Enhancing cyber insurance strategies: exploring reinsurance and alternative risk transfer approaches

Abstract

Cyber reinsurance is crucial in fostering sustainable growth and enhancing risk transfer strategies within the cyber insurance sector. Approximately 50%–65% of global cyber insurance premiums were ceded to the reinsurance market in 2022. While current reinsurance capacity is adequate to meet prevailing market demands, significant increases are needed to safeguard international commerce and close the cyber protection gap. This study analyzes the management of cyber risk accumulation by cyber reinsurance. The research creates and analyzes a dataset of semi-structured interviews with twenty cyber reinsurance market participants. The findings indicate that due to the highly volatile nature of cyber risks, cyber reinsurers enforce stringent capacity provision criteria on primary insurers. It is highlighted that reinsurers diversify their aggregate and cyber risk accumulation across various factors. This study offers an in-depth analysis of cyber insurance within the reinsurance framework, detailing collective strategies for implementing ILS and PPPs to mitigate barriers. These measures aim to enhance cyber capacity within the market, ensuring that cyber insurance remains accessible and affordable.

Introduction

In 2022, it was estimated that 50%–65% of the global cyber insurance premiums, valued at approximately $12 billion, were ceded to the reinsurance market (A reinsurer is an insurer that specializes exclusively in insuring other insurers). Figure 1 presents a clear classification of the position of a reinsurer within the risk transfer value chain.) [1]. It contrasted with only 25% of general non-life insurance premiums typically flowing into reinsurance [2]. This underscores the critical role of reinsurance in fostering the expansion of the cyber insurance market. This research involves creating and analyzing a dataset of interviews with cyber reinsurance experts to understand how cyber reinsurance manages cyber risk accumulation and explores alternative risk transfer solutions to provide additional capacity. The study presents a comprehensive analysis of cyber insurance within the reinsurance domain. It highlights the strategies reinsurers use to minimize potential losses, by designing treaties and diversifying their cyber risk accumulation across various factors such as geography, technology, and industry sectors.

Background

Cyber insurance serves an essential function as a risk transfer mechanism for companies seeking to enhance their cyber resilience [3]. The current provision of capacity by reinsurers is sufficient to sustain the cyber insurance market, but it falls short in terms of promoting growth and increasing protection for companies [4]. In such a situation, a reduction in capacity leads to the hardening of the cyber insurance market [5]. The impact of hardening is a shortage of available cover options and rigorous underwriting, which is an additional obstacle for companies in obtaining suitable cyber risk coverage [6]. Cyber insurance market hardening also hinders the wider acceptance and penetration of cyber insurance across all industries [7]. In addition to limited capacity, cyber (re)insurers face particular challenges in accurately assessing, pricing, and managing cyber risks [8]. The complex and evolving nature of these risks further complicates the underwriting process of cyber insurance policies [9]. Consequently, these challenges significantly hinder the growth of robust and socially beneficial cyber insurance markets [10].

In the challenging cyber insurance market, various obstacles affect the availability, affordability, and effectiveness of cyber insurance coverage. Affordability becomes a concern, as higher premiums make it difficult for organizations, notably smaller businesses or those with limited resources, to obtain adequate cyber insurance coverage [11]. Enforcing stricter underwriting criteria requires organizations to implement robust cybersecurity measures and risk management practices before coverage is granted [12]. This poses challenges for organizations with less advanced security systems, as they must invest more in enhancing their cybersecurity to meet underwriting requirements [13]. Furthermore, insurers may reduce coverage limits, potentially exposing organizations to higher losses. Insurers exercise caution by limiting the coverage offered for cyber risks, potentially leaving policyholders inadequately protected [6]. Policy restrictions and exclusions further complicate matters, as insurers impose limitations and exclude specific cyber risks from coverage [14]. This introduces uncertainties and vulnerabilities for policyholders because specific attack methods or emerging threats may not be covered [15]. Capacity constraints also arise as insurers reach their limits in accepting additional cyber risks, and reinsurers may not provide additional capacity. This exacerbates the shortage of coverage options, further restricting organizations from seeking cyber insurance. These challenges hinder organizations' ability to obtain sufficient and affordable cyber insurance coverage, impeding their effective management and transfer of cyber risks [4]. Addressing these challenges is vital to ensuring that organizations can navigate the ever-evolving cyber risk landscape with appropriate protection.

Problem statement

Cyber risk presents a distinct and complex challenge for insurers and reinsurers, characterized by its potential for widespread and significant portfolio-level losses [16]. Major cyberattacks can impact multiple policyholders simultaneously, necessitating cyber insurers to have access to substantial capital [17]. Cyber reinsurers are integral to providing the capacity to manage these risks [18]. However, unlike other insurance lines dealing with large-loss events, such as natural disasters, cyber reinsurers face unique difficulties in efficiently deploying capital. Contrary to natural catastrophes, in which geographic diversification can mitigate risks, the systemic nature of cyber risks makes such diversification less effective [19]. Systemic risks extend beyond singular issues, encompassing a broad scope that can profoundly impact individual risks and other market participants, submarkets, and even the entire economic system [20, 21]. Cyber incidents can potentially affect a critical mass of policyholders simultaneously, leading to significant losses that can strain reinsurers’ resources [22]. This challenge necessitates cyber reinsurers to effectively manage and price cyber risk to ensure sufficient capital availability for potential losses. In response to these challenges, Munich Re reported that the cyber insurance industry collaborates with governments to establish a cyber insurance backstop [23]. A governmental backstop would guarantee that the government would step in as a last resort in the case of a catastrophic and unmanageable systemic risk. Such systemic risks could impact a significant proportion of a portfolio and even question the solvency of the entire insurance industry [24].

The International Association for the Study of Insurance Economics, or The Geneva Association, is a non-profit organization advancing insurance research. The Association has addressed several critical issues in their publications, emphasizing the importance of effective cyber risk management [25, 26]. They highlight that such management requires a comprehensive understanding of dependencies and the development of sophisticated models to quantify potential losses [27]. Insurers and reinsurers have a vital role in enhancing cyber resilience by promoting best practices, investing in cybersecurity measures, and fostering a culture of risk awareness [26]. These efforts are crucial for expanding the cyber insurance market. Cyber reinsurance and insurance-linked securities (ILS) could play a central role in mitigating risks by spreading exposure and enabling insurers to maintain coverage for catastrophic scenarios [22, 27].

Objective of the study

The “Call for Action” by Falco et al. [28] emphasized the need for research on how reinsurers diversify and assess their aggregated cyber risks. This study acknowledges the critical responsibility of reinsurers in the risk transfer value chain. It presents a comprehensive qualitative analysis of their specific functions in cyber insurance. It is centered around the research question: How do reinsurers perceive and manage their cyber risk accumulation, and can alternative risk transfer solutions provide additional capacity? Following a research ethics process, this research conducts 20 semi-structured interviews with nine cyber reinsurers and seven cyber reinsurance brokers to explore the reinsurance industry’s perspectives and alternative risk transfer options concerning cyber risks. This study also analyzes how public–private partnerships (PPPs), ILS, and captives can enhance market capacity through alternative risk transfer approaches. It includes an assessment of PPPs’ effectiveness in cyber risk management, highlighting key challenges, and proposing integrated solutions. Additionally, it evaluates the role of ILS and captives in augmenting cyber insurance capacity, identifying impediments in their application, and suggesting practical approaches for their optimization in the industry. This analysis concisely explains the interplay between primary insurers, reinsurers, and alternative risk transfer mechanisms in addressing cyber threats. Figure 1 shows that the reinsurer is in a central position to coordinate cyber risk transfer and capacity provision.

