Beazley, a UK insurance company contracted with Lloyd’s of London, has launched the market’s first cybersecurity catastrophe bond, intended to protect insurers from massive cyber payouts. Risks of these crippling payouts have increased exponentially in proportion to the rise in cybercrime. The catastrophe bond will cover a total payout of USD 45 million (£37 million) for claims exceeding USD 300 million.
A catastrophe bond covers major events that fall outside premium coverage. It’ll cushion the cyber insurance industry against an increasingly volatile cybersecurity environment that its clients find themselves in. The cyber catastrophe bond is the outcome of a three-year project involving multiple firms, including Gallagher Re and Fermat Capital Management.
Speaking to the Financial Times, Beazley CEO Adrian Cox stated that the new financial instrument will give cyber insurance firms access to a wider pool of capital: “What that taps into is a pool that is trillions rather than hundreds of billions, and is a pathway for us to be able to hedge and grow.”
Cyber Catastrophe Bond to Ease Insurance Burden
Last year, Lloyd’s announced a policy change that will leave catastrophic events, like cyberattacks, out of its coverage. Now, the Beazley catastrophe bond may help provide some protection from cyber risks. This is also the first time an insurer has established a liquid insurance-linked securities (ILS) instrument to cover cyber catastrophe incidents.
Catastrophe bonds work much like ordinary bonds. Investors take out the bond on floating interest rates and pay back the principal sum at the end of the bond duration. Like all bonds, the rewards balance out the risks. But in certain events — like extreme weather events — investors could lose some or all of their investments.
The cyber catastrophe bond eases the pressures on insurers by adding more market actors to contribute to the capital pool. These kinds of bonds act as a form of secondary insurance or “reinsurance” for underwriters. Institutional investors looking for returns pour billions of dollars into these ILS instruments, providing large insurance companies with a form of reinsurance.
Cyber Insurance Industry Teetering in the Face of Cyberattacks
The Beazley catastrophe bond, though much anticipated, is the first instrument to deal with the ever-evolving threat of cybercrime. Recently, Zurich Insurance CEO Mario Greco stated that cybercrime could soon become uninsurable. However, Beazley’s Cox doesn’t share Greco’s pessimism and says that the cyber insurance industry can be resilient enough to absorb shocks if adequate safeguards are implemented.
To become more resilient, cyber insurance companies will need accurate risk assessments. While all insurance companies do risk assessments, it’s especially difficult for cybercrimes. This is due to the scale of recent attacks and their increasing sophistication. To make matters worse, many of these breaches go unreported, leading to a void in accurate statistical data. A miscalculation in premiums and risk assessment can mean bankruptcy for a large insurance firm.
Cyber insurance is a global issue. Cybercriminals are finding ways to attack vulnerable networks and businesses with increasing confidence in an interlinked world. This has hurt cybercrime insurance. The US cost of cybercrime insurance doubled between 2016 and 2019. Despite this, the US Government Accountability Office has outlined the difficulties with cybercrime insurance, such as limited historical data and lack of standardized definitions. The result of this has been that cyber insurance companies are increasing premiums but lowering overall coverage.
SMBs Hit the Hardest
A potentially overlooked commercial class in terms of cyber insurance is small to medium businesses (SMBs). These businesses need to help themselves by maintaining resilient network security. With mounting premiums for cyber insurance, business owners must decide between insurance, in-house cybersecurity personnel, or high-quality antivirus and malware toolkits.
New research has indicated that cybersecurity budgets are stretched thin for small business owners. The research shows that, in 2023, business owners will cut back 50% on cybersecurity budgets, from €117,000 to €58,000. This is a concerning level of cutbacks for an area in dire need of resources, given that 79% of SMBs experienced a cyberattack in 2022. Since 32% of SMBs don’t even have a disaster recovery plan in place, a serious priority readjustment is needed in the industry.
Even if SMBs have their priorities straight, they can’t afford to get the best insurance policies, in-house personnel, and software toolkits like large enterprises. They’ll have to be picky and choose cost-effective security precautions. These invariably include implementing multifactor authentication, conducting employee awareness training, and telling employees to maintain strong passwords.
For safer data storage, SMBs can look into cloud storage options. Despite many breaches, cloud storage services are cheaper and more secure than in-house storage. Additionally, cloud storage providers tend to have more powerful security precautions, and you can take advantage of this at a much better price than storing sensitive information in-house. Having said that, remember that the liability rests with the original data owner in case of a data breach.
Cyber Insurance Needs to Evolve—Quickly
The industry’s failure to standardize definitions has left insurers with no means of assessing business network security before issuing quotes. For example, the industry has no information regarding ransomware payments. This is a sorry state of affairs where insurance companies are at a loss to respond to the rise in cybercrime, which seems to be evolving at a clip faster than can be accurately quoted.
With all this in mind, Beazley’s catastrophe bond couldn’t have come at a better time.
The catastrophe bond serves the useful purpose of making cyber insurance more affordable for all business entities, providing a level of safety for insurers to issue better policies. Without these kinds of financial innovations, cyber insurance would continue its death spiral of lower and lower coverage accompanied by higher and higher premiums, potentially to the point where business owners may be forced to take a chance without it.
Yet, this doesn’t leave the business owners off the hook. Given cybercriminals’ recent onslaught, SMBs will do better by allocating their budgets to cost-effective security protocols to defend against threats as soon as they arise.