on agreed upon criteria). Unlike traditional reinsurance, these bonds tap into the capital markets, offering access to a broader and more scalable market with the potential for lower counterparty risk.
Overview Of The Cyber ILS Market
The cyber ILS market is growing rapidly. Depending on the continued growth in this market, cyber ILS issuances could surpass issuances in the well-established natural catastrophe ILS market (approximately $50 billion outstanding) within the next 10 years.
Since January 2023, there have been 10 cyber ILS issuances from five cedents totaling over $800 million. The largest issuance was $210 million (see table 1). Coupon rates to investors are 9.5%-13.25%, reflecting the potentially higher risks of these bonds.
Table 1
Cyber cat bond issuance (since Jan. 1, 2023)

Issuer | Cedent | Risks/perils covered | Size (mil. $) | Date
---|---|---|---|---
PoleStar Re Ltd. (Series 2024-3) | Beazley | Cyber risks | 210 | September 2024
PoleStar Re Ltd. (Series 2024-2) | Beazley | Cyber risks | 160 | May 2024
Cumulus Re (Series 2024-1) | Hannover Re | Cloud outage | 13.75 | April 2024
East Lane Re VII Ltd. (Series 2024-1) | Chubb | Cyber risks | 150 | December 2023
Matterhorn Re Ltd. (Series 2023-1) | Swiss Re | Cyber risks | 50 | December 2023
PoleStar Re Ltd. (Series 2024-1) | Beazley | Cyber risks | 140 | December 2023
Long Walk Reinsurance Ltd. (Series 2024-1) | AXIS Capital | Cyber risks | 75 | November 2023
Beazley cyber cat bond (Cairney III) | Beazley | Cyber risks | 16.5 | September 2023
Beazley cyber cat bond (Cairney II) | Beazley | Cyber risks | 20 | May 2023
Beazley cyber cat bond (Cairney) | Beazley | Cyber risks | 45 | January 2023

Source: Artemis.bm.
Investor interest in cyber ILS
The investor base for cyber ILS is still relatively limited, with few lead investors participating in each transaction. Attracted by compelling returns, most investors have taken small allocations but generally do not view these investments as a primary means of diversifying risk, given the possibility of write-offs.
In addition, investors could find their collateral locked up for extended periods since cyber loss claims can be slow to fully develop after the incident is reported, which may make it difficult for investors to redeploy capital. Considering these factors, cyber ILS investors appear to be primarily interested in transactions related to extreme (but remote) cyber risks structured as per-occurrence excess-of-loss coverage, rather than providing coverage for attritional losses related to smaller cyber incidents. A transaction based on frequency, rather than severity, may not offer the risk/return benefit to their portfolios.
Key concerns for cyber ILS market growth
Stakeholders in the cyber ILS market are concerned about the potential for positive correlation between cyber losses and capital market volatility, silent cyber losses, large accumulation risk, cyber attack contagion, the dynamic nature of cyber risk, and the limited historical loss data to assess these risks.
Some of the elements that (re)insurers may have to focus on to enhance stakeholder participation include:
- Standardizing policy terms;
- Simplifying language to avoid legal jargon;
- Improving the modeling and quantification of cyber risks;
- Dispelling misconceptions about what is covered. For example, a common misconception is that cyber insurance would always pay out if there is a cyber attack on critical national infrastructure when, in fact, most policies exclude such incidents and events caused by nation-states, or those acting on behalf of a nation-state;
- Increasing transparency regarding the attribution of cyber incidents (i.e., underlying actors and their connections); and
- Providing granular coverage that aligns with investor risk preferences (e.g., differentiating between cyber-related perils, or between attritional and catastrophic cyber losses).
While recent high-profile incidents have remained manageable, they underscore the challenges in predicting loss frequency and severity given the many factors that can affect the duration of IT outages, spillover effects, and liability exposure. They also highlight the need for ongoing innovation in the cyber ILS market.
Differences between cyber ILS and natural catastrophe ILS
Cyber ILS structures are generally modeled in the industry similarly to traditional natural catastrophe structures. Specifically, the structures involve transferring risk from insurers to the capital markets through collateralized reinsurance contracts via a special purpose vehicle.
Both cyber and natural catastrophe bonds are issued with agreed attachment points, where payments are made based on specified trigger points if the threshold is exceeded. Both types of bonds use models to estimate expected losses and determine the issuance spread.
Most notably, the primary risks differ significantly. Cyber risks involve losses from events like ransomware, denial of service, cloud outage, and business interruption, while natural catastrophe risks relate to weather-related and other natural events. Notwithstanding the impact of climate change, natural catastrophe risks have been modeled for several decades and are reasonably well understood. On the contrary, cyber risks are less well understood and are rapidly evolving, leading to greater uncertainty in pricing and exposure limits.
The average exposure limit for outstanding cyber cat bonds is around $110 million, compared with $168 million for natural catastrophe bonds. Additionally, cyber events carry a higher risk of contagion and correlated losses.
Evaluating The Creditworthiness Of Cyber ILS
Regulatory risk
The regulatory landscape for cyber risks is evolving, with significant variations across jurisdictions. For instance, while ransom payments may not be illegal in many countries, payments to sanctioned organizations, such as terrorist groups, are typically prohibited.
States like North Carolina and Florida have specific bans on ransomware payments, highlighting the need for clear policy terminology regarding loss causes and measurements. As regulations continue to shift, the interaction between the policy terminology and modeling becomes increasingly important.
This potential evolution may highlight ambiguities in potential loss payouts, calling into question the modeled results and, ultimately, the creditworthiness of the securities.
Policy terms and conditions
We view the lack of standardized policy terms at the cyber ILS level as a credit risk factor. Clear definitions of covered events, triggers, and precise loss calculation methods would help avoid confusion and ensure consistency. For example, loss determination periods, which define the period during which losses may be reported and covered, may be based on the reporting period, involve waiting periods, or involve a time limit.
In addition, losses and how they are aggregated can be a source of ambiguity if they are linked to the definition of the "event," which may vary widely among different policies or be loosely defined. This ambiguity could call into question the extent of loss and the ultimate loss payout, which can hurt the credit quality of the bonds.
This may be compounded if the cyber event is not discovered until some time has passed--for example, malware that infiltrates a system but isn't discovered for months.
Cedent risk
Cyber ILS are reliant on the cedent's underwriting guidelines and principles, as well as on the data the cedents provide to assess risk. Data quality and completeness are a key component of the risk assessment. Claim payouts may also depend on cedent claim handling and reserving processes.
A heterogeneous portfolio of cyber policies doesn't necessarily present additional credit risk because the terms and conditions of the reinsurance agreement provide the construct of the payout, regardless of the policy coverages of the underlying portfolio. Nevertheless, it may present underwriting quality risk, with additional modeling and assumptions that could increase uncertainty regarding modeled outcomes.
Equally, cyber bond terms differing from underlying insurance coverage is not necessarily a stopping point in considering cyber risk. However, differing definitions regarding what may constitute an event may create ambiguity.
Asset risk/collateral
Scheduled payments on the ILS are dependent on cash flows from collateral and premium payments. As a result, asset volatility and devaluation can heighten default risk.
Evaluating collateral arrangements--such as total return swaps and repurchase agreements--and counterparties as part of a weak-link analysis would assess the elements presenting the greatest risk of default. In addition, evaluating the ILS structure would help ensure clarity in obligations and payment requirements.
Modeling Considerations For Cyber ILS
Importance of model evaluation
In our view, a modeling framework to assess associated risks is essential for understanding a bond's creditworthiness and the likelihood of triggering payouts. However, there is not yet an industry standard on what modeling framework to use or how to make or communicate model changes. Modeling in the cyber ILS space is currently driven by third-party providers.
The technical aspects of the cyber ILS models, and their ability to accurately quantify the loss impact from catastrophic cyber events, are key considerations in determining loss probabilities and, therefore, the risk of default. The methodology and assumptions third-party models use determine how well the risk of loss and the ultimate payout for bondholders can be quantified. If a model underestimates the impact of a covered cyber event, it may also underestimate the likelihood of payout.
Trigger types
The conditions that prompt a write-down are typically determined by indemnity triggers or parametric/index triggers (see table 2):
- An indemnity-type trigger ensures that the bond will pay out when the insurance company's actual losses reach the bond's attachment point.
- A parametric trigger establishes the parameters by which the bond would pay out. These parameters could, as in the case of the Cumulus Re 2024-1 issuance, be based on the interruption of cloud services in certain U.S. regions by named cloud service providers that exceed the specified time period.
- An index trigger pays out based on an index reaching a predetermined level, such as a specific amount of losses incurred by an industry.
To date, eight of 10 market issuances have used indemnity triggers, one an industry loss index, and one a parametric trigger.
Table 2
Trigger type | Basis for payout
---|---
Indemnity | Based on actual incurred losses by cedents. Widely used in natural catastrophe bonds, this is the primary trigger currently being used in cyber ILS.
Parametric | Based on parameters defined in the policy, such as the occurrence of an event combined with exceedance of a specific level of losses experienced from the event. Currently only one cyber ILS issuance uses a parametric trigger based on cloud outage and the period of interruption (Cumulus Re/Hannover Re).
Index | Based on an index, typically industry wide (e.g., Matterhorn Ltd./Swiss Re – cyber industry insured loss from Perils AG).
Modeled loss | Based on loss as modeled: once an event has happened, its actual parameters are used to model the loss. Used for natural catastrophe bonds, where post-event models perform well at replicating the loss from the parameters. This trigger has not yet been used for cyber ILS.
Attachment points, probabilities, and timing of loss claims
The attachment point, or the threshold loss at which the bond begins to pay out to the insured, is a key factor in evaluating the creditworthiness of ILS. If losses fall below this point, no payout occurs and, consequently, bondholders face no write-off. Conversely, if losses meet or exceed the attachment point, bondholders become liable for losses up to the bond's notional amount. The specific events triggering the payout are defined by the bond's terms and depend on the bond's payout structure (e.g., loss-based or event-based).
Attachment probability refers to the likelihood that a catastrophic cyber event will trigger a payout. The probability must be modeled to encompass all factors that could lead to losses exceeding the attachment point at a given confidence interval.
A cyber bond's contract may specify the reporting window for cyber events and loss claims, which may significantly affect what losses will be covered. Research indicates that approximately 35% of cyber losses are reported in the first three months following the event, 75% in the first year, and over 90% within two years.
Confirming a cyber event occurrence may require independent reviews, especially in cases involving nation-states. Different reporting windows may apply based on an event's severity, further complicating loss assessments, and delayed detection may disqualify an event from coverage. Once a cyber event is reported, depending on the bond contract terms, the loss calculation may follow a specific timeframe that can vary based on the event's size and complexity.
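The following is an added illustration, not S&P's methodology or any issuer's actual bond terms, of how the trigger types in table 2 convert a cyber event into a principal write-down, and of how a reporting window limits the losses that count toward an indemnity trigger. The attachment point, notional, claims, provider names, and outage parameters are all constructed for the example; the claim lags are chosen to follow the development pattern quoted above (about 35% of losses reported within three months, 75% within a year, over 90% within two years).

```python
"""
Added illustration, not S&P's methodology or any issuer's actual bond terms:
how indemnity, parametric, and index triggers convert a cyber event into a
principal write-down, and how a reporting window limits which losses count.
Every figure below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    attachment: float  # loss (mil. $) at which write-down begins
    notional: float    # principal at risk (mil. $); exhausted at attachment + notional


def layer_write_down(layer: Layer, loss: float) -> float:
    """Principal written down when `loss` is measured against the layer."""
    if loss < layer.attachment:
        return 0.0
    return min(loss - layer.attachment, layer.notional)


# --- Indemnity trigger: the cedent's own reported losses, subject to a reporting window ---

@dataclass(frozen=True)
class Claim:
    ultimate: float         # ultimate loss for this claim (mil. $)
    report_lag_months: int  # months after the event at which it was reported


def reported_loss(claims, window_months: int) -> float:
    """Only claims reported inside the window count toward the trigger."""
    return sum(c.ultimate for c in claims if c.report_lag_months <= window_months)


def indemnity_write_down(layer: Layer, claims, window_months: int) -> float:
    return layer_write_down(layer, reported_loss(claims, window_months))


# --- Parametric trigger: named providers, named regions, minimum outage length ---

@dataclass(frozen=True)
class ParametricTerms:
    providers: frozenset
    regions: frozenset
    min_duration_hours: float


@dataclass(frozen=True)
class CloudOutage:
    provider: str
    region: str
    duration_hours: float


def parametric_write_down(terms: ParametricTerms, outage: CloudOutage, notional: float) -> float:
    """Assumed binary payout: the full notional once every parameter is met.
    Real parametric bonds may use tiered payouts; that detail is an assumption here."""
    qualifies = (
        outage.provider in terms.providers
        and outage.region in terms.regions
        and outage.duration_hours >= terms.min_duration_hours
    )
    return notional if qualifies else 0.0


# --- Index trigger: an industry-wide insured-loss index measured against the layer ---

def index_write_down(layer: Layer, industry_index_loss: float) -> float:
    return layer_write_down(layer, industry_index_loss)


# Constructed sample data (hypothetical bond: attaches at 300, 100 at risk).
LAYER = Layer(attachment=300.0, notional=100.0)
CLAIMS = (
    Claim(50.0, 1), Claim(90.0, 2),    # 140 reported within 3 months (35% of 400)
    Claim(70.0, 5), Claim(90.0, 9),    # 300 within 12 months (75%)
    Claim(40.0, 14), Claim(20.0, 22),  # 360 within 24 months (90%)
    Claim(40.0, 30),                   # 400 ultimate
)
PARAMETRIC = ParametricTerms(
    providers=frozenset({"cloud-a", "cloud-b"}),  # hypothetical provider names
    regions=frozenset({"us-east", "us-west"}),
    min_duration_hours=72.0,
)


if __name__ == "__main__":
    for window in (3, 12, 24, 36):
        print(f"indemnity, {window:>2}-month window: reported {reported_loss(CLAIMS, window):.0f}, "
              f"write-down {indemnity_write_down(LAYER, CLAIMS, window):.0f}")
    print("parametric, 96h outage at cloud-a/us-east:",
          parametric_write_down(PARAMETRIC, CloudOutage("cloud-a", "us-east", 96.0), LAYER.notional))
    print("parametric, 48h outage at cloud-a/us-east:",
          parametric_write_down(PARAMETRIC, CloudOutage("cloud-a", "us-east", 48.0), LAYER.notional))
    print("index, industry loss 2,050 against a 2,000 attachment:",
          index_write_down(Layer(2000.0, 100.0), 2050.0))
```

The same set of claims produces no write-down under a 12-month window, a 60 write-down under a 24-month window, and full exhaustion once all claims have developed, which is the point made above about reporting windows determining what losses will be covered. The parametric path never looks at losses at all: the same outage qualifies or not purely on provider, region, and duration.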
Modeling approaches
Assessing the creditworthiness of cyber ILS also depends on the approach taken to modeling. We think that proper evaluation of credit risk for cyber ILS requires models that are robust enough to capture loss distributions, including remote tail events and risk accumulation, and are based on credible telemetric data (the data and analysis collected from networks and systems to monitor security threats and activity).
At the same time, we think the model must be flexible and transparent enough to account for changes in the nature and extent of losses and allow for stress and sensitivity testing of key assumptions--without which, losses may be underestimated and the creditworthiness of the security may be overstated.
A parametric approach using Monte Carlo simulations is effective for modeling potential cyber loss scenarios because it incorporates uncertainty, rare events, and complex dependencies. By sampling from heavy-tailed statistical distributions, this approach can generate low-probability, high-impact event scenarios that could lead to payouts.
Stochastic frameworks can model correlated behaviors, such as multiple organizations being affected by a single cloud outage. Other modeling frameworks may use analytical methods to aggregate frequency and severity, but these are often more complex than running simulations.
To assess the robustness of a modeling framework, it's essential to evaluate the large-loss events covered by the catastrophe bond, along with attack frequency, severity, event reporting, and loss evaluation (see chart 2). The effectiveness of the model will depend on its alignment with the underlying catastrophe bond terms.
Chart 2
Data utilization in modeling frameworks
The calibration of modeling frameworks is dependent on historical data. As a result, we think thorough assessment of data coverage, reliability of source, timeliness, quality, and limitations is critical.
Cyber catastrophe bonds typically cover accumulation events affecting multiple companies, such as those relying on the same cloud provider or payment processor. The historical data for systemic cyber events is limited.
Notable incidents like NotPetya in June 2017 and MOVEit in May 2023 highlight the potential for significant economic losses--each estimated at more than $10 billion. The NotPetya cyber attack that spread across more than 65 countries was a wiper malware designed to cause damage and destruction to data and systems. MOVEit involved a ransomware attack and affected more than 2,000 organizations in health care, finance, and government.
WannaCry is another notable ransomware attack. It occurred in May 2017 and resulted in an estimated $4 billion in economic losses that spread to more than 150 countries due to a vulnerability in Microsoft Windows.
Cause of losses
Most cyber attacks with accumulation risk are caused by an outage at a service provider (such as a cloud or internet provider) or payment processor, mass data breaches, or mass ransomware. A failure of a service provider causes business interruption for its customers, which translates into financial losses.
Losses depend on the length of the business interruption and company reliance on that service provider. Additionally, poor company preparedness to mitigate cyber risk contributes to higher losses. If such an outage is related to a malicious ransomware event, cyber extortion payments and forensic costs could increase losses.
Losses caused by mass data breaches are mainly due to data exfiltration. A software vulnerability exploited by an attacker could affect many organizations. Financial losses depend on the number of records affected and their sensitivity, as well as on regulatory fines and penalties the companies may incur. Poor hygiene, such as lack of patches, will increase the loss impact. Moreover, if the data breach is combined with a ransomware attack, then financial losses can be catastrophic.
Correlation analysis
Models capture correlation risks when aggregating portfolio-level risks. But these risks are more challenging to capture than single occurrences and can be difficult to assess--irrespective of the models.
Systemic cyber attacks can affect multiple organizations simultaneously, and understanding interdependencies within industries and geographical regions is crucial. In our view, an important aspect of this is the cedent being able to provide data that helps the model capture these relationships.
Event clustering is another important consideration. Correlated behavior can lead to multiple incidents occurring simultaneously or in close succession, increasing portfolio loss severity and potentially triggering a bond payout that covers multiple cyber events. This also highlights the importance of understanding the information in the policies to assess the suitability of the model for the analysis of a specific bond.
Understanding supply chains is vital to assessing correlated behavior because vulnerabilities in third-party software and suppliers' systems can amplify the financial consequences of large-scale cyber attacks. A single attack on a key software vendor might trigger losses across several industries. Such losses could lead to correlated claims and highlight the need for modeling to take into account third-party vulnerabilities and the terms of the policies.
Scenario analysis, stress testing, and validation
Scenario analysis helps quantify incremental financial losses associated with specific cyber events, as well as the downstream impact of a cyber event or a large-scale system disruption. Given the rapid evolution of cyber threats, scenario analysis can also help model new or emerging risks, depending on the flexibility of the model.
Modeling depends on a robust dataset. Given that cyber is an emerging risk, the data may not fully encompass all potential causes of loss. Scenario analysis helps address this limitation.
Stress testing is the analysis of adverse but possible scenarios, including extreme events (low probability, high impact). Such analysis shows how a bond would perform in a stressed environment and helps identify cases in which the bond could not withstand catastrophic events.
Validation of the modeling framework plays a significant role in accurately assessing a bond's risk. Given the models for catastrophe bonds are predominantly parametric, statistical validation, combined with a back-testing framework, ensures model soundness and reliability. However, limited historical data on cyber catastrophic events is a challenge for comprehensive back-testing.
Finally, testing may happen outside of models. Specifically, for cyber catastrophe bonds, using real-world cyber incidents, such as past systemic cyber attacks, can help determine whether a bond can withstand an observed past event, and assist in determining the creditworthiness of the ILS.
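The following is an added example, not S&P's modeling framework or any model vendor's product, that puts together several of the points made above: a Monte Carlo simulation that samples outage length from a heavy-tailed distribution, a correlated loss in which one cloud outage hits every insured that depends on the same provider (with loss driven by the length of the interruption and the insured's reliance on that provider), and a stress test that doubles event frequency while holding severity assumptions fixed. The portfolio, the provider names, the layer, and all distribution parameters are constructed; nothing here is calibrated to real data.

```python
"""
Added example, not S&P's modeling framework or any model vendor's product:
a small Monte Carlo model of a cyber cat bond whose portfolio is exposed to
cloud-outage accumulation. All portfolio figures and parameters are constructed.
"""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Insured:
    provider: str         # hypothetical cloud provider the insured depends on
    daily_bi_loss: float  # business-interruption loss per outage day (mil. $)


@dataclass(frozen=True)
class Layer:
    attachment: float     # annual aggregate loss at which write-down starts (mil. $)
    notional: float       # principal at risk (mil. $)


@dataclass(frozen=True)
class Params:
    outage_rate: float    # systemic outages per provider per year (Poisson mean)
    median_days: float    # median outage length in days (lognormal)
    sigma: float          # lognormal shape; larger means a heavier tail
    waiting_days: float   # waiting period before business-interruption loss accrues


PROVIDERS = ("cloud-a", "cloud-b", "cloud-c")
# Constructed portfolio: 30 insureds, ten per provider, daily BI loss 0.5-2.5 mil. $.
PORTFOLIO = tuple(Insured(PROVIDERS[i % 3], 0.5 + 0.2 * (i % 11)) for i in range(30))
LAYER = Layer(attachment=200.0, notional=100.0)
BASE = Params(outage_rate=1.0, median_days=0.5, sigma=1.5, waiting_days=0.25)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_loss(rng: random.Random, portfolio, params: Params) -> float:
    """Aggregate business-interruption loss across the portfolio for one simulated year."""
    total = 0.0
    for provider in PROVIDERS:
        # Everything that depends on this provider goes down together.
        exposure = sum(i.daily_bi_loss for i in portfolio if i.provider == provider)
        for _ in range(poisson(rng, params.outage_rate)):
            days = rng.lognormvariate(math.log(params.median_days), params.sigma)
            covered = max(0.0, days - params.waiting_days)
            total += covered * exposure
    return total


def write_down(layer: Layer, loss: float) -> float:
    if loss < layer.attachment:
        return 0.0
    return min(loss - layer.attachment, layer.notional)


def simulate(layer: Layer, params: Params, years: int = 10_000, seed: int = 7,
             portfolio=PORTFOLIO) -> dict:
    """Attachment probability, exhaustion probability, and expected loss as a share of notional."""
    rng = random.Random(seed)
    losses = [annual_loss(rng, portfolio, params) for _ in range(years)]
    wds = [write_down(layer, loss) for loss in losses]
    return {
        "attachment_prob": sum(1 for loss in losses if loss >= layer.attachment) / years,
        "exhaustion_prob": sum(1 for w in wds if w >= layer.notional) / years,
        "expected_loss": mean(wds) / layer.notional,
    }


def stressed(params: Params, frequency_factor: float) -> Params:
    """Stress test: scale event frequency, keep the severity assumptions unchanged."""
    return replace(params, outage_rate=params.outage_rate * frequency_factor)


if __name__ == "__main__":
    for label, p in (("base", BASE), ("frequency x2", stressed(BASE, 2.0))):
        r = simulate(LAYER, p)
        print(f"{label:>12}: attach {r['attachment_prob']:.2%}, "
              f"exhaust {r['exhaustion_prob']:.2%}, expected loss {r['expected_loss']:.2%}")
```

Two design points carry over to evaluating a real model. First, the correlation is structural rather than a copula bolted on afterwards: the outage is sampled once per provider and applied to the whole dependent group, which is what the cedent's dependency data has to support. Second, the stress run changes only the frequency parameter, so the movement in attachment probability isolates the sensitivity to that one assumption; the same pattern applied to `sigma` or `median_days` gives a severity stress.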
Related Research
- Cyber Insurance Market Outlook 2025: Cycle Management Will Be Key To Sustaining Profits, Nov. 27, 2024
- Quarterly Cyber Focus: A More Balanced Insurance Market And Cyber Risk Pools, May 9, 2024
- Global Cyber Insurance: Reinsurance Remains Key To Growth, Aug. 29, 2023
- Cyber Risk In A New Era: The Future For Insurance-Linked Securities In The Cyber Market Looks Uncertain, Aug. 24, 2022
- Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market, July 26, 2022
- Cyber Risk In A New Era: Reinsurers Could Unlock The Cyber Insurance Market, Sept. 29, 2021
This report does not constitute a rating action.
Primary Credit Analysts:
- Ron A Joas, CPA, New York + 1 (212) 438 3131; ron.joas@spglobal.com
- Cristina Polizu, PhD, New York + 1 (212) 438 2576; cristina.polizu@spglobal.com
- Patricia A Kwan, New York + 1 (212) 438 6256; patricia.kwan@spglobal.com
- Charles-Marie Delpuech, London + 44 20 7176 7967; charles-marie.delpuech@spglobal.com

Secondary Contacts:
- Sudeep K Kesh, New York + 1 (212) 438 7982; sudeep.kesh@spglobal.com
- Maria Mercedes M Cangueiro, Buenos Aires + 54 11 4891 2149; maria.cangueiro@spglobal.com
- Manuel Adam, Frankfurt + 49 693 399 9199; manuel.adam@spglobal.com
- Olivier J Karusisi, Paris + 44 20 7176 7248; olivier.karusisi@spglobal.com
- Paul Alvarez, Richmond +1 2023832104; paul.alvarez@spglobal.com
- Martin J Whitworth, London +44 2071766745; martin.whitworth@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.