Significance of the study

This study contributes to bridging the gap between cyber insurance, reinsurance, and ILS by providing a comprehensive analysis of the cyber reinsurance market, which offers researchers a valuable opportunity to gain insight into the reinsurance part of the risk transfer value chain. The outcomes of this study will serve as a foundational framework for comprehending the challenges encountered by reinsurers and the strategies they adopt to manage cyber risks effectively. In addition, the reinsurance industry and regulators will benefit from a consolidated perspective of the practices employed by other reinsurers in this line of business and their overall perception of cyber risks. Such aggregated insights can enhance risk management practices and foster a collective understanding within the reinsurance sector. This research offers valuable insights for policymakers to discern the ongoing endeavours in cyber risk transfer and the measures taken to mitigate these risks. By deriving recommendations from the results, policymakers can extend support to the insurance industry to overcome its challenges.

The remainder of this paper is organized as follows. The section “Related work” describes related work on cyber insurance. The section “Cyber risk transfer market” outlines the current cyber risk transfer market, and the section “Method” discusses the research methodology employed in this study and the processes involved. The section “Results” presents an intricate account of the results obtained through thematic analysis and semi-structured interviews. Further discussion is provided in the section “Discussion,” while the section “Conclusion” concludes the paper.

Related work

Cyber insurance is a rapidly expanding area of security and risk management research that underscores the critical importance of addressing cyber risk [5]. This literature review focuses on academic papers related to cyber reinsurance and cyber ILS, as well as research papers relevant to cyber insurance.

Falco et al. [28] propose a cyber risk and insurance research agenda to accelerate progress in cyber research and emphasize the need for greater collaboration across disciplines. The authors listed six broad interdisciplinary questions in their agenda, including risk transfer through cyber insurance. This also included interviews with reinsurers to understand the cyber accumulation scenarios they envision. Tsohou et al. [29] conducted a thorough analysis of the existing literature on cyber insurance, encompassing both research and practical aspects of the present landscape and emerging trends. One of their significant findings highlights a disparity between the increasing demand for cyber insurance and limited market capacity, which they attribute to intricate and time-consuming underwriting processes, particularly concerning significant risks. Nobanee et al. (2023) [30] conducted a bibliometric review of cyber insurance literature from 2002 to 2021, using Scopus and VOSviewer to analyze 503 articles. They identified trends, leading papers, and authors, noting a significant increase in research interest since 2009. The study revealed the most influential works and highlighted research gaps, suggesting a need for further comprehensive studies on the impact and global understanding of cyber insurance.

Quantitative research on cyber reinsurance and cyber ILS

Braun et al. (2023) [31] explored the feasibility of cyber ILS by assessing investor preferences and economic viability. The researcher found that investors favor short maturities, high multiples, low model risk, and funded formats for cyber ILS. The cost of transferring cyber risk through ILS was higher than traditional cat bonds, indicating a need for better cyber risk models. The study concludes that while there is potential for a cyber ILS market, its growth depends on improved understanding and modeling of cyber risks. Eling et al. (2023) [32] analyzed the U.S. cyber insurance market to understand the effects of the 2017 Base Erosion and Anti-Abuse Tax (BEAT) reform on the supply of cyber insurance. Using difference-in-difference analysis and empirical tests, they found that insurers exposed to BEAT experienced significant drops in the growth rate of cyber premiums and market shares, highlighting the unique impact of BEAT on cyber insurance. The study also identified that heavy tails, uncertain loss distributions, and significant information asymmetry in cyber risks contribute to higher reinsurance prices, affecting the overall supply and pricing dynamics in the market. Also, focusing on the U.S. cyber insurance market Xie et al. (2020) [8] analyzed the offerings and performance. This research analyzed the determinants of cyber insurance participation, the amount of coverage offered, and the performance of current cyber insurers. Specifically, insurers with more intensive use of reinsurance were found to have a higher number of cyber covers. Furthermore, reinsurance has a significant impact on the coverage offered. These results show that sustainable development of the cyber reinsurance market is essential for the comprehensive growth of the overall cyber insurance market.

In their study, Cole and Fier (2021) [29] analyzed the interconnections among cyber insurance market participation, market trends, and company-specific characteristics concerning performance utilizing a cyber dataset. Focusing on the reinsurance sector, researchers have observed that insurers involved in the cyber market exhibit distinct traits. Specifically, these insurers appeared larger, wrote a higher proportion of commercial and long-tail lines, displayed increased diversification, and demonstrated a higher utilization of reinsurance. This finding underscores the crucial role of reinsurers, as these larger insurers are highly dependent on reinsurance’s capacity to manage the complexities and risks associated with their expansive and diversified cyber insurance portfolios. Skeoch and Ioannidis (2024) [6] conducted Monte Carlo simulations of an artificial cyber insurance market, addressing the information asymmetry between market participants. Their study indicates that when loss expectations are not shared, the limited participation of reinsurers could lead to higher premiums and a lower overall capacity in the cyber insurance market. This finding is partially consistent with the information asymmetries from Eling et al. (2023) [32].

Qualitative research on cyber reinsurance and cyber ILS

Johansmeyer and Mican (2022) [33] conducted a study to understand the ILS market's interest in cyber re/insurance, engaging with 24 ILS funds representing 78% of the market. They used interviews to gather insights on the funds' perceptions and readiness to trade in the cyber (re)insurance sector. The study found a general openness to cyber re/insurance, with 71% of respondents expressing interest and some already engaged in transactions. Key barriers included pricing, structure, and modeling reliability, but there was a willingness to overcome these if the economics were favorable. Cremer et al. [27] investigated how re/insurers perceive cyber risk in a mixed methods study of the cyber insurance war exclusions clause. The authors used a thematic analysis approach to examine the war exclusion clauses of 41 cyber insurers and supplemented the results with semi-structured interviews with cyber (re)insurance experts. As a result, the study highlights weaknesses in the current insurance landscape, the importance of cyber war risks, how the insurance industry addresses them, and how they are currently perceived. Regarding the perception of cyber risks, Johansmeyer, T. (2024) [34] examined whether these risks correlate with financial markets and affect the availability of capital for cyber re/insurance. The author used a mixed-methods approach, combining historical data analysis and interviews with ILS market participants. The study found that while some ILS managers view cyber risks as correlated with financial markets in extreme cases, others see little to no correlation. Despite these differing views, there is potential for growth in the cyber ILS market, as many participants are willing to invest, viewing cyber risks as diversifying like property-catastrophe risks. This suggests that managing perceptions of correlation could enhance capital inflows into the cyber (re)insurance market.

Mott et al. (2023) [5] focus on the relationship between the cyber insurance market and ransomware, offering perspectives on the potential impact of cyber insurance on enhancing cybersecurity. Through interviews and workshops involving 96 professionals from diverse cyber-related domains, the authors identified ransomware as a leading catalyst for hardening the cyber insurance market. The results demonstrate that cyber insurance can serve as a governance mechanism to bolster cybersecurity practices within organizations. However, despite its potential benefits, this research reveals that the hardening market poses challenges that hinder the broader adoption and penetration of cyber insurance. Also, with a cybersecurity aspect, Johansmeyer examined the role of cyber model vendors in bridging the cyber insurance protection gap through qualitative interviews and literature reviews. The findings indicate that these vendors substantially enhance the accuracy of cyber risk assessments, enabling insurers to better understand and price risks. Despite these benefits, the study also identified challenges, such as the rapid evolution of cyber threats and the necessity for continuous model updates. Johansmeyer, T. (2024) [35] explored the role of cyber model vendors in addressing the cyber insurance protection gap through qualitative interviews and literature reviews. The researcher found that these vendors significantly improve the accuracy of cyber risk assessments, aiding re/insurers and ILS in better understanding and pricing risks. However, the study highlighted challenges such as the rapid evolution of cyber threats and the need for continuous model updates.

