I’m hypothesizing that when insurers and insurance groups fund startup cyber MGAs or startup cyber insurers they are behaving like VCs hoping to generate desired returns from (some of) their investments. But are they really behaving like VCs – do these insurers (using cyber MGAs) have a plan regarding how much to invest, or a plan to decide which VCs (e.g. cyber MGAs) to invest in, or a plan that monitors the financial performance of the cyber MGAs (no, not volume of business but loss runs, loss ratios, and combined ratios of the book of business the cyber MGA generates), or a plan that encompasses when to exit and why to exit at a certain point in time?
I believe that increasingly more cyber risks will evolve into systemic cyber risks and in these situations I don’t see how insurers can comfortably estimate the maximum probable losses from the sale of the cyber cover they sell. How can any insurer sell coverage if they can’t comfortably estimate the MPL from the sale?
I see the cyber risk environment as a Nth dimensional topographic space that is continually expanding each instant another digital artifact is connected to the web. (And each instant a physical artifact with IP-sensors is connected to the web. And each instant a sentient entity [inclusive of farm animals] with IP-sensors is connected to the web. And each instant a NHI is connected to the web.)
So, I believe the cyber risk space is fluid. Not stable. Not mature. And will never be stable or mature.
How can insurers generate profitable underwriting? (Unless perhaps they offer a low amount of cyber cover with extremely tight terms, conditions, and restrictions.) So tight, like a Medieval Chastity Belt that can be unlocked with only one key. So tight, even the most brilliant plaintiff’s bar attorney can’t find coverage where none is intended in the contract. So tight, the most activist judge can’t find coverage where none is intended in the contract.
However, I realize that insurers can participate in the cyber market sponsoring ILS cyber cat bonds. There seems to be a small but growing number of insurers doing this. Keeping their financial capacity dry but participating.
And then there is the ART mechanism of cyber captives – there seem to be even fewer instances of insurers involved with establishing cyber captives than sponsoring ILS cyber cat bonds.
This brings me back to:
1) How can insurers generate profitable underwriting from selling coverage to prospective clients who have (systemic) cyber risks? Are they using a dart board with MPL values? Or are they falling back to “we’ve sold cyber insurance for the past 20+ years and have had combined ratios under 100% so we know what we’re doing.” This completely ignores that cyber risks are evolving to more complex forms of cyber risks (with corresponding cyber attacks and cyber incidents). This completely ignores that society is becoming an ever-increasing denser and denser set of web-driven interconnections and interdependencies among and between corporations, their ecosystems, web-connected devices, their clients, and their prospects (at a minimum).
2) Can insurers or insurance groups generate the ROI they want or expect from investing in startup cyber MGAs or startup cyber carriers? Patience is one thing; losing money as cyber risks evolve to more complex forms with attendant combined ratios over 100% is another thing.
3) Will it be enough (from the perspective of the carriers) to sponsor ILS cyber cat bonds or front cyber captives? Or will carriers find they are investing too many resources (time, people, money) in the ILS cyber cat bonds or fronting cyber captives to justify the financial returns from these efforts?
Just a few thoughts …. (But it seems like an Alice in Wonderland situation to me.)
Rabkin's Opinions 