Part 2 of the Cyber ILS Series

By David Ross, EVP of ILS & Capital
18 March, 2025

Introduction

In this series, we confront some big topics which potential investors typically may consider when assessing cyber ILS as an asset class. The content for the series has been written with the assumption that readers have some foundational knowledge of property catastrophe ILS including the underlying subject business, namely property insurance. Through these articles, we aim to challenge, if not remove, some of the preconceptions around cyber ILS by comparing it to property cat ILS. This will include an examination of the similarities in the underlying lines of business along with ways in which they differ.

In this second instalment we focus on the topic of diversification – both diversification within a cyber portfolio and relative to other asset classes. Is it possible to build a diversified cyber ILS portfolio? How would an investor go about doing this and what access points are available in the market today? When we discuss diversification in this context, we are focusing on the tail of the loss distribution. Specifically, when losses are severe, do all the constituent deals in a portfolio experience losses simultaneously, or can some deals turn a profit to offset the losses?

Diversification within Cyber

Claims that it is possible to build a diversified portfolio of cyber risk are often met with scepticism. The root cause of this scepticism is usually related to the way in which cyber risk is not physically contained within geographical boundaries, thereby leaving open the theoretical possibility of a severe systemic cyber-attack spreading worldwide. This is in contrast to property catastrophe risk, where we can identify and isolate mutually exclusive buckets of risk by region or peril, and to a high confidence level state that a single event will be contained to one and only one of these buckets.

By way of example, consider a portfolio consisting of two property cat bonds, A and B. A covers only Florida situs risk (all natural perils) and B covers only New York situs risk (all natural perils). Although possible, it is unlikely that the portfolio would sustain a loss from both A and B in a single event. One might choose to adopt an exposure management framework which identifies separate US southeast and US northeast risk buckets. A would be recorded and reported under the former, with cat bond B falling under the latter. This is intuitive and readily communicates the presence of diversification.

In this series, we present an alternative lens through which to visualise diversification; one which is better suited to cyber risk. We borrow this approach from graph theory. We conceptualise companies as a network of nodes. Nodes are connected via edges. If two nodes are connected via an edge, it denotes the potential for a single cyber event to spread from one node (company) to the other. Edges can be weighted differently; the more heavily weighted an edge between nodes, the higher propensity for an event to spread between companies.

We should note that this construct is not unique to cyber; the same construct could be applied to property cat risk too. In a property cat context, nodes would be individual insured buildings within a portfolio and the heaviest edges would be assigned to nodes in close geographical proximity to each other. The network of nodes and edges would look different depending on the peril. For example, hurricane would require a different edge weighting between nodes than quake.

To take this construct from mere theory to application, we need to identify the variables which determine the weightings of inter-nodal edges. These variables are the levers available to build diversification into a cyber portfolio. For cyber risk, the following (not exhaustive) levers apply:

  1. Extent to which technology is shared
  2. Dependence on common third-party service providers
  3. Business relationships
  4. Extent to which industries are related
  5. Similarity of organisational structure
  6. Similarity of culture
  7. Commonality of oversight and regulation
  8. Commonality of legal framework
  9. Appeal to the same threat actors

If two companies (nodes in the network) have any of these variables in common, then we would logically conclude there is a higher propensity for event spread (a heavier edge between the nodes). Some of the variables are difficult to define, let alone observe from external data sources. Instead, we appeal to higher level factors which correlate strongly with those variables. These higher level factors are selected precisely because they are definable and observable. The most material higher level factors (as supported by historical loss data) are as follows:

  1. Geography
  2. Industry vertical
  3. Insured segment (nano, micro, small, medium, large … etc.)

We define edges between nodes as a function of these factors as one part of a mathematical model to quantify the risk in a cyber portfolio.

In this image, we visualise loss spread from a single hypothetical cyber event. Each blob pertains to a {geography (region), sector (industry sector), size (insured segment)} triplet. The cyber event first impacts one company, with the potential to spread to others. Blob size denotes the probability of the event spreading from one triplet to another.

It is possible to enumerate risk buckets within each of these factors, and cyber risk professionals often do so, in the same way that property cat analysts do for region and peril (as described in our earlier example). We can easily quantify, for example, how much exposure there is within a cyber insurance portfolio pertaining to technology companies vs healthcare. Data tables like this are useful in the sense that they impart a flavour of the diversification inherent within the portfolio, but they do not intrinsically quantify the contagion risk. For this, spread models based on graph theory offer a robust solution when backed by the right data for calibration.
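As an added illustration of the node/edge construct above (this is not Envelop's model, code or calibration), the following Python builds a weighted graph of insureds from their geography/industry/segment triplets, simulates spread from a single event, and compares a concentrated book against a diversified one. The per-factor weights, the spread rule and the sample insureds are all assumed for illustration.

```python
"""Toy graph-based contagion model for a cyber book (added illustration, not
Envelop's model). Nodes are insureds with a (region, sector, segment) triplet;
edge weight is an assumed, uncalibrated sum of weights for shared factors."""
import itertools
import random
from dataclasses import dataclass

# Assumed per-factor contribution to spread probability (illustrative values only).
FACTOR_WEIGHTS = {"region": 0.30, "sector": 0.25, "segment": 0.10}

@dataclass(frozen=True)
class Insured:
    name: str
    region: str
    sector: str
    segment: str

def edge_weight(a, b):
    """Heavier edge the more of the three factors two insureds share."""
    return sum(w for f, w in FACTOR_WEIGHTS.items() if getattr(a, f) == getattr(b, f))

def build_graph(portfolio):
    """Undirected weighted adjacency map; pairs sharing no factor get no edge."""
    graph = {ins: {} for ins in portfolio}
    for a, b in itertools.combinations(portfolio, 2):
        if (w := edge_weight(a, b)) > 0:
            graph[a][b] = graph[b][a] = w
    return graph

def simulate_event(graph, origin, rng):
    """Breadth-first spread: each edge from a newly hit node fires once with p = weight."""
    hit, frontier = {origin}, [origin]
    while frontier:
        nxt = []
        for node in frontier:
            for nbr, w in graph[node].items():
                if nbr not in hit and rng.random() < w:
                    hit.add(nbr)
                    nxt.append(nbr)
        frontier = nxt
    return hit

def spread_summary(portfolio, trials=2000, seed=7):
    """Mean and 99th-percentile share of the book hit by one event (Monte Carlo)."""
    rng, graph = random.Random(seed), build_graph(portfolio)
    shares = sorted(len(simulate_event(graph, rng.choice(portfolio), rng)) / len(portfolio)
                    for _ in range(trials))
    return {"mean": sum(shares) / trials, "p99": shares[int(0.99 * trials) - 1]}

# Constructed sample books: one concentrated, one spread across all three factors.
CONCENTRATED = [Insured(f"c{i}", "US", "tech", "small") for i in range(6)]
DIVERSIFIED = [Insured("d0", "US", "tech", "small"), Insured("d1", "US", "health", "large"),
               Insured("d2", "UK", "retail", "micro"), Insured("d3", "DE", "mfg", "medium"),
               Insured("d4", "JP", "finance", "large"), Insured("d5", "AU", "energy", "small")]

if __name__ == "__main__":
    for name, book in (("concentrated", CONCENTRATED), ("diversified", DIVERSIFIED)):
        print(name, spread_summary(book))
```

The tail statistic (p99) is the quantity the article's notion of diversification targets: in the concentrated book a single event routinely reaches the whole portfolio, whereas in the diversified book the unconnected triplets cap how far one event can travel.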

Envelop Risk incorporates graph theory into its contagion models. Some commercially available cyber models offer different approaches. However, all recognise the diversifying elements of geography, industry vertical and insured segment with the result that model output (e.g. modelled expected loss, exceedance probability curves … etc.) implicitly reflects those elements.

Geographical Diversification in Action

By way of a real-world example, the exhibit below shows the number of organisations impacted by the MOVEit cyber-attack which was one of the most significant cyber-related events of 2023. The attack exploited a flaw in the MOVEit managed file transfer service, used by many organisations to securely transfer sensitive files. Hackers were able to exploit a previously unknown vulnerability (a zero-day vulnerability) to access the databases of MOVEit customers. The software vendor, Progress Software, released a security update to fix the vulnerability soon afterwards.

The exhibit below shows the impact concentrated in the US and Canada, with much reduced spread beyond North America. Geographical proximity is an observed correlation, but not causal in nature. The true underlying risk factor and source of the contagion was the shared software.

MOVEit Cyber Attack – affected organisations (as of December 20, 2023)

Diversification of Cyber Risk Relative to Other Asset Classes

Given the brief history of cyber insurance (circa 25 years), we have insufficient data to examine empirical correlation between cyber losses and major asset classes such as stocks and bonds. We can, however, apply logic and reason to assess the nature of this correlation.

In the extreme tail of the distribution, there are realistic disaster scenarios in the cyber world that would have a causal effect on stocks and bonds. Points of failure exist within digitised networks that could, in theory, produce insurance losses for thousands of policyholders, should these points ever succumb to a large-scale cyber-attack. A successful attack directed at a major cloud provider would be an example of such a scenario. The consequences for both cyber losses and financial markets would be extensive if disruption were prolonged.

There are analogies in the world of property cat, where one could posit events in the extreme tail of the severity distribution that would directly cause material drawdowns in stocks and bonds. A magnitude 8 earthquake in the San Francisco Bay area or a Saffir-Simpson Category 5 hurricane into Manhattan would be two such examples.

We assert that cyber and elemental events on a scale large enough to affect financial markets are rare. We have a lengthy period of observation to be confident of this assertion for property cat events (although the picture looking forward is muddied by climate change). For cyber events, we have a shorter period of observation, but there are many other factors to give us comfort here:

  • A vulnerability that could lead to a catastrophe is only as worrisome as the pace at which it can be weaponised by malicious actors before patches are deployed. Known vulnerabilities can be scanned and patched quickly and usually are by well-resourced enterprises such as major cloud providers with impressive cyber posture.
  • Threat intelligence is far more sophisticated than many observers realise, with an active community of cybersecurity professionals reporting on new, emerging and existing threats and threat actors via structured reporting formats that can be interrogated and assimilated. This intelligence enables businesses to prepare in advance and ward off potential attacks. (Re)insurance companies themselves are playing an active role in this area by providing threat-monitoring services to their policyholders, preferring to manage risk in real time rather than silently watching threats unfold once risks are bound.
  • Exclusionary language in insurance policies removes several sources of systemic risk that should logically reduce correlation with other financial asset classes. War exclusions, first borrowed from other insurance classes, have been tailored to address the nuances of cyber insurance. The Lloyd’s Market Association (LMA) has promulgated standard exclusions which exclude or materially limit coverage for state-on-state cyber operations. Other insurers have adopted identical or similar exclusions in their own policies, as the market coalesces around best practice in this area.
  • Critical infrastructure exclusions are prevalent in insurance policies, encompassing disruption to utilities, other electrical and mechanical services and, in many cases, core internet infrastructure and other telecommunication service elements. Consequently, many realistic disaster scenarios would not be covered under cyber insurance policies – power outages induced by a cyber-attack would be one example of this.

All this serves to mitigate catastrophic risk potential which should dilute correlation with major asset classes such as stocks and bonds.

Cyber is an anthropogenic peril. Cyber threats are motivated by human considerations, often financial, political, or ideological in nature, depending on the threat actor. These same motivations are often intertwined with financial markets in complex ways, and it would be naïve to assume that returns from cyber (re)insurance and other asset classes move completely independently of one another. This point notwithstanding, the case for strong correlation between cyber and major asset classes is not present. We may see this in the extreme tail of the distribution, as we would do for property cat. But, otherwise, the thesis of diversification is valid.

The bar chart below shows a selection of recent cyber events and their impact on the S&P 500 index. The chart shows that there were no material movements in this US stock index following these cyber events (over a 7-day or 30-day time horizon).

Past major event impact on S&P 500*

Access to Risk and Implications for Diversification

Market observers have long prognosticated that capital markets would begin to support cyber risk at scale. Prior to 2023, involvement had been limited to a small number of private collateralised reinsurance transactions with limited information in the public domain. 2023 was a pivotal year in the maturation of the cyber ILS market, and investors now have much broader access via a multitude of instruments and channels.

We categorise the available instruments and channels in the table below and provide some brief commentary around each.

Access to Risk Matters when Discussing Diversification.

Investors will ultimately benefit as more cyber bond sponsors come to market, when more collateralised reinsurance trades occur, and when risk is transformed via new structures with differing risk profiles. With each new step, the universe of potential deals expands creating new degrees of freedom in portfolio construction. Some may choose to invest directly, while others will seek access through dedicated managers with cyber domain knowledge and portfolio management expertise. We expect to see growing interest in this latter category through specialist cyber underwriting companies (such as Envelop) offering origination, modelling, and portfolio construction capabilities.

Final Comments

We hope this second instalment of our series on cyber ILS has helped to explain how it is possible to build diversified portfolios of risk within cyber ILS. While the nature of diversification is different to property catastrophe, we can pursue cyber risk diversification across region, industry vertical and insured segment, all of which are important levers in portfolio construction. Access points are broadening as the market matures.

The next instalment will address the loss development tail of cyber risk portfolios. How do development patterns compare to property insurance? What does this mean for collateral release mechanisms in cyber ILS?

If investors or allocators, current or prospective, have any questions on the material in this series, please do not hesitate to contact a member of the Envelop Capital Markets team.

Legal Information

©2025 Envelop Risk Analytics Limited¹ (“Envelop”). All rights reserved.

This document has been prepared by Envelop on behalf of itself and its subsidiaries. Envelop and its subsidiaries are together referred to herein as the “Envelop Group”. This document is confidential and written only for the benefit of the intended recipients, being persons with sophisticated professional expertise in, and who are involved in a professional capacity (as a cedant, sponsor, adviser, services provider or asset manager) with, insurance-linked securities. Any person who accesses, views or receives this document must (a) not use, copy, publish, disclose, transmit, distribute or reproduce it, whether in whole or in part, without the prior written consent of Envelop; (b) not permit its disclosure to any other person; and (c) keep it confidential. No rights are derived from any information contained in this document. Envelop retains all copyright and intellectual property rights in this document and no licence is given to any other person to use or reproduce the information contained in or derived from it.

This document does not constitute or include any recommendation, offer, or a solicitation of an offer, to sell or buy any investment or type of investment including (without limitation) re/insurance, any insurance-linked securities, Lloyd’s capacity, Lloyd’s syndicate membership or, in each case, rights therein (“Investment”) and no person may treat it as constituting such. This document may not be used to make such an offer nor is capable of acceptance, and any agreement with any Envelop Group entity, special purpose arrangement or syndicate at Lloyd’s is subject to separate written terms and conditions fully negotiated and executed by the parties. The information in this document is provided as general information only. This document does not amount to advice nor expresses any views as to the suitability of any Investment or to the individual circumstances of any recipient and no intended recipient or any other person should rely on it. It is the obligation of any recipient or viewer of this document to obtain professional or specialist advice before taking, or refraining from, any action on the basis of the information in this document. This document is not directed at, or intended for distribution to or use by, any person or entity who is a citizen or resident of or located in any jurisdiction where such distribution, publication, availability or use would be contrary to applicable law or regulation or which would subject Envelop or its affiliates to any registration or licensing requirements in such jurisdiction.

This document may contain forward-looking statements, projections, valuations or statistical analyses that involve substantial risks and uncertainties, and may be based on certain assumptions and/or subjective assessment. Actual results and developments may differ materially from those expressed or implied in this document due to a variety of factors, and this document should not be relied upon as an accurate prediction of future performance. The information contained in this document is subject to updating, completion, modification and amendment without notice. Envelop Group entities have and undertake no obligation or duty to maintain or update the contents of this document. No Envelop Group entity makes any statement, representation, warranty, assurance, undertaking or guarantee in or in relation to this document, including that this document is accurate, complete or up to date, nor holds out any person as having any authority to do so. Under no circumstances shall any Envelop Group entity be liable for any loss (including direct, financial, indirect or consequential) relating to this document. Each of the recipient and any person viewing or accessing this document acknowledges that Envelop Group will not be liable for any loss or damage of any sort arising in connection with its or any other person’s use or reliance on this document or any information in or derived from it.

1. Envelop Risk Analytics Limited is a limited company incorporated in England and Wales with registered number 10531277 and registered office at 6th Floor Vintry Building, Wine Street, Bristol, BS21 2BD, United Kingdom