How insurance-linked securities can improve cyber-security in India

These viewpoints have also been recently echoed by Zurich Insurance chief Mario Greco who feels that enterprise cyber-attacks (especially those on critical infrastructure) might become uninsurable with growing business disruptions due to them. The scarily important lesson from past cyber incidents on critical enterprise infrastructure is not so much what happened as what did not happen. ICS hackers did not push their limits by not poisoning water supplies, not melting down nuclear power plants, and not bringing down the power grid of an entire city—despite them successfully compromising critical infrastructure facilities. Conditioned on the event that malicious actor intentions could only get worse over time, the words of the Zurich chief might be true simply because the post-attack economic damage could be too high for cyber (re)insurance companies around the globe to bear.

A radical way to boost capital

Another big question is: Is there any alternative way to boost capital injection in existing cyber (re-)insurance markets in India and worldwide? Insurance-linked security (ILS) solutions such as catastrophe (CAT) bonds and resilience bonds might provide an answer. The crux behind the potential effectiveness of ILS solutions, such as CAT bonds and resilience bonds, is that their markets rely on trading securities in non-correlated multi-trillion financial markets. Since financial markets can draw on a larger, more liquid, and increasingly diversified pool of capital than the equity of cyber (re-)insurance markets, diversifying (at most) a few hundred billion dollars of cyber-risk in a 30-odd trillion dollar financial market is akin to insuring a drop in an ocean.

Also read: How should regulators policy cyber insurance for Indian businesses?

According to a Hannover Re (a global leader in providing re-insurance services) report, the ILS market is approximately worth $100 billion globally. Even though this is not near to being a trillion-dollar market (the valuation of cyber-loss annually around the globe), it is high enough to improve the density of current cyber-insurance markets—thereby also improving the ILS market in return. Since the early 1990s, ILS funds have provided retrocession (re-insurance for re-insurers) to the property-catastrophe re-insurance market for hurricanes and earthquakes when their capital is in short supply. ILS funds protect rare events and hence can generate,

1. Enough returns for their investors, and
2. Much required capital for cyber (re-)insurers to manage (catastrophic) cyber-risks more effectively.

In the context of insuring enterprise cyber-risks and especially in the age of rising ransomware demands, cyber-insurers can get enough capital injected into their business (through re-insurers) using ILSs to be able to rapidly proliferate markets with contracts that are not lemons—those that appropriately price exposed enterprise cyber-risk with coverage. This, alongside the fact that IT/ICS-operated smart cities around the globe are growing fast, will densify cyber (re-)insurance markets for the social good.

Also read: Why cyber-security needs to be a strategy in the infinite corporate game

The International Financial Services Center Authority (IFSCA) committee has recently called for India to develop a framework to enable a captive insurance offering (including cyber-insurance), other alternative risk transfer solutions, insurance-linked securities (ILS), catastrophe bonds, and to specialise in parametric risk transfer as well. The goal here is for India to target being a successful Asian (cyber-) ILS hub, such as Singapore, through effective deregulation and provision of incentives. In other words, the IFSCA of India wants the nation to be another location that encourages global companies to look for an attractive marketplace for the issuance of (cyber-) insurance-linked securities.  

How do cyber ILS solutions operate?

CAT bonds, when compared to treasury and municipal bonds, are only triggered in the event of a catastrophe—characterised by a (cyber) loss value above a particularly high threshold (e.g., above ₹10 lakh crores or $400 million in cyber-loss settings).

Also read: Seven challenges against securing the systemic cyberspace in the industrial IoT age

In the context of cyber-space, when a ‘rare’ catastrophe occurs (e.g., a critical ICS plant like a power plant shuts down for days at a stretch due to a cyber-attack) within a bond term (e.g., two years), the bond sponsor (the cyber-insurer paying premiums to a bond issuer) keeps a portion of the bond value to pay off aggregate first and third-party cyber-losses. The investors (e.g., hedge funds), on the other hand, lose some or all their principal (capital) invested. The bond issuer (e.g., cyber re-insurance firm along with special purpose vehicles and/or investment banks) creates the bond and pays interest to the investors after collecting premiums from the bond sponsor. If the catastrophic cyber event does not occur during the bond term, the investors get their invested capital back at a maturity date. In addition, the return on principal combined with coupon payments acts as the return on investment (ROI) for the investors. Since only catastrophic events trigger cat bonds, the portfolio-diversifying investors are happy to invest significant capital into cyber re-insurance markets (for higher returns) that, in turn, seep through to cyber-insurance markets.

A resilience bond is a new ILS instrument, and quite like a CAT bond in insurance benefits, can be used to inject capital into the cyber re-insurance market apart from protecting cyber re-insurers from cyber-catastrophes. These bonds link insurance coverage with capital investments in cyber-resilience projects that reduce expected losses from cyber-catastrophes. To this end, the main difference between resilience bonds and CAT bonds is the former’s goal of capturing a portion of insurance value created by cyber-resilience projects governed by critical enterprise infrastructures (e.g., ICSs) in the form of a rebate and transferring them to bond sponsors. This happens in two steps. In the first step, the bond issuer, i.e., a re-insurer and/or a third party (that include independent cyber-risk experts), uses data-driven financial catastrophe models to judge the degree that a cyber-resilience improving effort by an ICS reduces expected aggregate cyber-losses. This degree contributes to the reduction in coupon, i.e., interest, payments to bond investors. In the second step, the cost savings from coupon rebates are distributed to bond sponsors, i.e., cyber-insurers, and subsequently to ICSs in the form of resilience rebates used to finance cyber-risk reduction investments. The difference adds skin to the game of ICSs to boost their security and reduce negative externalities—also paying fewer premiums.

Improving enterprise cyber-security

We have thus far established that cyber-CAT and cyber-resilience bonds have the potential to densify existing cyber (re-)insurance markets covering (aggregate) enterprise cyber-risk by injecting significantly higher capital. On the other hand, dense cyber (re-)insurance markets have been proved via multiple seminal theory studies (Pal, et.al, IEEE INFOCOM 2014, Pal et.al., ACM SIGMETRICS PER 2018, Lelarge and Bolot, IEEE INFOCOM 2009, Shetty et.al., WEIS 2010) to improve cyber-security in principle. Because cyber-insurance premiums act as a strong control mechanism for enterprises to boost their cyber-hygiene and security culture. These results are conditioned on the fact that cyber-insurance be made compulsory for enterprises—though there will be ‘proportional' improvement in cyber-security if a high proportion (if not all) of enterprises invest in cyber-insurance.

About authors

Ranjan Pal (Massachusetts Institute of Technology, Sloan School of Management, USA)

Bodhibrata Nag (Indian Institute of Management Calcutta, India)

Stuart Madnick (Massachusetts Institute of Technology, Sloan School of Management, USA)