Relation to existing literature

This research paper presents a novel focus on the cyber reinsurance and ILS market, distinguishing it from previous studies. The paper employs thematic analysis through semi-structured interviews with representatives from reinsurers and reinsurance brokers. It contributes to the literature on cyber risk management and cyber insurance by offering a comprehensive analysis of the risk transfer value chain from the reinsurance perspective. A unique aspect of this paper is examining how reinsurers perceive and manage the accumulation of cyber risks and how alternative risk transfer solutions provide additional capacity. This perspective on cyber reinsurance offers valuable insights into the domain aspects of cyber insurance and risk management. As a benchmark for future comparative analyses, this study significantly enhances our understanding of reinsurance in the context of cyber insurance.

Cyber risk transfer market

Cyber reinsurance market

The cyber insurance market faces structural challenges. High cession rates and a limited supply of non-proportional structures may not sufficiently support the evolving risk landscape [36]. To address rising claims activity and underlying rate increases, reinsurers have begun to limit their exposure by lowering loss ratio caps on proportional treaties and raising attachment points for aggregate stop-loss programs [37]. These adjustments, intended to reduce exposure, have resulted in less efficient reinsurance structures compared to previous models [36]. Consequently, cedants are seeking alternative structures and soliciting new capital in the market [27].

Traditional reinsurance risk transfer predominantly occurs through standalone cyber contracts. The market composition is approximately 10% multi-line, 80% proportional, and 5% non-proportional standalone cyber [38, 39]. Reinsurers favor proportional treaties (quota share treaties) because they reduce capital requirements and provide commission support for the significant investment needed to develop robust underwriting processes for cyber insurance. However, the non-proportional cyber reinsurance market could be under pressure due to the limited number of specialist reinsurers, resulting in a lack of capacity, especially for larger programs where multiple cedants are involved [40, 41].

Overall, the reinsurance market remains tough, and reinsurers’ ability to transfer part of their risk through retrocession is limited [42]. Most cedings are concentrated among the largest global reinsurers and the Lloyd’s market [36]. In summary, while the cyber insurance market shows promising growth and potential, it faces significant structural and capacity challenges. Overcoming these issues could require innovative approaches and continuous development of reinsurance structures to cover the rapidly changing risk landscape adequately.

Cyber ILS market

The cyber cat bond market is experiencing significant growth, highlighted by numerous noteworthy issuances reflecting the sector's evolving landscape. Reinsurers and insurance companies are actively addressing cyber risks and related exposures. The following data, is presented in chronological order:

• Beazley stands out with a series of cyber cat bonds under the Cairney name, reflecting a strategic layering of risk transfer solutions. The original Cairney bond, valued at USD 45 million, was issued in January 2023, followed by the Cairney II bond, a USD 20 million issuance in May 2023. The Cairney III bond, valued at USD 16.5 million, was issued in September 2023. The Cairney series was issued as private bonds (as opposed to 144A transactions (Rule 144A refers to the type of placement or offering of securities, particularly relevant in the context of catastrophe bonds. Most cat bond transactions are issued under Rule 144A, making them more liquid compared to alternatives like cat bond lite or privately placed cat bonds. Although Rule 144A governs the resale of securities, it typically involves broker-dealers or investment banks initially purchasing the cat bonds and then reselling them to qualified institutional buyers (QIBs). This rule enhances liquidity by allowing QIBs to trade these securities among themselves, which benefits the overall cat bond market [43] Artemis. “Rule 144A Catastrophe Bond.” https://www.artemis.bm/glossary/rule-144a-catastrophe-bond/ [accessed 06.10., 2024)..)]. The trigger type of the series is indemnity [44].

• AXIS Capital’s Long Walk Reinsurance Ltd issued a bond in November 2023 with an issuance volume of USD 75 million. This issuance was the first 114A cyber catastrophe bond. The trigger type of the bond is indemnity [45].

• Polestar Re Ltd (Series 2024–1) followed in December 2023, building on Beazley’s earlier initiatives in the cyber cat bond market. The bond has an issuance volume of USD 140 million. The bond was issued as a 144A transaction, and the trigger type is indemnity [46].

• Swiss Re's participation is demonstrated through the Matterhorn Re Ltd bond, a USD 50 million issuance based on an industry loss index (namely Cyber Loss List/US Cyber Industry Loss [43]) of CyberAcuView and PERILS. The format in which the transaction took place was 144A [47].

• Chubb's engagement in the market is marked by the East Lane Re VII Ltd bond, valued at USD 150 million, in December 2023. The bond was issued as a 144A transaction, and the trigger type is indemnity [48].

• With its Cumulus Re (Series 2024–1) cloud bond in April 2024, Hannover Re has taken out USD 13.75 million in protection against major cloud outages. Cumulus Re was issued as a private bond with a parametric trigger [49].

• PoleStar Re Ltd (Series 2024–2) and (Series 2024–3) are additional bonds from Beazley. These were issued in May 2024, in the amount of USD 140 million, and in September 2024, in the amount of USD 210 million. The 114A format and indemnity triggers are maintained in both of these bonds [50].

The cyber cat bond market is marked by significant issuances from cyber insurers and reinsurers.

Method

This study employs a mixed-methods approach to analyze the reinsurance industry’s perception and evaluation of cyber risk within the broader framework of risk transfer. It also evaluates how reinsurers manage their aggregated cyber risk while exploring alternative risk transfer methods such as PPPs, ILS, and captives. Given the dynamic nature of cyber risks, a significant requirement remains for an increased focus on qualitative research to bridge gaps in knowledge. The existing research lacuna becomes evident through the “Related works” section, which emphasizes the need for reinsurer interviews to better understand cyber risk aggregation and liability for interdependent industries or interdependent cyber incidents. For the visibility of such information, interviews can be used to provide information on cyber insurers' design and risk management practices [51]. In addition, the experiences and perspectives of experts can help gather qualitative data on perceptions of cyber risk in reinsurance, which can be used by academia.

Collecting qualitative data through semi-structured interviews is central to this research. These interviews, conducted online via video conferencing tools, are designed in line with the methodological recommendations of Bampton and Cowton [52] and Newcomer et al. [53]. This approach is particularly advantageous, as it allows for open-ended questioning, enabling industry experts to express their insights and provide detailed responses freely [54]. The relevance and effectiveness of semi-structured interviews in cyber insurance have been evidenced by prior studies such as those by Cremer et al. [14] and Woods and Böhme [12], among others. Semi-structured interviews offer a practical approach to collecting primary data from expert knowledge, enriching the research with in-depth, field-specific insights [55].

Cyber experts from reinsurers and reinsurance brokers were chosen for the semi-structured interviews. This approach is not arbitrary; it stems from acknowledging that these entities play a central role in the functioning of the reinsurance market [56]. Reinsurers, who represent the supply side of the cyber reinsurance market, are essential. They extend their financial capacity to primary insurers, enabling them to underwrite more substantial contracts and address more considerable risks [57]. In addition to financial backing, reinsurers engage in risk diversification through retrocession and capital market tools, such as the ILS [58]. On the demand side, the study involves reinsurance brokers who embody the aggregated customer perspective. Their role as crucial intermediaries between primary insurers and reinsurers is essential in the industry [59]. They ensure that reinsurance protection is adequate and reasonably priced for their clients [56]. The selection of these interviewees proved to be a crucial aspect of the study. It enables the collection of comprehensive insights, particularly regarding how cyber reinsurers perceive and manage cyber risks. This approach provides a balanced view of the market's supply and demand sides. It ensures an in-depth understanding of the cyber reinsurance sector.

