// 22 April, 2025

Cyber ILS: Loss Development Patterns and Collateral Release

By David Ross, EVP, ILS & Capital at Envelop Risk

// Report

Part 3 of the Cyber ILS Series


Introduction

This is the third and final instalment of our Cyber ILS series.

In this series, we confront some big topics that potential investors typically consider when assessing cyber ILS as an asset class. The content for the series has been written with the assumption that readers have some foundational knowledge of property catastrophe ILS, including the underlying subject business, namely property insurance. Through these articles, we aim to challenge, if not remove, some of the preconceptions around cyber ILS by comparing it to property cat ILS. This includes an examination of the similarities in the underlying lines of business along with ways in which they differ.

This third instalment explores the loss development pattern of cyber portfolios and highlights key factors for consideration. Many investors new to cyber insurance have concerns about losses developing over extended timeframes and volatility in ultimate loss picks during this development phase. Are these concerns justified, and to what extent are there ramifications for collateral release mechanisms within cyber insurance-linked securities? How do paid and incurred loss development patterns for cyber insurance compare to property insurance?

The Importance of Policy Forms

Cyber liability insurance is almost always written on a claims-made-and-reported policy form. Readers may already have familiarity with claims-made policy forms due to their prevalence in casualty and specialty lines of business. A claims-made policy form offers coverage for claims made against the insured during the policy period. These policies typically come with a reporting requirement: “as soon as reasonably practicable.”

A claims-made-and-reported policy form offers coverage only for claims made against the insured during the policy period (just like the claims-made form) and reported to the insurer during the policy period. In a claims-made-and-reported form, the reporting period is tightly defined, rather than “as soon as practicable.” Immediately, we confront an important difference from property lines of business, which invariably use occurrence-based policy forms (often referred to as “LOD” or “losses-occurring-during”). For this form type, it is the occurrence date of the loss which matters, not the date on which the claim is made against the insured and reported to the insurer.

A simple example illustrates the importance of the form type when considering loss development. Assume an insured purchases an annual cyber insurance policy incepting 1st January and has done so each year without any breaks in coverage. Now assume the insured suffered a cyber-attack in 2022 in which the threat actor managed to exfiltrate sensitive data belonging to clients of the insured. In our example, assume the breach remained undetected until 2024 when it is picked up by the insured’s cybersecurity team. In the days which follow (still in 2024), the insured receives a service of suit from some of its clients alleging damages from the data leak. The insured could claim under the cyber liability coverage afforded under its insurance policy. But it would be claiming under the 2024 policy, not the 2022 policy. If the insured delayed for too long and reported the incident to its insurer in 2025, there would be no coverage at all (not even under the 2025 policy)[1].

What this means in practice is that loss frequency is known to the insurer quickly. The possibility of pure IBNR claims (incurred but not reported) emerging later (i.e., after the policy period) is removed entirely. When we talk about incurred loss development in cyber liability, what we are really concerned about is IBNER (incurred but not enough reported). As with any line of business, initial reserve picks may be inaccurate (due to lack of information) and may creep upward over time. The converse is also true: initial reserve picks may be too high and ultimate losses may fall over time. As more details of claims emerge over time and any legal judgments become clear, uncertainty tapers off and the ultimate loss quantum becomes clear.

First-Party and Third-Party Considerations

In Part 1 of this series “Cyber ILS: An Investible Asset Class,” we separated out the distinct coverage types within commercial cyber insurance products and noted that they fall into one of two categories: first-party or third-party coverages. This fact is important once again as we consider loss development patterns. As we see in other lines of business, third-party claims may involve legal proceedings which must play out before the ultimate insured loss position becomes known. This can extend the paid and incurred loss development tail of these claims.

The graph below shows an illustrative incurred loss development pattern for a US cyber insurance book, taken from Envelop’s data warehouse within its CyberTooth model. We see that first-party claims have historically been much shorter tailed than third-party claims. It is important to consider that first-party claims represent the bulk of historical industry losses which shortens the combined tail when averaged over both first- and third-party coverages. 75% of historical cyber insurance losses in Envelop’s data warehouse are attributed to first-party coverages.

[1] In practice, the insurer may grant a short grace period, following the end of the policy period

A nuance of cyber insurance is that under-insurance is currently shortening incurred loss development patterns. Historical large cyber events have typically exhausted their cyber insurance programmes quickly due to sizeable first-party cost elements; third-party elements were therefore limited components of the overall loss quantum. This dynamic may change over time as the cyber insurance market matures, assuming insureds opt to buy larger limits of cover.

The graph below contrasts illustrative paid and incurred development patterns for US cyber insurance against US property insurance. It is important to note that patterns may differ across regions and policy types, and we expect to find individual claims whose development patterns differ materially from those shown above and below due to their unique circumstances.

Insurance vs Reinsurance

The preceding sections focus exclusively on cyber insurance, not reinsurance. ILS investors will assume the risk in the form of securitised reinsurance instruments. A discussion of loss development patterns, therefore, would not be complete without mentioning some features of reinsurance which can extend the development tail. A full treatment of this subject is beyond the scope of this series, but we draw attention to some of the most notable aspects below.

  • Excess of Loss Structures
    The first of these is the obvious, yet important, impact that excess of loss structures have on the shape of loss development patterns. By way of example, consider a simple aggregate excess of loss reinsurance structure with subject losses falling beneath the attachment point of the contract. Then, towards the end of the contract term, some new subject losses are reported, tipping the aggregate total over the attachment. In this example, we would witness a step change as the reinsurance contract recoveries suddenly go from zero to non-zero. There is nothing special about cyber reinsurance in this regard; this would apply in the same way for any underlying line of business. The converse consideration is also true; reinsurance contracts which sustain a heavy loss burden may exhaust quickly, thereby bringing an early close to loss development.
  • Hours Clauses
    Cyber reinsurance deals may be written on an occurrence basis, allowing for aggregation of individual insurance claims into a single event before being subject to the reinsurance contract terms. There is typically language in reinsurance contracts which defines a protocol for events which commence before expiry of the reinsurance contract and continue beyond the end of the contract term. These events are typically considered in full, as if all individual losses comprising the event were sustained within the contract period. This is not unique to cyber as a line of business; we see the same language in property reinsurance. This wording serves to elongate the development tail slightly. However, extreme examples, where the event continues over extended periods of time, are cut off early. In other words, the period over which a cedant may aggregate individual losses is capped. The terms are set out in the reinsurance contract’s “hours clause.” We see this in both property and cyber reinsurance contracts alike.
  • Risks-Attaching Coverage
    Cyber reinsurance deals may be written on a risks-attaching basis. In these cases, insurance claims would be within the reinsurance coverage if, and only if, they were covered under insurance policies written during the reinsurance contract term. A simple example can quickly illustrate how this could impact loss development patterns. Imagine a risks-attaching reinsurance contract incepting on 1st Jan 2024 and expiring on 31st Dec 2024. The cedant writes an annual insurance policy incepting on 31st Dec 2024, expiring on 31st Dec 2025. Any insurance claims falling under this policy would be subject to the reinsurance contract by virtue of the fact they attach to a policy that was written by the insurer during the reinsurance coverage period. Once again, there is nothing special about cyber in this regard. Risks-attaching reinsurance is common to many lines of business and is prevalent within proportional structures such as quota shares. Loss development patterns for risks-attaching contracts are generally longer than losses-occurring or claims-made contracts, all other factors being equal.

The key takeaway from this section is that structure is important. As ILS investors will want their profit and loss positions to be determined sooner, rather than later, they will push for shorter development profiles in the risk coverage. This makes some structures more appropriate than others in the design of ILS instruments.

Collateral Release Mechanisms in Insurance-Linked Securities

There is a natural tension in all ILS transactions between the protection buyer’s desire to ensure that collateral remains available while the ultimate loss amount under the reinsurance contract is determined (and subsequently paid out), and the investor’s desire to withdraw excess collateral as soon as possible. This tension exists regardless of the ILS instrument and line of business under consideration, whether it is a protection buyer sponsoring a cyber insurance-linked bond or a buyer ceding property cat risk under a collateralised reinsurance deal. The cause of the tension is the fact that ultimate losses cannot be known with certainty in the immediate aftermath of the insured events; it often takes some time for ultimate losses to become known. The worst-case scenario for the sponsor / protection buyer would be to release the collateral too early and then experience adverse loss development with no clawback provisions. A bad outcome for the investor would be to have the collateral trapped needlessly for extended periods of time, with no ability to redeploy it on other deals, thereby suffering dilution of returns.

Somewhere between these two extremes we seek a compromise. A natural starting point would be to evaluate the effectiveness of the compromises we encounter in property cat ILS transactions to see if they can be used or repurposed for cyber ILS deals. In the paragraphs below, we focus the discussion on collateralised reinsurance transactions.

Buffer Loss Tables

Many collateralised reinsurance transactions make use of buffer loss tables to govern collateral release. In short, once an event is known, an ultimate loss value is assigned to it by the protection buyer. A buffer (multiplier) is then applied to the loss to inflate its value, recognising the uncertainty in the buyer’s estimate. Over time, the size of the buffer tapers off according to a predetermined table of factors, recognising that the buyer’s ultimate loss will become increasingly clear in time. Eventually, all buffers are removed. At any point during this process, if any collateral is unimpaired by the buffered loss, then it is contractually released to the investor without delay. Depending on the contract language, subsequent deterioration in the ultimate loss estimate can obligate the investor to replenish the collateral pool, a process known as clawback. All the while, any remaining collateral is ringfenced for the protection buyer’s benefit, typically sitting in cash-like assets in a trust account (managed by a reputable trustee) or backed by a letter of credit issued by a credit-worthy counterparty (typically a bank). After a stipulated length of time following expiry of the reinsurance term, the investor typically has the option or obligation to commute all liabilities under the contract according to a defined procedure. Any excess collateral is then released concurrently with commutation. Some contracts have automatic commutation once collateral is released.

Modifying Mechanics

We can modify these mechanics in a few ways to accommodate cyber insurance risks.

  1. We may recognise that a complex cyber event may take some time to evaluate. The protection buyer may not be able to opine on an ultimate loss amount by the end of the reinsurance term, especially for an event which occurs towards the end of the term. We can address this by including a grace period following the end of the reinsurance term, during which the buyer has the option to hold all the collateral.
  2. We may choose to elongate the buffer loss schedule so that buffer factors taper off more slowly. This would implicitly recognise the longer-tailed nature of some cyber losses or help foster a cyber ILS market that would rather play it safe to begin with and err on the side of caution. More innovative solutions may apply different buffer factors to first-party claims than third-party, recognising inherent differences in their respective development tails. Reinsurance intermediaries could play a role in broking a fair compromise on the duration and magnitude of loss buffering, informed by data, in particular loss development patterns.
  3. We could explore the addition of incentives for both protection buyers and investors. One such incentive would be to introduce wording which requires the protection buyer to pay interest on outstanding collateral balances after expiry of the reinsurance term. There is precedent for this already in securitised property cat bonds and growing support in other forms of collateralised risk transfer. This would incentivise the protection buyer to release collateral promptly and not to pad ultimate loss estimates. Another incentive would be to introduce a no claims bonus in the reinsurance structure design, payable only if the contract is commuted within a stipulated timeframe following expiry. While this does not guarantee early collateral release, it would likely incentivise the protection buyer in cases where a reinsurance recovery looked highly improbable. There is already precedent for such mechanics in cyber excess of loss reinsurance deals, in particular event XL and aggregate XL treaties.
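
The buffer loss table mechanics and the first two modifications above can be traced in a short calculation. This is an added worked example, not part of the original report or of Envelop's models. The buffer schedules, grace period, layer terms and loss reports are all constructed values, and it assumes that months are counted from the end of the reinsurance term and that buffers are applied to the buyer's subject loss before the excess of loss terms.

```python
from dataclasses import dataclass

# Constructed schedules (not from the article): (months after term end, buffer in %).
# The third-party factors taper more slowly, as modification 2 suggests.
FIRST_PARTY = [(0, 150), (6, 125), (12, 110), (18, 100)]
THIRD_PARTY = [(0, 200), (6, 175), (12, 150), (24, 125), (36, 100)]
GRACE_MONTHS = 3  # modification 1: buyer may hold all collateral this long (assumed)


def buffer_pct(schedule, months):
    """Step lookup: the factor of the latest row that starts at or before `months`."""
    pct = schedule[0][1]
    for start, row_pct in schedule:
        if months >= start:
            pct = row_pct
    return pct


@dataclass
class Layer:
    attachment: int  # whole currency units, so the arithmetic stays exact
    limit: int       # fully collateralised: posted collateral equals the limit

    def recovery(self, subject_loss):
        return min(max(subject_loss - self.attachment, 0), self.limit)


def required_collateral(layer, months, fp_ultimate, tp_ultimate, hold_all=False):
    """Collateral the buyer may retain given its current ultimate loss picks."""
    if hold_all and months < GRACE_MONTHS:
        return layer.limit
    # Assumption: buffers inflate the subject loss before the layer terms apply.
    buffered = (fp_ultimate * buffer_pct(FIRST_PARTY, months)
                + tp_ultimate * buffer_pct(THIRD_PARTY, months)) // 100
    return layer.recovery(buffered)


def run_schedule(layer, reports, clawback=True, hold_all=False):
    """Return (months, held, flow) per report; flow > 0 is a release to the
    investor, flow < 0 a clawback that replenishes the collateral pool."""
    held, rows = layer.limit, []
    for months, fp, tp in reports:
        need = required_collateral(layer, months, fp, tp, hold_all)
        if need > held and not clawback:
            need = held  # contract without clawback: the pool cannot grow again
        rows.append((months, need, held - need))
        held = need
    return rows


# Constructed loss reports: the third-party pick deteriorates at month 12.
M = 1_000_000
LAYER = Layer(attachment=50 * M, limit=30 * M)
REPORTS = [(0, 30 * M, 10 * M), (6, 30 * M, 10 * M),
           (12, 30 * M, 16 * M), (36, 30 * M, 16 * M)]

if __name__ == "__main__":
    for months, held, flow in run_schedule(LAYER, REPORTS):
        kind = "release" if flow > 0 else "clawback" if flow < 0 else "no change"
        print(f"month {months:>2}: held {held / M:5.1f}m  {kind} {abs(flow) / M:.1f}m")
```

With these constructed inputs the third-party deterioration at month 12 triggers a clawback even though the buffer factors have tapered, which is the scenario where the contract's clawback wording matters.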

We have skipped over some fine detail in this discourse for the sake of brevity, including the role that fronting partners may play in the transformation of risk. But we conclude by noting that collateral release mechanisms can be borrowed from the property cat ILS world and tailored to cyber reinsurance, while safeguarding the interests of both protection buyers and investors.

Final Comments

We hope this final instalment of our series on cyber ILS has shed light on loss development patterns in cyber (re)insurance. While patterns are longer tailed than most property lines, the difference is relatively moderate as evidenced by historical loss data. Mechanisms already used to govern collateral release in collateralised property reinsurance can be applied in cyber reinsurance, with several levers available to allay investor concerns regarding trapped collateral.

Envelop remains committed to fostering growth of the cyber ILS marketplace. If investors or allocators, current or prospective, have any questions on the material in this series, please do not hesitate to contact a member of the Envelop Capital Markets team.

Legal Information

©2025 Envelop Risk Analytics Limited[2] (“Envelop”). All rights reserved.

[2] Envelop Risk Analytics Limited is a limited company incorporated in England and Wales with registered number 10531277 and registered office at 6th Floor Vintry Building, Wine Street, Bristol, BS21 2BD, United Kingdom