Cyber ILS market poised for growth, but must overcome key risk challenges: S&P

As the cyber insurance-linked securities (ILS) market continues to expand, analysts at S&P Global Ratings have identified key factors influencing cyber ILS credit quality, including regulatory risks, policy terms, cedent risk, asset collateral, and modelling challenges.

In a new report released by S&P, analysts project that, depending on continued market growth, cyber ILS issuances could surpass the well-established natural catastrophe ILS market, which has approximately $50 billion outstanding, within the next 10 years.

Since their introduction to the ILS market in January 2023, there has been 10 cyber catastrophe bonds, with the largest issuance reaching $210 million, which clearly indicates that the market is continuing to grow.

As a reminder, you can read about every cyber cat bond transaction, including the first private cat bond deals and the more recent 144A cyber cat bonds, by filtering Artemis’ Deal Directory by peril to view only cyber cat bond transactions.

“As a result, assessing the creditworthiness and risks associated with these innovative financial instruments is becoming increasingly important,” said S&P Global Ratings credit analyst Ron Joas.

Adding: “In our view, the main factors that may affect the credit quality of cyber ILS transactions are regulatory risk, policy terms and conditions, cedent risk, asset risk/collateral, and modeling requirements.”

“Stakeholders in the cyber ILS market are concerned about the potential for positive correlation between cyber losses and capital market volatility, silent cyber losses, large accumulation risk, cyber attack contagion, the dynamic nature of cyber risk, and the limited historical loss data to assess these risks,” S&P explained.

It’s important to highlight, that unlike natural catastrophe risks, where modeling frameworks have been refined over decades, cyber risk is less understood and is consistently evolving, which is leading to greater uncertainty in pricing and exposure limits.

Moreover, S&P also notes that in order for cyber ILS to continue expanding, re/insurers may have to focus on certain elements in order to enhance stakeholder participation.

These include: standardising policy terms to create consistency across issuances, simplifying language to avoid legal ambiguities and ensure clarity in coverage, as well as enhancing cyber risk modeling to improve pricing accuracy and risk assessment, along with increasing transparency in cyber event attribution, particularly in identifying responsible actors and their motives, and providing granular coverage options to align with investor risk preferences.

In terms of some of the key considerations that may affect cyber ILS’ creditworthiness, S&P flags regulatory risk as a major factor, as the legal landscape for cyber threats varies significantly across jurisdictions.

A key example is how some US states, such as North Carolina and Florida, have specific bans on ransomware payments, while payments to sanctioned entities, including terrorist organisations, are typically prohibited worldwide.

Another challenge that analysts highlight, is the lack of standardized policy terms across the cyber ILS market.

“We view the lack of standardized policy terms at the cyber ILS level as a credit risk factor. Clear definitions of covered events, triggers, and precise loss calculation methods would help avoid confusion and ensure consistency. For example, loss determination periods, which define the period during which losses may be reported and covered, may be based on the reporting period, involve waiting periods, or involve a time limit.

“In addition, losses and how they are aggregated can be a source of ambiguity if they are linked to the definition of the “event,” which may vary widely among different policies or be loosely defined. This ambiguity could call into question the extent of loss and the ultimate loss payout, which can hurt the credit quality of the bonds.”

Furthermore, S&P also emphasizes the importance of robust modeling frameworks to accurately assess risk and determine loss probabilities in cyber ILS transactions.

“The technical aspects of the cyber ILS models, and their ability to accurately quantify the loss impact from catastrophic cyber events, are key considerations in determining loss probabilities and, therefore, the risk of default. The methodology and assumptions third-party models use determine how well the risk of loss and the ultimate payout for bondholders can be quantified. If a model underestimates the impact of a covered cyber event, it may also underestimate the likelihood of payout.”

S&P also affirms how scenario analysis and stress testing are essential for improving cyber ILS risk assessment, helping to quantify financial losses, assess systemic cyber risks, and validate modeling frameworks amid limited historical data

Given the lack of comprehensive historical data, stress tests based on past systemic cyber attacks could help assess whether a cyber bond structure can withstand real-world incidents.

Additionally, statistical validation and back-testing frameworks will be critical for ensuring the reliability of cyber catastrophe models. However, the scarcity of historical data on large-scale cyber events remains a significant hurdle for back-testing risk projections, highlighting the ongoing need for innovation and transparency in cyber ILS risk assessment.

Despite these challenges, it appears that S&P sees significant long-term potential for cyber ILS as demand for cyber insurance continues to grow.

Remember you can filter Artemis’ Deal Directory by peril to view only cyber cat bond transactions.