The strategic selection and invitation of cyber experts for interviews in the German reinsurance market represent a methodological? approach aimed at tapping into one of the world’s largest reinsurance markets. The German reinsurance market is recognized internationally for its size and significance [60]. Therefore, a primary search for participants was conducted in this country. The process began with identifying suitable candidates through the German Federal Financial Supervisory Authority (BaFin), which oversees reinsurers and primary insurers operating in Germany. Publicly available information from BaFin was vital in identifying 24 reinsurers, with data on the business sectors, the headquarters' home country, and company addresses [61]. Furthermore, 18 international contacts were generated through the Cologne Research Centre for Reinsurance [62]. Moreover, reinsurance brokers who had published their cyber insurance reports were also taken into account, in addition to the contact information received. This comprehensive approach ensured a well-rounded representation of cyber experts’ companies, reflecting the diverse and dynamic nature of the cyber reinsurance market.

Formal interview invitations detailing qualifications, research objectives, and relevant contextual details were sent to the identified companies. Upon accepting the interview request, participants received a preliminary briefing document 48 h prior to the interview. This document delineated the interview proceedings, the thematic domains under discussion, and anticipated commitments. The interviews were facilitated by Microsoft Teams or Zoom software, with the explicit consent of industry experts to record proceedings. Approximately 72 hours post-interview, an initial version of the interview transcripts was disseminated to experts for their perusal and input. These inputs could encompass additions, alterations, or deletions, culminating in the final version that experts would eventually endorse. From the initial pool of 42 companies contacted, a subset of 20 participants (represented by 9 reinsurer and 7 reinsurance broker) ultimately availed themselves of the interviews. The semi-structured interview sessions took place from November 2023 to January 2024. Each interview lasted one hour. The topic questions were as follows.

1. What requirements must primary insurers fulfill to obtain cyber capacity from reinsurers?

2. What information and data exchange exists within the cyber reinsurance life cycle between reinsurers and primary insurers?

3. Explain your perspective on cyber risk aggregation and liability for interdependent lines of business or interdependent cyber incidents in the context of reinsurance.

4. How do reinsurers diversify and assess their exposure to cyber risks?

5. Do you include the expert opinions of other stakeholders (e.g. cybersecurity and consulting) in your assessment?

6. Can PPPs offer a solution for cyber capacity? What are the barriers to PPPs addressing cyber risks, and how should such a solution be designed?

7. How do ILS impact cyber risk capacity in the market? Are there barriers that impede the additional capacity of the ILS, and if so, what would be necessary to solve them?

8. What impact do captives have on cyber capacity?

The interviewees received assurance that the recorded data would undergo an anonymization process. This process ensured the removal of any information that could reveal the interviewee’s identity or its affiliated company. Table 1 in this paper summarizes the expertise and experience of cyber experts who participated in the interview sessions. The experts, who operate internationally, come from the following reinsurance markets: Germany (11), the UK (5), Switzerland (2), the USA (1), and Bermuda (1). For a more comprehensive and intricate overview, refer to Section 1 in the " Appendix.

The research process commenced with the transcription of each interview, followed by coding eight specific questions using MAXQDA 2024 software [63]. This initial coding step allows efficient data retrieval during the subsequent analysis phase. Initially, the interview transcripts were marked, associating them with their corresponding questions from the interview guide, facilitating the systematic organization and presentation of all responses to their queries. Subsequently, the analysis adopted a thematic approach characterized by its inductive nature [64]. This process is illustrated in Figure 2. The researchers opted for this method to derive themes directly from the interview material, devoid of the constraints imposed by pre-existing theoretical concepts (Cho and Lee 2014). This approach was selected to maintain objectivity and impartiality in data analysis. By embracing inductive analysis, a predetermined coding framework was avoided, ensuring that the findings remained authentic and were driven by the raw data itself. This strategic choice proved particularly valuable in the research field, where the aim was to uncover new insights and uncharted patterns concealed within primary data [65].

Results

The following subsections present the results as a summary of the thematic analysis of respondents' answers to the semi-structured interviews. Each subsection is organized to address one of the listed questions and its corresponding thematic results. In this context, it should also be noted that reinsurers and reinsurance brokers have different perspectives on the insurance market and how it works. These nuances of the answers will be discussed in the section “Nuances in the responses of reinsurers and reinsurance brokers.” Table 2 shows the percentage of the complete dataset that each subsection of the results constitutes, based on the word count.

Requirements that primary cyber insurers must fulfill to obtain capacity from reinsurers

Three main themes emerged in analyzing the requirements that primary insurers must meet to gain access to cyber reinsurance capacity. These issues are closely interconnected, making it difficult to separate them clearly. The first theme is transparency. Reinsurers greatly value developing an in-depth understanding of how primary insurers model and aggregate cyber risks. This process includes defining the risk appetite and understanding the specifics of the business plan. It also encompasses policy-level data, experience data, and detailed insights into cyber risks. The design of insurance products and the determination of pricing are also crucial. Primary insurers must elaborate on how their cyber insurance products are structured, encompassing conditions, limits, and exclusions. The methodologies used for pricing and the underlying criteria are equally important as they lay the foundation for risk assessment. In this regard, reinsurers emphasized that clear and transparent communication about underwriting and risk management is essential. The ability to select and diversify risks is also an important aspect. Primary insurers must demonstrate their ability to differentiate between good and bad risks. A diversified portfolio ensures a balanced risk distribution across geographical locations, sectors, and company sizes. In this context, most reinsurance brokers believe that there is no definitive line between what is necessary and what is desirable. However, a more comprehensive provision of data can lead to more favorable terms and increased capacity. This high level of transparency is demanded due to the cyber market’s dynamic and constantly evolving nature.

The second theme relates to primary insurers’ personnel. It underscores how important it is for reinsurers that primary insurers have the appropriate infrastructure and specialized teams to manage cyber risks effectively. Particularly in underwriting, i.e. risk assessment and policy design, reinsurers place great value on the experience and expertise of underwriters. It is emphasized from the reinsurance side that these professionals should have general and specific cyber insurance knowledge. It includes a deep understanding of the unique risks associated with cyber policies and up-to-date knowledge of trends and threat scenarios in cyberspace. Some reinsurers express concern about the current shortage of qualified cyber underwriters. They underline that the number of these professionals is limited, while the demand for them remains high. Many experts consider these underwriters essential for developing and sustaining a robust and expanding cyber insurance market.

The final key theme of this section focuses on service networks. Recognizing the challenge, primary insurers struggle to cover the full spectrum of cyber risks independently. Therefore, it is affirmed how important it is for primary insurers to demonstrate their ability to manage specific cyber incidents effectively. Reinsurers expect detailed information on claims handling and incident response. A fast and effective response to cyber incidents is considered essential. It requires specialized networks that can manage claims efficiently and professionally. The core capabilities of these networks include the ability to respond quickly to incidents, the implementation of suitable measures to minimize losses, and the precise documentation and assessment of loss events. The involvement of internal and external experts skilled in addressing the technical and legal aspects of cyber losses is of great importance.

It was evident from the interviews (including perspectives from both reinsurers and reinsurance brokers) that some reinsurers struggle to independently assess cyber risks. Instead, they tend to follow an experienced market leader and then set their internal risk management limits to align accordingly.

