Cyber ILS: The Next ILS Risk Class

March 2021

Learn more

Insurance linked securities (ILS) are an asset class comprised of catastrophe bonds, collateralized reinsurance instruments and other forms of risk-linked securitization. Their value is affected by an insured loss event (Source:

Insurance Linked Securities are currently dominated by natural catastrophe risk (Nat Cat). However, recent loss affected years have shown that a reliance on peak Nat Cat can lead to high percentage draw-downs and large volumes of trapped collateral. Similar returns to Nat Cat can be derived from other classes with similar characteristics. If blended with Nat Cat risk, they can be used to develop better diversified portfolios with lower exposure to any one event or class, which would also lower capital exposure to any one event, while producing similar gross returns and improved net returns in the long run. In order for investor performance to continue to develop in a positive trend, it is necessary for ILS managers to improve their risk profiles. As ILS managers look for new opportunities, cyber risk should be a key consideration for expanding the ILS market. 

In the whitepaper, Cyber Catastrophes Explained, cyber catastrophes are defined as: 

  • An infrequent cyber event that causes severe loss, injury, or property damage to a large population of cyber exposures.
  • A cyber event that starts with a disruption in either a service provider or a technology, and unfolds by replicating this disruption whenever possible. 

Nat Cat has traditionally dominated the ILS market due to its inherent characteristics, including only deep tail correlation to financial markets and short tail of loss development. Additionally, the market boasts well developed and transparent third party pricing models and a wealth of availability of investor educational material. Nat Cat is favorable for the ILS market due to the substantial and growing need for capacity from (re)insurers and its consistent definition of risk and event. It has also proven itself in its positive risk and reward transaction metrics and is accessible due to the availability of transactions through the risk and reward profile from insurance, reinsurance and retrocession. 

In many ways cyber risk has many parallel characteristics to Nat Cat and therefore is an ideal peril to be incorporated in ILS portfolios. In the early days of the market there was less consistency in coverage and risk definition, and modelling agencies tended to provide only a ‘black box,’ leaving underwriters of the risk with little transparency into the methodology or numbers derived from the model. However, the cyber insurance market has rapidly matured, it is growing at 21.2% CAGR with substantial new wholesale capacity required to meet the demands of a growing consumer base across all geographies. Additionally, similarly to Nat Cat, cyber risk exhibits limited correlation with major global financial markets performance except in the deep tail. It should also be noted that cyber risk is a short tail class with clarity and standardization in the definition of risk covered. 

In order for the market to develop, third party models will need to provide a stable and transparent pricing methodology which can be simply implemented as the core of the underwriting process. The model will need to be effective at the insurance, reinsurance and retrocession levels, and provide accuracy and functionality across the range of data types (both aggregated and detailed data can be modeled). A modeling vendor must be transparent and provide the user with the ability to educate both themselves and their investors. 

Kovrr provides a stable and transparent pricing methodology which can be simply implemented at the core of the underwriting process.  The model is effective at the insurance, reinsurance and retrocession levels, and has been developed to provide accuracy and functionality across the range of data types (Both aggregated and detailed data can be modelled)

Quantifying risk frequencies in the cyber landscape is more difficult than traditional arenas of insurance due to the dynamic and constantly changing cyber threat environment. 

Kovrr continuously collects frequency data from diverse sources, avoiding single vendor bias, to have most up to date technologies and service provider distributions, representing real life cyber attacks and failures . Additionally, Kovrr collects severity data beyond cyber insurance claims. Our model relies on highly granular cost components per coverage and accordingly data is collected on incidents response costs, regulatory fines, data restoration, crisis management costs, business interruption, etc. Furthermore, Kovrr conducts digital assets mapping by partnering with various security vendors and business intelligence sources.

An initial Cyber ILS market entry for managers could come from participation in Industry Loss Warranties (ILWs) based on a calculation of market loss statistics for defined geographic regions. For natural catastrophe risk, individual policy exposures can be grouped by geographic zones. Similarly, cyber risk can be aggregated using CRA-Zones. Geographic location is still important when assessing cyber catastrophe risk, however, two additional elements must be taken into account to properly assess cyber risk aggregation - industry sector and company size. The CRA-Zones framework defines the minimal elements needed to provide a view of aggregated cyber exposure. CRA-Zones allow for analysis across multiple portfolios of risks and monitoring of exposure trends. Market loss statistics can be grouped by CRA-Zone. 

CRA-Zones were designed by Kovrr during their participation in the fourth cohort of Lloyd’s Lab, the insurance technology accelerator operated by the Lloyd’s of London re/insurance market. The framework has been designed with input from Lloyd’s market syndicates, cyber risk experts and cyber insurance industry professionals, who provided mentoring over the course of the program.

While ILW and retro markets are typically the last to develop, at this point reinsurers are already  carrying significant risk. If ILS funds choose to first underwrite ILWs, then they will only need high level aggregate data. Some modelers can already help in cases with less detailed data, such as in indemnity retrocessions, and data can be enriched to augment any missing details about each company. Less experienced managers may prefer developing knowledge of the market through the provision of ILW transactions before moving on to indemnity transactions, whilst managers already experienced with cyber risk, and therefore with the confidence to risk select between issuers and coverage, may be happier to invest in indemnity transactions. 

Cyber risk has now matured into a class of risk which has similar characteristics to those which made property catastrophe a natural fit for existing ILS investors. A major catalyst in the development of this market has been the stability in the provision of detailed third party models. As modelers evolved from a black box approach to a more transparent and educational approach, investors and fund managers have gained confidence in the data in order to enter a new class of business. Adding greater cyber risk diversification to ILS portfolios will maintain gross margin whilst improving long term performance net of claims activity, therefore generating more efficient performance. As the cyber market grows rapidly and looks for greater provision of capacity, Cyber ILS seems to be a perfect fit for ILS managers and investors to consider participation in the cyber market. 

John Butler

Advisory Board Member

Yakir Golan