Cybersecurity Storm: Reinsurers Should Consolidate
Healthcare has suffered a lot on the cyber security front this year. The recent UnitedHealth hack was said to be the most serious one to date, in that space, costing healthcare providers an estimated billion dollars per day.
This number seems to be an overestimation. Play the first 30 seconds of the video below to verify it's a “B” for a Billion dollars each day.
Forbes has a more reasonable number. They say it's $100m, citing a player in the assurance business.
A digital health advisory firm has it in its best interests to come up with an estimate that is not shocking, so that might lower the actual risk. The billion from Becky at CNBC logically sounds high. The true cost probably lies somewhere between 100m and a billion. We might never know what the true cost was.
This hack lasted for 14 days so the true costs lie somewhere between $1.4 bn and $14 bn. CNBC said it's in its 4th week, so the most over-the-top estimate would be $28 bn.
This is just one breach event. Let us, for digestive purposes, accept $14bn and assume all of these losses were insured. Of course, they were not. It's a complex interaction of business interruption risks and cyber security risks. The question is do our insurers and reinsurers have enough capacity to undertake this level of business and risks?
Cybersecurity insurance is still in its infancy stages, as of 2022 the market size was only $7 bn. But it's going fast, as the needs of the economy for insurance related to this rises fast.
Another mind-boggling number is the number of hacking attempts that JP Morgan faces per day. That number is 45 billion. That’s 520,833 attempts per second. If this number is true, it means the bank is being attacked on an industrial scale by agents that have invested heavily in this undertaking. Of course, most of the attempts will be simple nodal attacks, not full system attacks, but they are attacks nonetheless, it only takes one of those 45 billion attacks to be successful for the hackers to identify an exploitable vulnerability.
Now, this level of risk is something that you want to take care of if you are Mary Erdoes. The first layer of taking care of this is self-insurance. You reduce risk by employing a lot of technologists. That is why JP Morgan says they employ more technologists than Amazon or Facebook.
For a bank that has 3 trillion assets in its custody, the next layer of taking care of this is some sort of insurance. Of course, there is FDIC for deposits, but for business interruption and 3rd party lawsuits, you might want to buy some insurance. It's only prudent to do so as a business manager. Not doing so is failing to exercise due care. Let's say you want to index your insurable value to the level of business you have, proxied by your assets under custody, and you only want to cover 1% of that amount. For a bank of JP Morgan’s size, that 1% translates to $ 30 bn to cover.
Do our current insurers have the capacity to assume that as standalone businesses?
The purpose of these two exposure examples (United Healthcare and JP Morgan) is to showcase how cyber security risks have grown so large in the last couple of years. These examples lie on the extreme end, in the most affected sectors. Banking is a prime target because of direct access to funds and healthcare is a target because of the datasets. Health records are sold for $60 each, way higher than credit cards ($15 each) and social security numbers ($5 each). Other sectors beyond this are equally affected, they are just not glamourized.
The chart above is in trillions. It's yet another mind-boggling number, that you are left to wonder, “Who comes up with these estimates”. Nonetheless, it is relevant. You get the idea of the need to insure against some of the risks bundled under cybercrime. You get to appreciate the demand side. Take 2025 estimated cost of 9.2 trillion for example, and apply say 3% premium to coverage ratio, you get gross premiums of $276 bn. That's the global demand.
Of course, not all losses can be insured. Most losses in most cases will be uninsured. Some are not insurable. For example, whenever the perpetrator in a cybercrime is identified as a state-sponsored actor, insurance companies have a clause that excludes that from the risks they insure. There are numerous other cases where the risks are just not insurable.
However, even after all sorts of adjustments, we still get an idea of how big the issue is and how companies want to buy insurance for this, over and above their cybersecurity spending.
The Supply Side
How the insurance industry is structured is that people and companies that need insurance approach brokers who in turn approach underwriters who asses the risk, price it, and offer a policy contract. Underwriters are helped by actuaries in assessment and pricing risk. These (i.e. the insurer) will have a portfolio of policies they wrote and sold, and they collect premiums.
Because the portfolio can be very concentrated, they also need to buy insurance on that, in case so many claims overwhelm them. That's where reinsurers come in. They sell insurance to insurance companies. So, in most cases, your reinsures are the big boys.
The below chart is for 2022, older but shows how big they are, with MunichRe at 51 bn gross premiums written.
This level of business is small given the level of demand that is wanting to be served. The total for the top 10 is $251 bn gross premiums written. It will be disingenuous to directly compare this to the $276 bn we calculated above, but there is a point somewhere along that axis. The point is, as the estimated costs of cybercrime skyrocket, so will the need to insure for whichever part of cybercrime can be insured against, and the willingness to insure rise as well, and these will eventually be more prominent than current business lines combined.
What this means is that cyber-insurance will be on pace to be the most dominant insurance market (business line for insurers) soon. It will dwarf other business lines.