Information and data exchange between the cyber reinsurer and the primary cyber insurer

The study identifies risk management and policy design as one critical theme in the context of information and data exchange in cyber reinsurance. The research participants, especially the reinsurance brokers, highlight that cyber reinsurance demands a significantly higher granularity and variety of data than traditional insurance areas. This requirement for data collection extends to individual policy data, details of coverages and sub-limits, and specific information on risks. These risks include network security, privacy issues, and regulatory penalties. Additionally, the collection process includes unique data points, like information on cloud services and specific control mechanisms for managing cyber risks. Equally crucial is the regular exchange of data on portfolios and loss events, which should cover detailed information on policies, industry affiliations, geographical distribution, and the structure of insurance programs. The answers in the interviews showed that the availability of data plays a major role. It also showed that cyber reinsurers are less concerned about non-liability, but rather about large cyber catastrophe events with a long run-off.

Another theme of data exchange in cyber reinsurance pertains to the provision of portfolio and claims data for modeling and risk assessment processes. Reinsurance companies seek comprehensive information on the primary insurer's cyber portfolio, including detailed claims data. Distinguishing between losses directly attributable to the policyholder (first-party losses) and those caused by third parties (third-party losses), as well as between ransomware and non-ransomware losses, is particularly important. The availability of such precise data allows reinsurers to assess risk and offer appropriate reinsurance capacity more accurately. However, modeling and risk assessment in cyber reinsurance pose challenges, as historical data is often limited, and risks constantly evolve. Reinsurance companies generally expect primary insurers to utilize advanced models for catastrophe modeling, and the results of these models are often shared with reinsurers to create a common basis for risk assessment. During the renewal process of insurance contracts, there is an intensification in the exchange of information and data. In this stage, primary insurers are expected to provide up-to-date information about their portfolio, changes in underwriting strategy, and current claims data.

Aggregation of cyber risks

In the thematic analysis of the aggregation of cyber risks in reinsurance, three distinct subject areas were identified as particularly important. The first theme focuses on modeling cyber risks, which experts deem a critical and indispensable component of risk management in the insurance industry. A common agreement among interviewees is that, despite their limitations, models are essential tools for decision-making. However, the challenges of modeling cyber risks were also underscored. A significant issue is cyber threats' dynamic and ever-evolving nature, necessitating continual updates and adaptations of models to maintain relevance. This need for ongoing adaptation renders modeling a complex and often uncertain process. Interviewees noted the difficulty in developing effective and accurate models due to the regular emergence of new threats and attack vectors. A crucial insight from the interviews is the integral role of vendor models and external assessments in the modeling process, which industry leaders employ to benchmark risk aggregation potential. These external models provide a foundational assessment, yet each company ultimately conducts its risk evaluation, highlighting the importance of individual risk assessment and internal expertise.

The second topic theme explores cyber as both an insurance line and a hazard. Here, the risk perception of cyber threats emerged as a central theme. Experts presented diverse perspectives on the scope and severity of cyberattacks. While some highlighted the limited likelihood of large-scale cyberattacks and the importance of rapid I.T. system response and recovery capabilities, others emphasized the unpredictability and rapidly evolving nature of cyber risks. This unpredictability and evolution make cyber risks a unique and complex challenge. Another aspect of this theme was the industry-dependent exposure to cyber risks. Industries like retail, which handle vast amounts of personal data, face heightened cyber incident risks. Recognizing industry-specific vulnerabilities and shared technologies or service providers, leading to increased common risks, was also discussed. The evolution of the cyber risk profile, shifting from a focus on viruses to vulnerabilities in widely used software and services, necessitates ongoing adaptation in risk assessment strategies.

The last central theme identified in the aggregation of cyber risks in the reinsurance industry is portfolio diversification. Here, the discussion focuses on the strategies and challenges of managing insurance portfolios, including cyber risks. One key aspect emphasized in the interviews is the differentiation between independent and interdependent risks in different business areas. The experts explained that cyber risks are often modeled in isolation from other business lines, with the interviewee viewing the correlation between cyber and other risks very differently. This reflects the difficulty in adequately capturing the complex nature of cyber risks and their potential impact on different business areas. The discussion also extends to the emergence of accumulation clusters in portfolios caused by industry-specific risks and dependencies. This situation requires effective portfolio management and the modeling of such risk structures in order to understand and manage risk exposure adequately. Reinsurance experts emphasize the importance of sophisticated portfolio management, which can identify such risk concentrations and take appropriate measures. A more in-depth look at diversification is provided in section “Diversification of cyber risks.”

A critical side theme raised in the interviews concerns reinsurance strategies in the context of cyber risks. It is described that both proportional and non-proportional reinsurance treaties are used in cyber reinsurance, with all parties stating that approximately 90% of the treaties are proportional. Particular emphasis was placed on the increasing importance of event covers, which aim to aggregate and cover specific cyber events. These approaches reflect the constant adaptation and refinement of strategies to manage cyber risks in the insurance industry.

Diversification of cyber risks

The thematic analysis identified four crucial subject areas in diversifying cyber risks within the reinsurance domain. Similar to previous vital topics, the lines between these areas are not rigid but fluid. The first theme centers on geographical diversification. Despite the global nature of cyber risks, as the internet transcends geographical boundaries, experts underscore the significant role of geographical factors in risk diversification. This stems from varying legal and regulatory frameworks across countries, which can markedly influence the impact of a cyber event. For instance, the experts noted the differing legal implications of data breaches, with strict data protection laws in the U.S. potentially leading to different legal consequences compared to countries with less stringent regulations. Additionally, the national language is believed to impact the creation of standardized malware, making geographical diversification a vital consideration for reinsurers in cyber risk assessment. It underscores the necessity for a region-specific approach in evaluating risks. One interviewee suggested that large technology companies, such as Microsoft, use geographic diversification to provide services 24/7 worldwide. This strategy enables companies to continuously work on solving problems or averting threats in the event of a cyber incident. This would make large, non-liability events more manageable and calculable.

The second theme is the diversification of cyber risks across different sectors and company sizes. All surveyed reinsurers emphasized the distinct vulnerabilities and cyber risk approaches inherent to different industries, advocating for a sector-specific perspective to achieve effective risk diversification. This approach extends to companies of diverse sizes—small, medium-sized, and large corporations—each characterized by unique technology usage, cloud service preferences, and cybersecurity budgets, shaping their risk profiles. Spreading risks across various sectors and company sizes is crucial for maximizing risk diversification effectiveness and ensuring a balanced risk distribution.

The third theme revolves around diversification by technologies and service providers. According to the interviewees, diversifying across different technologies and providers, including various operating systems and cloud services, is fundamental in assessing and mitigating cyber risks. The primary objective here is to reduce risk exposure by leveraging a wide array of technologies and providers, underlining the importance of not solely relying on a single technology provider. Geographical diversification of technology further amplifies this principle, signifying the importance of utilizing varying I.T. systems and service providers across different global regions. One of the research participants provided an example of this concept:

“In the healthcare sector, cyber risks within the network of private providers in the United States may differ significantly from those encountered in more centralized systems, such as those prevalent in Germany or China.”

The last theme is diversification through setting limits and risk controls by reinsurers. All the reinsurance experts surveyed confirmed that they use strict limits and capacities to assume cyber risks. A growing focus on smaller commercial and private segments aimed at better overall risk control has been observed in recent years. Avoiding substantial individual risks effectively manages the portfolio's overall risk. Reinsurers diversify their portfolios by participating in various products with different degrees of involvement, such as quota shares or excess loss insurance. This approach spreads risk across different contracts and market segments, leading to a more balanced risk distribution and enabling reinsurers to better control and manage their overall cyber risk exposure.

In addition to these key themes, the analysis also addressed challenges in diversifying cyber risks. Experts highlighted the complexity of diversification due to the global nature of the internet and the extensive interconnectedness of companies and services. Many companies operate internationally with partners across different countries, making geographical diversification of cyber risks intricate. The global reach of cyberattacks, capable of affecting multiple countries and companies simultaneously, presents a significant challenge for risk diversification, as it elevates the likelihood of concurrent events in various segments or regions.

