Corvus Interview: The State of Cyber with Ian Newman

The following interview was originally published as part of Corvus’s quarterly Cyber Risk Aggregation report, known as the Nutcracker Report. We deliver these insights on trends in the aggregation of cyber risk to a select group of reinsurers, reinsurance brokers, and program managers. If you’d like to receive the report in the future, please send your inquiry to flock@corvusinsurance.com.

Gallagher Re is among the most forward-looking reinsurance brokers in the cyber space. Back in 2018, before ransomware became synonymous with cyber risk and the market endured severe hardening, the Gallagher team, including Ian Newman, Head of Global Cyber, foresaw massive growth for the market. They even coined a term, “PC&C” (Property, Casualty & Cyber), to indicate that cyber would grow to compete with the rest of P&C insurance in importance such that it deserved its own letter in the acronym. They’ve recently released a white paper, Cy-Fi: The Future of Cyber (Re)Insurance, which updates and further explains their views on the future of cyber. In a word: they remain bullish.

We sat down with Mr. Newman to get more of his thoughts on innovation in cyber, managing aggregations of risk, and more:

First, please introduce yourself to our readers.

Hi, I’m Ian Newman and I am lucky enough to run the global cyber team at Gallagher Re.

We understand that you are a former property catastrophe reinsurance broker. When and why did you make the switch to cyber reinsurance?

I enjoyed the decade I did in property catastrophe but was after a new challenge. When I came across cyber around nine years ago, I didn’t know the first thing about the market. After researching the area, it seemed like an extremely exciting space with massive potential for growth. In the long term, I could see there being many similarities with property catastrophe – in that, cyber systemic risk would ultimately become as big a driver of volatility and capital as catastrophe.

Another attraction was brokers’ approach to cyber. They tended to rely on generalists rather than specialists and we saw this as a great opportunity. Cyber is one of the most dynamic classes in reinsurance and we believed that those who understood the class the best, from original product to final capital, would come out on top. So that is what we set out to do. We hired a team with a diversified skill set to help us understand this evolving risk: direct and reinsurance brokers, cyber experts, underwriters, actuaries, and cat modelers. We also invested significant time and effort in data augmentation and cyber models.

You coined the term “PC&C” four years ago because of the growth your team foresaw in cyber insurance and cyber reinsurance. Is that pace of growth still on track, and what are your team’s latest projections?

I feel more confident in that prediction than ever and, as you know, that was the central topic of our recent white paper. I continue to believe strongly that cyber will be as large as property, therefore the market must adapt materially to accommodate the growth of intangible assets. We focus on the opportunities and challenges around cyber as a class, but additional consideration needs to be given to cyber as a peril, as cyber risks become more prevalent in other lines.

What’s the biggest challenge for the cyber insurance industry today?

The obvious answer at this moment is warfare – but that is being covered heavily elsewhere and a single paragraph could not do this complicated topic justice. I would like to focus on capital, which is a longer-term challenge for the market. In a class that is predicted to grow so rapidly, how does the industry continue to meet demand? We are seeing this today with restrictions in capacity throughout the insurance chain and many buyers of insurance unable to get cover.

Please explain the “premium problem” in cyber insurance today and how it has impacted the market dynamics within the line recently.

While it seems slightly strange to talk about premium as a ‘problem’, premium is to a degree causing the capacity crunch in cyber. In the insurance industry, we often see premium used as a proxy for exposure, and hence when business plans are finalized, they are often done on a premium as opposed to a probable maximum loss/total insured value (PML/TIV) basis. We need to realize that there must be a separation of premium from exposure to allow carriers to plan accordingly. Otherwise, existing practices will continue, and every time rates increase, carriers will look to cut the amount of business they write to remain within their strict business plans.

If you are looking to shed aggregate (in a market where you are seeing huge amounts of new business) you can afford to push rates harder, which in turn means you need to cut more aggregate. This issue is exacerbated with reinsurers, as not only do they often use a similar business planning process, but the relative demand for reinsurance continues to rise with nearly 50% of all premiums being passed on to the reinsurance community (up from 40% in 2021).

How do you explain the disconnect between dire headlines about cyberattacks and zero-day vulnerabilities and relatively light cyber losses linked to those major events?

Cyber is a class that, due to its relatively late arrival to the industry, is poorly understood and greatly feared by many senior stakeholders. Some of this is justified, as cyber is an area where at first glance it is challenging to identify the size of any event. This is also caused by a high degree of skepticism. Therefore, any large headlines attract a lot of attention from the broader economic community and often result in actions rooted in misinformation.

Which aggregations of cyber risk attack vectors are of most concern to reinsurers and insurers?

The growing dependency on cloud service providers and related solutions is probably what first comes to mind when aggregation risk is brought up, but we don’t necessarily see this increased uptake as something (re)insurers should fear. Rather, with some of the more widespread cyber events disproportionately impacting those who have services based ‘on premise’, we may even see a reduction in aggregate risk for all but the highest return periods as cloud adoption grows.

In reality, the aggregation risk landscape for cyber is more complex than cloud providers alone. The good news is that we’re becoming better at identifying and analyzing these risks as (re)insurers and vendor models are increasingly utilizing technology solutions to ensure exposure is within appetite across portfolio optimization and catastrophe modeling.

Which techniques from property catastrophe risk modeling do you see being transferable to cyber insurance and cyber reinsurance? Do they include insurance-linked securities?

When it comes to quantifying cyber risk, property catastrophe is a closer comparison than casualty (where the scope for a systemic loss is limited). If we think about the key tail risks, we will adopt the same principles even if the disaggregating factors are different.

Unlike property catastrophe, cyber is a man-made risk. It does not recognize geographical boundaries and there is no seasonality. However, there are many cyber-specific factors that we can use to quantify this risk and manage PMLs, such as single points of failure, specific vulnerabilities, or overall cyber posture of underlying risks. There is still a long way to go, but there has been significant progress in the modeling over the past 24 months. We expect to see a continuation in improvements and investment, both internally and externally, as our understanding develops.

Models are key for ILS. Some have argued that we need more confidence around expected loss. However, even for property catastrophe, there remains inherent uncertainty around the models, which continue to be adjusted. If we look back a few years, we can see how much the models have changed – and yet the ILS community was and remains comfortable to trade with them (as a matter of fact, the first ILS trade was executed without any modeled output). Therefore, as with property catastrophe, we must use the models as a guide and ensure we understand their output as accurately as possible to help us deliver a loss estimate that we can have some confidence in.

In the meantime, we should all focus on education, data gathering, process improvement, and consistency of approach to quantify this complex risk.  We have done a significant amount of work in the ILS space and therefore expect to see an unlocking of this part of the market over the next 18 months.

What do you think of personal cyber insurance? Do you buy any yourself? 

Will we one day all buy personal lines cyber insurance? Probably. If you buy contents insurance, why would you not buy something which you are statistically far likelier to be a victim of, with more severe consequences?

Do I buy it? I’m slightly embarrassed to say no. At the moment, the personal cyber market is offering similar solutions to credit monitoring and identity restoration services. I expect products to broaden in scope, akin to what happened in the commercial market over the past ten years. When that happens, I’ll be first in line.

Cyber Insurance in 2030: what’s the one (hypothetical) headline that encapsulates where the market will be?

Bigger – a lot bigger.