The demand is there, but the supply has not caught up. For the supply to increase, a lot has to happen.
- data will have to be shared and centralized around risk exposures, leaks, losses given a breach, etc.
- data will have to be shared between insurers and reinsurers.
- definitions of state actors and non-state actors, insurable risk, and on-insurable risks have to be clarified and agreed upon.
- etc
- and reinsurers will have to consolidate.
The purpose of this article is to emphasize the last bullet point.
Let's dig deeper.
Insurance companies can write policies for these rising cyber exposures as long as they can offload an increasingly big chunk of the risks to reinsurers. That is why the focus should be on the reinsurers.
Currently, insurers are ceding 45% of the premiums to reinsurers. This is a very high percentage.
Henry Skeoch and Christo Ioannidis, in a recent paper (Feb 2024) performed thorough market simulation on this and unearthed huge pricing inefficiencies, and inconsistencies, obviously associated with a nascent market. It's a mini Wild Wild West. The authors made an interesting remark followed by a fascinating question.
The fact that so much premium is ceded suggest also that insurance carriers are themselves nervous of the quantity of risks insured relative to the likelihood of losses. This begs the question as to why reinsurers would rationally increase capital allocations to the cyber-insurance market if the originating insurer is not comfortable with the risks.
The remark regarding the nervousness of insurers around this is spot on. The answer to the capital allocations question lies in the Catastrophic Bonds Market. These are Insurance Linked Securities. The 1st Cyber Cat Bond was issued in Nov 2023. It's the insurance sector approaching capital markets for support in its bid to expand beyond a point at which the “traditional reinsurance risk tolerances are reached”, to quote an Artemis article.
Alright! We have set the context and cleared any lingering doubts about the state of the industry regarding cyber insurance. The state of affairs is that of supply-side constraints, insurers are nervous and reinsurance companies have run out of capacity (already) before the huge demand storm approaches.
Cyber Cat Bonds — Great, but not the Ultimate Panacea
The innovation is very practical. It works. There is demand for these bonds. There are pockets of our society that want to be exposed to these types of risks, so they buy cyber cat bonds. Hedge funds made $45 billion in 2023 from cat bonds (mostly climate, not much cyber in the mix).
Cyber cat bonds are a capital markets instrument. Somebody still needs to do the underwriting, that is, to sell policies to those who are exposed to cyber risks, and collect premiums. Somebody also needs to issue the cat bond, either an insurer or a reinsurer.
Now, if insurers can directly approach capital markets for this capacity, do they need a reinsurer? If the reinsure has no capacity, and only exists as a middleman on the chain, charging a fee and offloading risks to capital markets, larger insurers might decide to sidestep the middlemen and approach capital markets directly.
Given the growing prominence of cyber security as the dominant, ever-present risk in the now-digitalized world, it would be catastrophic (pun intended) for reinsurers to be irrelevant as far as the biggest business line is concerned.
If insurance companies write so many cyber policies and offload directly to capital markets, they can become as big as the reinsures (in terms of GPW) within a short period and become too big to be reinsured by reinsurers.
To get the necessary size to support this growing line of business, and stay relevant, reinsurers must consolidate. They will probably consolidate because they will soon recognize the need to consolidate. The idea will be to combine the balance sheets, get bigger, have more capacity to pen bigger contracts, and directly write policies for behemoths like JP Morgan and United Healthcare that have exposures and needs that are too big to be insured by insurance companies.
Consolidate reinsurers will be better placed to aggregate risks from insurers and approach capital markets issuing large-size Cat Bonds (talk of $5bn, $10bn, not the current $75m, $415m). The size will bring along a lot of efficiencies. Get the Scale.
Scale
The emphasis here is on scale. The word scale is very important. Hyper-important.
Without scale, which can only be attained after consolidating, reinsurers can be quickly irrelevant on this one. They could still be relevant for other business lines, but clients (insurers and big corporates) will be interested in the biggest risk factor, first and foremost.
The same relevancy factors will be at play between insurance companies and their clients. If you cannot provide me with insurance against my biggest risk factor, then I have no use for you. This partly explains why insurers are writing cyber insurance policies when they are nervous about it. Their clients demand it. They have to supply. Other business lines don't go away, but more business will accrue to those players that provide holistic coverage of risks, including cyber, and most importantly cyber.
Now, we are probably in the 1st innings of these cybersecurity games. The real risks will appear when AI is deployed on both sides (hackers vs companies), at scale. It will be AIs fighting against AIs and human directors. As we are headed towards that point, incidences are going to multiply. Scale will be needed at every point, from enterprise security to insurers to reinsurers.
Reinsurers will eventually consolidate to create behemoths with Gross premiums underwritten above $100 bn. The faster the cyberstorm comes, the sooner we will witness consolidations.
Ciao!