Inclusion of expert opinions from other stakeholders in the assessment

The thematic analysis revealed small interconnected subject areas with distinct characteristics, although some did overlap. To communicate the themes of these findings, the results are summarized in Table 3.

To enhance academic rigor and clarity, the results from sections “Requirements that primary cyber insurers must fulfill to obtain capacity from reinsurers” to “Inclusion of expert opinions from other stakeholders in the assessment” are summarized in the Fig. 3.

Private–public partnership as a solution for cyber capacity

Three key themes have emerged in exploring the opportunity to provide a cyber capability solution for PPPs and the barriers they face in managing cyber risk. The first theme centers on the viability of PPPs for addressing the complexities and challenges inherent in cyber capacities. The interviewees highlight the promise of PPPs in offering effective solutions for scenarios where the risks are too substantial or uncertain for the private sector to shoulder independently. For instance, an interviewee cited the potential usefulness of PPPs in extreme situations such as cyber warfare or major infrastructure breakdowns, underscoring their role in such critical circumstances. Furthermore, conversations during the interviews reveal a perception that PPPs combine the resources and expertise of the public and private sectors, thereby creating a more robust and agile framework to confront cyber threats. This collaborative approach is considered particularly crucial, given the escalating sophistication and frequency of cyberattacks, which often exceed the isolated capabilities of individual organizations.

PPPs could provide alternative capacity, particularly in areas where the private sector lacks the resources or appetite to cover significant risks. They offer a mechanism to pool resources, share risks, and leverage the strengths of both public and private entities. This is especially relevant for catastrophic risks, where the involvement of the state can help to stabilize markets and provide the necessary backstops. Interviewees noted that integrating insights from government, insurance, cybersecurity, and technology sectors is essential to building a comprehensive approach to risk management. By pooling expertise and resources, PPPs can address the complexities and uncertainties of modern cyber threats more effectively.

The second topic addresses the barriers and challenges to the establishment of PPPs. The political willingness and regulatory complexities involved in establishing PPPs are a significant concern. One interviewee pointed out, “PPPs often fail due to a lack of political will,” indicating that political support and alignment are crucial for the success of such partnerships. However, it highlighted a concern that implementing PPPs might result in the private insurance industry’s inability to insure such risks sufficiently. According to certain interviewees, this potential shortfall could be a significant loss of trust in the private insurance system. Another challenge lies in defining the scope and limits of PPP intervention. The global nature of cyber risks, transcending national boundaries, adds to the complexity of implementing country-specific PPPs. Most respondents who discussed the difficulty in creating clear and universally acceptable definitions for cyber events triggering PPP intervention highlighted this aspect.

Additional barriers include market distortion, where government involvement might disincentivize companies from purchasing private insurance due to the expectation of government bailouts. The uncertainty around risk models, particularly in cyber insurance, also presents a challenge. Interviewees noted that the lack of confidence in these models' outputs can hinder the effective implementation of PPPs. Moreover, there is hesitance from both governments and insurers; governments may be reluctant to intervene in areas manageable by the private sector, and insurers fear increased regulation.

The third theme focused on solutions for the establishment of PPPs. The experts recommend some possible strategies to establish the PPPs in the realm of cyber capacities. First, they highlight the importance of establishing clear frameworks and guidelines. One interviewee emphasized that “PPP should have clear guidelines and structures,” underscoring the necessity for well-defined roles and responsibilities within the partnership. Another proposed approach is to draw from existing models in other sectors, such as natural disaster pools (e.g. Flood Re or Pool Re), and tailor them to address cyber risks. Furthermore, the identification of inclusivity as a fundamental factor deems it crucial for the success of PPPs to involve a wide range of stakeholders, including technology companies, cybersecurity experts, and governmental agencies. This all-encompassing approach ensures a comprehensive understanding of cyber risks and enhances the effectiveness of response strategies.

Establishing PPPs also requires incentivizing participation, perhaps through minimal coverage options or registration programs that encourage broader involvement. Experts suggested that flexible frameworks, similar to terrorism pools, could handle various types of risks and incidents. By addressing these challenges with innovative and collaborative solutions, PPPs can enhance their capacity to manage the complex landscape of cyber threats.

Insurance-linked securities as a solution for cyber capacity

Concerning ILS, three main themes have been identified that are comparable to those noticed in PPPs. The first theme examines whether ILS provides a solution for augmenting cyber capacity. Respondents agree that the additional capacity created by ILS could enrich the cyber insurance market. Initial transactions have generated growing interest from investors and customers, signaling the potential for ILS to provide much-needed additional capacity in the cyber insurance market. However, the transformative impact of ILS on cyber capacity has been limited so far. While the market is witnessing an influx of new capital, this has not significantly changed the overall capacity or dynamics of the cyber insurance market. Despite the potential, the implementation and realization of ILS in cyber risk management are in the early stages, and the market is still exploring the best ways to leverage this mechanism.

Cyber ILS remains in its early stages, showing promise but facing challenges in establishing itself as a robust alternative to traditional reinsurance. Although early transactions have piqued the interest of both investors and customers, signaling potential, the transformative impact on overall cyber capacity has yet to be realized. The market's influx of new capital is encouraging, yet it has not significantly altered the landscape of cyber insurance capacity or dynamics.

The second theme concerns the various barriers and challenges faced in adopting ILS in cyber risk management. A primary concern is the lack of investor understanding and confidence in cyber-related ILS products, compounded by the nascent stage of models used to assess cyber risks. The complexity of these risks and the novelty of the concept contribute to investor hesitancy. Additionally, there is apprehension about the potential correlation of cyber events with broader market movements. Investors are wary of significant cyber events impacting stock markets and increasing volatility, which reduces the attractiveness of these instruments. Moreover, the complexity of structuring suitable ILS products for cyber risks, especially considering first and third-party liabilities, poses a significant challenge. Another issue that needs addressing is developing products that do not tie up capital for extended periods (third-party liability) and offer efficient investment vehicles. Interviews confirmed that investors have not been interested in tying up capital for many years due to liability losses.

Investors' limited understanding of cyber risks, compounded by immature models, undermines their confidence in cyber ILS products. Cyber risks' dynamic and multifaceted nature further complicates modeling efforts, posing a significant barrier. Additionally, the lack of clear event definitions and the perceived correlation with broader financial markets contribute to investor hesitancy. Investors are cautious about the potential impacts of major cyber events on stock markets and the associated volatility. The disconnect between buyer and investor expectations in terms of product structure also remains a barrier, as does the need for products that do not lock up capital for extended periods, especially in the context of third-party liabilities.

The third theme addresses possible solutions for positioning ILS as a sustainable extension of cyber capacities. In order to effectively integrate ILS into cyber risk management, several strategies must be applied, according to the experts. Firstly, improving the models for cyber risk assessment and developing clear, comprehensive event definitions are crucial. This would help price the risks accurately and structure the ILS products more effectively. Secondly, educating investors about the nuances of cyber risks and the potential returns from cyber ILS can help attract more capital to this area. Additionally, diversifying investment portfolios to include cyber risks alongside traditional natural catastrophe risks can enhance the appeal of ILS to investors. Another strategy involves adopting flexible and innovative approaches in product design. For instance, introducing clauses to commute capital and allow for the release of funds in specific scenarios could make these instruments more attractive to investors. This innovation also includes focusing on products that efficiently use capital and understanding the unique nature of cyber risks, such as distinguishing between first-party and third-party events. Incremental growth and adaptation are also key, as the market is likely to see gradual growth in ILS for cyber risks, accompanied by a learning curve for insurers and investors. Lastly, improving transparency and information standards on the part of the insurers can significantly benefit the ILS market, as a more informed understanding of the risks involved can lead to better structuring and pricing of ILS products.

