Part 1 of the Cyber ILS Series
By David Ross, EVP of ILS & Capital
10 February, 2025
Introduction
Contrary to popular belief, cyber ILS has been around for nearly a decade, though the first transactions were limited to a few private collateralised reinsurance deals. Some of the initial deals were one-off purchases by cedants tentatively testing investor appetite, while others were sustained as recurring transactions. Insurance market participants have predicted for some time that the cyber ILS market will grow substantially from these modest beginnings, in terms of average deal size, overall market size, instrument types and distribution. The market has seen a noticeable uptick in this growth over the last 24 months, with 2023 ushering in the first cyber bonds and collateralised sidecars. While deals of the past were typically supported by a small investor pool, the most recent cyber bonds have been more widely syndicated, demonstrating a growing comfort level among investors.
In this series, we confront some big topics which potential investors typically may consider when assessing cyber ILS as an asset class. The content for the series has been written with the assumption that readers have some foundational knowledge of property catastrophe ILS including the underlying subject business, namely property insurance. Through these articles, we aim to challenge some of the preconceptions around cyber ILS by comparing it to property cat ILS. This will include an examination of the similarities in the underlying lines of business along with ways in which they differ.
What is Cyber Insurance?
This first instalment of the series focuses on the foundational question to which any investor will need a compelling and transparent answer: what is cyber insurance?
Cyber insurance can trace its roots back to the late 1990s when the first cyber liability policies were geared towards the information technology industry engaged in the management of systems and networks for consumers and businesses. Since then, policies have expanded to include first-party coverages and are now offered across all industry verticals to a diverse range of insureds on every continent. There is often a misconception that cyber coverage is ill-defined or amorphous. The reality is very different. Cyber insurance policy forms have matured over time with the transition to affirmative cover and increasingly standardised coverages offered by carriers in their products.
Below are the most common coverage areas one might expect to find in a commercial cyber insurance policy. We focus on commercial lines cyber (rather than personal lines), as commercial policies still account for the vast majority of premium and risk limit in the market (circa 85% of the worldwide total). Some insurers may use different nomenclature for certain coverage areas, group them under broader headings, or split them into finer categories. Not all insurers will offer all coverage areas and may pursue product differentiation in their insurance offering.
Common Coverage Areas
| No. | Coverage Area | Coverage Type | Description |
|---|---|---|---|
| | Core Coverages | | |
| 1 | Incident Response Expenses | First-party | Covers costs incurred by the insured during the initial impact of a data breach or network security breach. Examples of services covered include: · Legal Costs: the cost of engaging a privacy lawyer to advise on mitigating the loss and impact of a data breach. The privacy lawyer acts on behalf of the insured and provides advice during this initial period. Insurers commonly provide a hotline number that goes direct to the selected firm. · Notification Costs: the cost to notify all required individuals in the event of a data breach, depending on national or state regulation (US focused). · Credit Monitoring: the cost to provide credit monitoring services for affected individuals when required by regulation. · Investigation: the cost to have an IT forensic investigator come into the insured’s locations and investigate how, when, and why the cyber event occurred. · Crisis Management (Including Public Relations): the cost to set up a call centre if required, as well as working with the media and customers of the insured in the event of a data breach. |
| 2 | Privacy and Network Security Liability (Cyber Liability) | Third-party | · Covers the cost of investigations, defence and damages from liability claims made against the insured by various parties. · These will arise out of privacy breaches (loss of personal data) or network security events/security failure. |
| 3 | Regulatory Fines and Penalties | Third-party | · The cost to defend claims, as well as fines and penalties, by regulators (where allowed). · Includes the cost to defend and settle due to non-compliance (where allowed). · Fines can be levied by various governmental agencies at national or state level. |
| 4 | PCI Damages, Fines and Penalties Assessment and Damages | Third-party | · Covers costs incurred from assessments, fines or penalties imposed by banks or credit card companies due to non-compliance with the Payment Card Industry Data Security Standard (PCI DSS). · This coverage applies after a breach of payment card data from the insured. |
| 5 | Business / Network Interruption and Loss of Income | First-party | · Covers loss of income and extra expense incurred by the insured to avoid or minimise business shutdowns after a computer or network outage. · Triggers can range from an IT security breach through to full system failure (any unplanned outage). · Coverage is provided in excess of an hourly waiting period (typically 8-24 hours). |
| 6 | Data Damage / Recovery Expenses | First-party | · Covers the cost of reimbursing the insured for its expenses in reinstating its digital assets (such as data or software) following loss or damage to them. · These can be triggered by a range of events, including exfiltration of data, ransomware, or employee error. |
| 7 | Ransomware and Extortion | First-party | · Covers costs incurred by the insured to pay a ransom demand to recover access to its computer system, or to stop intentional leaks of exfiltrated data. · Triggered by a security breach involving deployment of malicious code. · Coverage is written on a reimbursement basis to manage compliance risk. |
| | Ancillary Coverages | | |
| 8 | Cyber Crime | First-party | · Covers electronic theft or the transfer of funds from the insured. · Cause of loss can be diverse, including various forms of social engineering and funds transfer fraud. · Cover can be provided for the insured’s own money or that of their clients (third-party theft). |
| 9 | Dependent Business Interruption and Loss of Income | First-party | · A type of supply chain coverage, often framed as an extension to core business / network interruption cover. · Responds to events at an insured’s service providers. IT service providers are commonly included. Coverage for non-IT service providers is occasionally granted. |
| 10 | Technology Liability | Third-party | · Covers the cost of investigations, defence and damages arising from a claim in respect of an error and/or omission in professional services provided by the insured. Also known as Technology E&O. |
| 11 | Reputational Harm | First-party | · Covers the cost to run a media and marketing campaign to retain or acquire customers in the event of a breach. · Can also be extended to cover any actual loss of income suffered from the loss of customers. |
| 12 | Media Liability | Third-party | · Covers the cost of investigations, defence and damages arising from defamation, breach of privacy or negligence arising from the insured’s dissemination of multimedia content. |
| | Rare Coverages | | |
| 13 | Property Damage | First-party | · Covers the cost to repair or replace physical assets and property of the insured, where an indirect or direct network security incident has caused physical damage to them. · This is typically a policy exclusion, but affirmative coverage may be granted in some policy forms. |
| 14 | Bricking | First-party | · Covers the cost to repair hardware, where an indirect or direct network security incident has caused physical damage to the insured’s computer systems, including data centres. |
Key Similarities
Standardisation in Coverage Areas
Across both lines of business, there is a degree of standardisation in coverage areas. This standardisation provides structure to the insurance offering. The benefit for (re)insurers is that risk can be controlled at the coverage area level by introducing structural features such as sub-limits, deductibles, coinsurance percentages, exclusions and so on. Insured losses can also be attributed to coverage areas, thereby enabling a direct mapping between exposures and losses.
Core Coverages
Across both lines of business, some coverage areas are considered core. For commercial property, we would expect to find separate sections for buildings, business personal property and business interruption in most policies (regardless of industry vertical or geography). Similarly, in commercial cyber insurance, we expect to find separate sections for the core coverages stated in the table above.
Structure and Model Calibration
The structure established by the coverage areas provides a foundation for quantitative analysis. Loss models can be calibrated from the aforementioned exposure and loss data. With sufficient data, one can parameterise models at the coverage area level, allowing for correlations between coverage areas within the same policy.
Catastrophe Exposure
Some coverage areas are intrinsically susceptible to catastrophe losses (defined as single loss events which cause an insured loss to more than one risk). By way of example, in commercial property, a hurricane could make landfall and cause damage to multiple insureds’ business premises, while simultaneously interrupting the business operations of these insureds. An analogy in cyber insurance would be a single strain of malware which could spread across the web, wiping data from multiple insureds’ computer systems. In this example, we would expect claims from initial response expenses, data restoration, business interruption and other coverage areas, impacting multiple insureds at the same time.
Individual Risk Exposure
Some coverage areas are less susceptible to catastrophe losses. We would expect a different risk profile for these coverage areas, dominated more by individual risk losses (not catastrophe losses). In commercial property, we might expect to find coverage for equipment breakdown (often included as an optional endorsement to the main policy). Natural perils are typically excluded from this coverage, thus removing much of the catastrophe exposure. An analogy in commercial cyber insurance would be cyber crime coverage, where social engineering is the dominant attack vector and which affects individual insureds, one loss at a time.
Common Risk Metrics
A corollary of the previous points is that both lines of business lend themselves to frequency-severity stochastic modelling approaches which consider both attritional and catastrophe losses. Indeed, commercially available models (and proprietary models built by underwriting companies) consider both loss types in tandem. The risk metrics investors are used to seeing in property ILS are readily available in cyber ILS too as byproducts from the modelling process. Expected loss, standard deviation, value at risk, tail value at risk, probability of attachment / exit / breakeven, exceedance probability curves and other risk metrics are commonplace within risk evaluation frameworks (both for individual deals and for entire portfolios) and with the same lingua franca.
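As an added illustration that is not part of the original article, the Python script below builds a simple frequency-severity simulation of annual aggregate losses for a hypothetical cyber portfolio (attritional claims hitting one insured at a time, plus rarer catastrophe events hitting many insureds at once) and derives the metrics named above for an assumed aggregate reinsurance layer. Every parameter, the layer and the breakeven definition (layer losses exceeding premium) are constructed assumptions, not calibrated to any real data.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Layer:
    """Assumed aggregate reinsurance layer: pays losses above the
    attachment point up to the limit, in return for a premium."""
    attachment: float
    limit: float
    premium: float


def poisson(rng, lam):
    """Knuth's method for a Poisson variate (the random module has none)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def simulate_annual_losses(n_years=10_000, n_risks=200, seed=7):
    """Annual aggregate loss for a hypothetical portfolio. Attritional
    claims (e.g. cyber crime) hit one insured at a time; catastrophe
    events (e.g. one malware strain) hit many insureds in the same year.
    All parameters are constructed for illustration only."""
    rng = random.Random(seed)
    years = []
    for _ in range(n_years):
        total = 0.0
        for _ in range(poisson(rng, 0.05 * n_risks)):       # attritional
            total += rng.lognormvariate(12.0, 1.5)
        for _ in range(poisson(rng, 0.1)):                  # catastrophe
            affected = rng.randint(n_risks // 20, n_risks // 3)
            # no TIV-style ceiling: per-risk severity is unbounded above
            total += sum(rng.lognormvariate(13.0, 1.0) for _ in range(affected))
        years.append(total)
    return years


def layer_loss(total, layer):
    """Loss ceded to the layer from one year's aggregate loss."""
    return min(max(total - layer.attachment, 0.0), layer.limit)


def risk_metrics(losses, layer, eps=(0.2, 0.1, 0.04, 0.01)):
    """Portfolio and layer metrics of the kind quoted in ILS risk reports."""
    n = len(losses)
    srt = sorted(losses, reverse=True)
    # VaR at exceedance probability ep: loss exceeded in a fraction ep of
    # years; TVaR is the mean loss of the years at or beyond that point.
    ep_curve = {ep: srt[int(ep * n)] for ep in eps}
    tvar = {ep: statistics.fmean(srt[: int(ep * n)]) for ep in eps}
    ll = [layer_loss(x, layer) for x in losses]
    return {
        "expected_loss": statistics.fmean(losses),
        "std_dev": statistics.pstdev(losses),
        "ep_curve": ep_curve,
        "tvar": tvar,
        "layer_expected_loss": statistics.fmean(ll),
        "prob_attach": sum(x > layer.attachment for x in losses) / n,
        "prob_exit": sum(x >= layer.attachment + layer.limit for x in losses) / n,
        "prob_breakeven": sum(x > layer.premium for x in ll) / n,  # assumed definition
    }


if __name__ == "__main__":
    layer = Layer(attachment=15e6, limit=20e6, premium=2e6)
    for name, value in risk_metrics(simulate_annual_losses(), layer).items():
        print(name, value)
```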
Standard Exclusions
While not mentioned in the table of coverage areas, it is worth noting that there are standard exclusions in most commercial cyber insurance policies, just as we would expect to find certain exclusions in most commercial property policies. War is typically excluded in both lines of business[1]. Infrastructure losses (including disruption to utilities, core internet infrastructure and telecommunication service elements) are another standard exclusion in commercial cyber. These exclusions remove major sources of systemic loss from the insurance product.
[1] There is a separate cyber war line of business for companies wanting to hedge this risk. This is a growing segment of the cyber insurance market.
Key Differences
First- and Third-Party Exposures are Reinsured
Commercial cyber insurance products typically cover both first- and third-party coverage areas. Cyber is not unique in this regard. Homeowners property policies in the United States, for example, typically include Coverage E (Personal Liability), protecting the policyholder against financial judgments and defence costs incurred from cases brought by third parties. Coverage F (Medical Liability) is another common third-party coverage area in Homeowners policies. Reinsurance business protecting property books of business usually bifurcates these distinct loss types. Third-party exposures are usually reinsured into liability treaties, whereas first-party claims would find their way into property reinsurance treaties. Consequently, property ILS investors can expect a more homogeneous risk profile consisting mainly of first-party exposures.
We are seeing a similar phenomenon develop in cyber insurance. There is already precedent for reinsurance deals protecting first-party losses only, with third-party losses remaining un-reinsured or reinsured elsewhere. Having said that, these deals are not commonplace yet, and it is still usual to find both first- and third-party exposures reinsured together. Cyber ILS deals will typically have exposure to both.
This has ramifications for the loss development tail of cyber reinsurance, as third-party claims typically take longer to adjust and to reach final settlement. Loss development will be explored further in the third instalment of this series.
Nature of Underlying Risk
Examining coverage areas prompts us to consider the nature of the underlying risk. In property insurance, there is a wide spectrum of perils at play, some of them man-made in nature (e.g., house fire), others elemental (e.g., hurricane, earthquake). However, cyber insurance exclusively involves man-made perils, predominantly those arising from the activities of threat actors. To understand cyber risk is to understand human incentives. Different threat actors (cyber criminal groups, nation states, hacktivists and so on) have different motivations and, in most cases, these are known. We know their intended targets, preferred attack patterns and likely attack vectors. Intelligence on these threat actors, methods and targets is actively reported via structured data disseminated by the cybersecurity community. Trends in this data can be spotted and models can be recalibrated accordingly, with machine learning techniques particularly well suited to handling this workload in real time and able to keep up with the pace of change.
By contrast, property insurance, with its risk profile (especially tail risk) often dominated by elemental perils, is different in nature. Elemental perils do not have, and are not subject to, incentives. We would contend that anthropogenic forces are easier to understand than the natural world.
No Analogous Concept to TIV
Exposure within property lines of business is linked to the concept of total insurable value (TIV). TIV is a ceiling on how severe a single loss can become (whether fully insured or not). By way of example, Coverage A within a homeowners policy (Dwelling Coverage) protects the structural elements of a policyholder’s home (walls, floors, ceilings and so on). “Value,” in this context, would be the rebuild cost of the home. If calculated accurately, the Coverage A TIV would be the maximum loss possible to the homeowner’s dwelling. We can introduce the concept of a damage ratio, where any given loss could be between 0% and 100% of the TIV, but no greater. Policies would typically offer Coverage A insurance up to the full TIV amount.
In cyber insurance, there is no analogous concept to TIV. A company must determine the correct cyber limit to buy, often in conjunction with its agent or broker. There is nothing to prevent, at least in theory, a very severe loss blowing right through the top of the insurance tower, with the insured then forced to retain the balance. While this is a different mindset to property insurance, cyber is not unique in this regard. The same could be said for many other specialty and casualty insurance lines. This reality does not prevent or impede the ability to build and calibrate quantitative models using exposure and loss data.
Final Comments
We hope this first instalment of our series on cyber ILS has helped to shine a light on the coverage areas typically found within a commercial cyber insurance policy. As discussed, there are parallels in property insurance as well as some important differences. The key takeaway is that the cyber product has definition and structure and is amenable to a data-driven assessment.
The next instalment will tackle issues of diversification. Is it possible to build a diversified portfolio within cyber ILS? What access points are available and how mature are the ILS product types?
If investors or allocators, current or prospective, have any questions on the material in this series, please do not hesitate to contact a member of the Envelop Capital Markets team.
Legal Information
©2025 Envelop Risk Analytics Limited[2] (“Envelop”). All rights reserved.
This document has been prepared by Envelop on behalf of itself and its subsidiaries. Envelop and its subsidiaries are together referred to herein as the “Envelop Group”. This document is confidential and written only for the benefit of the intended recipients, being persons with sophisticated professional expertise in, and who are involved in a professional capacity (as a cedant, sponsor, adviser, services provider or asset manager) with, insurance-linked securities. Any person who accesses, views or receives this document must (a) not use, copy, publish, disclose, transmit, distribute or reproduce it, whether in whole or in part, without the prior written consent of Envelop; (b) not permit its disclosure to any other person; and (c) keep it confidential. No rights are derived from any information contained in this document. Envelop retains all copyright and intellectual property rights in this document and no licence is given to any other person to use or reproduce the information contained in or derived from it.
This document does not constitute or include any recommendation, offer, or a solicitation of an offer, to sell or buy any investment or type of investment including (without limitation) re/insurance, any insurance-linked securities, Lloyd’s capacity, Lloyd’s syndicate membership or, in each case, rights therein (“Investment”) and no person may treat it as constituting such. This document may not be used to make such an offer nor is capable of acceptance, and any agreement with any Envelop Group entity, special purpose arrangement or syndicate at Lloyd’s is subject to separate written terms and conditions fully negotiated and executed by the parties. The information in this document is provided as general information only. This document does not amount to advice nor expresses any views as to the suitability of any Investment or to the individual circumstances of any recipient and no intended recipient or any other person should rely on it. It is the obligation of any recipient or viewer of this document to obtain professional or specialist advice before taking, or refraining from, any action on the basis of the information in this document. This document is not directed at, or intended for distribution to or use by, any person or entity who is a citizen or resident of or located in any jurisdiction where such distribution, publication, availability or use would be contrary to applicable law or regulation or which would subject Envelop or its affiliates to any registration or licensing requirements in such jurisdiction.
This document may contain forward-looking statements, projections, valuations or statistical analyses that involve substantial risks and uncertainties, and may be based on certain assumptions and/or subjective assessment. Actual results and developments may differ materially from those expressed or implied in this document due to a variety of factors, and this document should not be relied upon as an accurate prediction of future performance. The information contained in this document is subject to updating, completion, modification and amendment without notice. Envelop Group entities have and undertake no obligation or duty to maintain or update the contents of this document. No Envelop Group entity makes any statement, representation, warranty, assurance, undertaking or guarantee in or in relation to this document, including that this document is accurate, complete or up to date, nor holds out any person as having any authority to do so. Under no circumstances shall any Envelop Group entity be liable for any loss (including direct, financial, indirect or consequential) relating to this document. Each of the recipient and any person viewing or accessing this document acknowledges that Envelop Group will not be liable for any loss or damage of any sort arising in connection with its or any other person’s use or reliance on this document or any information in or derived from it.
[2] Envelop Risk Analytics Limited is a limited company incorporated in England and Wales with registered number 10531277 and registered office at 6th Floor Vintry Building, Wine Street, Bristol, BS21 2BD, United Kingdom