From the interviewee's perspective, to overcome these barriers, the industry must focus on enhancing modeling techniques to improve accuracy and reliability in cyber risk assessments. Establishing clear event definitions will also play a critical role in aligning expectations and facilitating underwriting. Education efforts aimed at increasing investor understanding of cyber risks and potential returns from cyber ILS are essential. Encouraging diversification of investment portfolios to include both cyber and traditional risks can further attract investor interest. Moreover, developing innovative product structures, such as parametric covers and flexible capital release clauses, could increase the attractiveness of ILS. Incremental market growth, informed by learning and adaptation, is expected, and enhancing transparency and data sharing among insurers can support better pricing and structuring of ILS products.

Impact of captives on the cyber capacity

Only 25% of respondents in this section were able to provide a precise overview. Regarding the impact of captives on the cyber insurance market, respondents confirmed the growing presence of traditional insurance companies. However, the reinsurance market is unclear about the extent of this competition and its impact, although respondents agreed that it is taking premiums out of the market. The emergence of captives in cyber insurance responds to the inadequacies or high costs of the traditional cyber insurance market, indicating a necessity-driven market development. It has been confirmed that companies joining or setting up captives do not receive the desired level of coverage, find it too expensive, and prefer to bear the risk themselves. This also indicates that companies are confident enough to manage their own cyber risk. One interviewee stated that their company does not work with captives, considering them volatile and having more confidence in their cyber insurers. The consensus is that captives will continue to grow, but their impact on the broader insurance and reinsurance markets is seen as limited. While captives will continue to evolve, respondents are skeptical about their potential to influence the overall market.

To enhance academic rigor and clarity, the results from sections “Private Public Partnership as a solution for cyber capacity” to “Impact of captives on the cyber capacity” are summarized in Tables 4–6, categorized by barriers, causes, and/or solutions.

Nuances in the responses of reinsurers and reinsurance brokers

In general, the responses from reinsurers and reinsurance brokers were identical. However, there were a few nuances that are discussed in this section for the purpose of completeness. These fine differences result from the different perspectives that reinsurers and reinsurance brokers have on the insurance market. In addition, depending on the question and the position of the interviewee, each party was able to go into greater detail.

Reinsurance brokers showed a deeper knowledge and understanding in the question to the sections “Requirements that primary cyber insurers must fulfill to obtain capacity from reinsurers” and “Information and data exchange between the cyber reinsurer and the primary cyber insurer.” Almost all of the aspects listed were mentioned by the brokers. The answers showed that they operate with several cyber reinsurers that have different requirements and processes. As a result, the answers were more comprehensive and the statements (e.g. “a more comprehensive provision of data can lead to more favorable conditions and increased capacity”) had more substance.

With regard to results “Aggregation of cyber risks” and “Diversification of cyber risks,” reinsurers had a greater share of points. Reinsurers were therefore able to go into much greater detail on these two questions. This was reflected in the formation of the topics. Reinsurers’ answers often opened up new topic categories, which were then consolidated by repeated answers from other reinsurers. Reinsurance brokers also contributed, but their answers were usually not as specific.

Regarding the questions on ART, it was found that the interviewees from the reinsurance sector had a greater connection to PPP. This was evident in the answers to 5.6 (Private Public Partnership as a solution for cyber capacity). Here, the reinsurers showed a greater level of detail about the problems and solutions. The challenges addressed were mostly followed by proposals for solutions and concrete ideas for implementation. In the area of ILS for the answers 5.7 (ILS as a solution for cyber capacity), on the other hand, the reinsurance brokers were able to go into more detail. The brokers were able to show precisely that a significant barrier is still the understanding of investors, but that this is slowly being overcome through better understanding.

Discussion

This research presents a comprehensive analysis of the specific function of reinsurers in cyber insurance and alternative risk transfer approaches to provide additional capacity. The study reveals the stringent standards demanded of primary cyber insurers, highlighting the critical need for transparency in their underwriting and risk management processes. This transparency is indispensable for navigating the complex and dynamic cyber market, necessitating explicit, comprehensive communication strategies. Moreover, the study affirms the critical importance of specialized underwriting expertise in the cyber insurance sector, identifying an urgent need for professionals with in-depth cyber insurance knowledge and pointing out a significant gap in the availability of such experts. Furthermore, the research highlights the vital role of service networks in managing cyber incidents, stressing the need for efficient claims processing and responsive mechanisms, which necessitates the development of specialized networks adept at addressing the unique challenges of the cyber environment. Another key finding of this study is the diversification of cyber risks through geographical, sector-specific, and technology- and service-provider factors. This multi-layered approach shows that diversification is possible, particularly via the geography of cyber risks. Including expert opinions emphasizes the indispensable role of cybersecurity experts and advanced models and tools in assessing and mitigating cyber risks, collectively deepening the understanding of the cyber reinsurance landscape and its evolving complexities.

A significant theme that emerges is the predominance of proportional cyber reinsurance, coupled with the evolving role of event covers, in managing cyber risks. In both the interview findings and industry data, proportional reinsurance, such as quota share treaties, are highlighted as the dominant form of risk transfer in the cyber insurance market. These treaties account for approximately 90% of cyber reinsurance agreements, according to the interviews, with the industry data closely aligning, showing that 85% of standalone cyber contracts are proportional. However, the limitations in the non-proportional reinsurance market emphasize the need for continued innovation and capacity-building to ensure that insurers can effectively manage the complex and evolving risks associated with cyber events. By leveraging a combination of proportional treaties, event covers, and enhanced non-proportional reinsurance capacity, the industry can better protect against the financial impact of cyber incidents and support the continued growth of the cyber insurance market.

This study also analyzed the implementation and efficacy of alternative risk transfer solutions to augment traditional capacity. The findings indicate that PPPs should be crucial in managing sophisticated cyber threats, particularly in cyber warfare scenarios or major infrastructure outages. These partnerships, which pool resources from the public and private sectors, face challenges. The second theme from the findings emphasizes these challenges, such as political willingness and regulatory complexities. A lack of political support can significantly hinder the establishment and success of PPPs. Moreover, the global nature of cyber risks complicates efforts to create universally acceptable definitions for triggering PPP interventions, which is crucial for coordinated responses. Additional barriers include potential market distortions and uncertainties in risk models, which may cause reluctance among governments and insurers to fully engage in PPPs. Inclusivity is identified as essential for the effectiveness of PPPs. Engaging diverse stakeholders such as technology companies, cybersecurity experts, and governmental agencies is necessary to ensure a comprehensive understanding of cyber risks and develop effective response strategies. By incentivizing participation and adopting innovative solutions, PPPs can enhance their ability to navigate the complex landscape of cyber threats, thereby improving their overall capacity to protect critical infrastructure and maintain national security.

As another alternative transfer solution, the research identifies ILS as the most pragmatic and effective instrument for bolstering the cyber market’s capacity. The strategic introduction of ILS stands out as a promising solution with the potential to substantially broaden cyber capacity. Enlarging overall cyber capacity will lead to more favorable coverage options for policyholders who can more effectively address the evolving landscape of cyber risks. However, challenges are noted, such as investor understanding and confidence and developing suitable ILS products for cyber risks. This early-stage market requires further research into improving risk assessment models and investor education. The cyber catastrophe bond market is experiencing significant growth, marked by several notable developments that reflect the sector’s evolving landscape. For example, the current market size is approximately USD 660 million, underscoring the insights shared by industry experts.

The emergence of captives in the cyber insurance market is increasingly seen as a response to the high costs and inadequacies of traditional insurance options. While only 25% of respondents could provide a detailed analysis of the impact of captives, there is a consensus on the growing presence of traditional insurance companies. Despite this growth, the reinsurance market remains uncertain about the extent of captives' influence, though it is acknowledged that they are drawing premiums from the market. Many companies setting up captives find them lacking in coverage and too costly, prompting them to manage risks independently. This trend suggests companies are becoming more confident in handling their own cyber risks. However, some industry professionals view captives as volatile and maintain greater trust in established cyber insurers. Although captives are expected to grow, their impact on the broader insurance and reinsurance markets is anticipated to be limited. While captives represent a necessity-driven development in risk management, their ability to reshape the entire market is viewed with skepticism.

This research encompasses certain limitations. Primarily, it analyzes reinsurers’ strategies for managing cyber insurance and explores alternative risk transfer methods to enhance capacity, drawing insights from semi-structured interviews with reinsurance experts. It should be noted that the opinions collected are from the perspective of cyber reinsurance professionals, and there are other points of view that have not been explored. For a more holistic understanding of cyber insurance, it is imperative to consider perspectives from diverse stakeholders throughout the risk transfer value chain. Methodologically, this study employed semi-structured interviews, allowing participants to offer in-depth and considered viewpoints. However, it is essential to acknowledge that the flexible nature of these interviews could introduce variability in question sequencing or potentially lead to the exclusion of specific queries, potentially impacting the consistency and reliability of the data collected. Moreover, given the rapidly evolving landscape of cyber threats, there is a risk that the insights gleaned from these interviews might become outdated, reflecting the dynamic and ever-changing nature of cyber risks and insurance.

This paper shows that the reinsurance industry is actively addressing cyber risks through extensive and interdisciplinary strategies despite facing a scarcity of resources. It also emphasizes that the cyber insurance market is not sustainable and robust without reinsurance. It highlights that the current capacity provided by reinsurers is sufficient to maintain the cyber insurance market as it stands. However, this capacity is inadequate for fostering market growth or enhancing the level of protection offered to companies. A key concern is that if the market becomes more stringent, the already limited capacity would further decrease. This reduction in capacity would lead primary insurers to offer less coverage to their policyholders but at higher conditions and prices. Such a scenario would result in policyholders facing increased exposure to cyber risks and experiencing more significant gaps in their coverage.

Therefore, the paper emphasizes the critical need to integrate alternative risk transfer solutions. These solutions are vital for sustainably expanding the capacity, ensuring that the market can maintain its current state and growth, and providing enhanced protection against cyber risks.

This study provides significant insights to the academic and research community regarding reinsurers’ management of accumulated cyber risks and the consideration of alternative risk transfer mechanisms. It outlines the requirements for primary insurers, including the essential data needed to enable adequate capacity provision. The paper also illuminates the processes involved in aggregating and diversifying cyber risk accumulation, identifying the various experts contributing to this area. A detailed examination of alternative risk transfer solutions is presented, highlighting the prerequisites for their sustainable establishment as a method for expanding capacity and analyzing their impact from the perspective of the reinsurance industry. For the cyber insurance sector and its regulators, this research offers a thorough understanding of the dynamics of risk transfer at the final stage of the risk transfer chain. It clarifies the fundamental requirements for establishing a presence as a cyber insurer and entering this specific insurance market segment. Cyber reinsurers, in particular, will benefit from aggregated insights into the strategies employed by their peers in managing cyber risks and an overview of their collaborations with other service providers in the cyber field. The study also discusses the assessment and implications of alternative risk transfer options, providing crucial information about integrating ILS into capacity provisioning. Policymakers receive a detailed analysis of the current structure of cyber risk transfer within the reinsurance sector. The research points out the precise challenges that hinder effective risk transfer and highlights the insufficiency of the current capacity to facilitate significant growth in the cyber insurance market. The possibility of a reduction in market capacity could harm the availability and pricing of cyber insurance. Therefore, the study emphasizes the need to explore avenues, such as PPPs, to enhance security within the insurance industry and encourage the development of additional capacity.

Conclusion

Cyber reinsurance is critical in driving sustainable growth and increasing protection for companies in the cyber insurance market. This research involves creating and analyzing a dataset of interviews with cyber reinsurance professionals to understand how cyber reinsurance manages cyber risk accumulation and explores alternative risk transfer solutions to provide additional capacity. The results show that cyber reinsurers place high requirements on primary insurers to provide capacity. In addition, the results show that reinsurers can diversify aggregate and cyber risk accumulation across different factors, especially geographically. Furthermore, the research highlights the necessity of specialized underwriting expertise in cyber insurance, identifying a critical gap in the availability of skilled professionals. The results also show that the alternative risk transfer solutions ILS and PPPs can provide additional capacity for the cyber insurance market. For both areas, clear definitions and the scope of insurance coverage are necessary to establish these instruments in the insurance industry and among stakeholders. The development of captives is viewed critically but is a strong indicator that cyber insurance is not able to provide adequate insurance coverage for all companies. For policymakers, the study clarifies the risk transfer chain of cyber risks and how to shape it. However, it also shows that the insurance industry's current efforts are insufficient to promote a sustainable and robust cyber market with adequate coverage.

This research focuses on the cyber reinsurance market and contributes to the literature on cyber risk management and insurance. It is characterized by the analysis of the reinsurance perspective within the risk transfer value chain. The findings of this research are intended to fill the gap in qualitative cyber reinsurance research. Currently, there has been limited research focusing on cyber risks from the perspective of reinsurance. The resesearch contributes semi-structured interviews with ILS managers or quantitative work on cyber ILS. These findings enhance the academic and research community by offering a more comprehensive insight into the perceptions of reinsurers and identifying the essential elements necessary for effectively provisioning capacity in the cyber insurance sector.

Additional research is required to enhance cyber insurance comprehension and better understand how it interacts with various alternative risk transfer options. The study reveals several areas of potential future work, including analyzing possible alternative risk transfer solutions to increase capacity. In this way, the cyber insurance market could benefit from increased capacity, which helps policyholders obtain adequate insurance coverage and promotes a sustainable cyber market. From a quantitative perspective, the results can help adjust cyber models to incorporate the impact of alternative risk transfer and reinsurance. Additionally, future research could analyze how to support captives in bearing their own cyber risk and achieve a more significant influence.

Having the appropriate cyber insurance capacity and the ability to manage cyber risks effectively is crucial to keeping pace with the constantly evolving cyber threat landscape. Consolidating research findings from various aspects of cyber insurance can aid the insurance industry in fostering the growth of a sustainable cyber insurance market. This step would, in turn, enhance market efficiency and penetration, ultimately bridging the cyber protection gap.

Author contributions

Frank Cremer (Conceptualization [lead], Data curation [lead], Formal analysis [lead], Investigation [lead], Methodology [lead], Project administration [lead], Resources [equal], Validation [lead], Visualization [lead], Writing - original draft [lead]), Barry Sheehan (Conceptualization [equal], Formal analysis [equal], Methodology [equal], Project administration [equal], Supervision [lead], Visualization [equal], Writing - original draft [equal]), Martin Mullins (Conceptualization [equal], Formal analysis [equal], Investigation [equal], Methodology [equal], Project administration [equal], Validation [equal], Writing - original draft [equal]), Michael Fortmann (Conceptualization [supporting], Formal analysis [equal], Methodology [supporting], Supervision [equal]), Stefan Materne (Conceptualization [equal], Supervision [equal]), and Finbarr Murphy (Data curation [equal], Funding acquisition [equal], Resources [equal], Supervision [equal]).

Conflict of interest

On behalf of all authors, the corresponding author states that there is no conflict of interest.

Funding

No funding.

Appendix

References