Jeffrey Sirr, senior advisor, DeNexus, writes on the strengths and weaknesses of cyber mutualisation.


As the cyber insurance market experienced challenges with losses, capacity reduction, pricing increases and coverage restrictions, the talk of mutualising cyber risk developed into serious action. Two examples are the setting up of Brussels-based cyber insurance mutual Miris (Mutual Insurance and Reinsurance for Information Systems) and the latest proposal to establish a cyber mutual for UK utilities.

Insuring non-life risk via mutual structures has inevitably occurred at times of hardening insurance markets and there are many examples of this in other classes of insurance risk, but we should also understand that the essence of insurance is mutualisation – the pooling of the many to pay the claims of the few.

Mutualisation in the insurance context has usually been based on industry segment, with some examples being Aegis (utilities), Everen (oil and gas companies), Nuclear Mutual (nuclear power producers), ICI Mutual (mutual funds), and group captives for industry associations such as physicians.

However, there have been hybrid structures by class of insurance, with the main examples being the initial formation of ACE and XL to solve the casualty crisis that engulfed the insurance market in the mid-80s.

There are of course differences between insurance mutuals and their stock counterparts. For one, the business model creates the curious dynamic of the customer usually being the owner as well (normally referred to as members). Consequently, there are differences in strategies.

Customer engagement and requirements have to assimilate with those ownership interests without jeopardising the commercial and legal responsibilities of the enterprise.

This dynamic can be compounded should the growth of the mutual incorporate customers who are not also owners. Furthermore, a value-creation mindset is needed rather than the purely profit focus of the stock counterparts.

The strengths and advantages of cyber mutualisation can be many and some examples are:

1. Achieving and maintaining an acceptable, minimum and consistent level of cyber risk management amongst each member of the mutual would enhance the member’s value to its own stakeholders.

2. Knowledge sharing between members would create a valuable brain trust and best practices.

3. There would be greater strategic purchasing power of cybersecurity services.

4. Each member’s business would gain the benefits of digitalisation while being able to manage the risks, supported by the financial stability that risk transfer would bring.

5. Cost savings could occur due to the mutual structure.

6. Mutualising risk lowers the overall potential for significant financial loss to any one entity. However, the quid pro quo is that it also lowers the potential pay-off to the single entity, since the rewards must be shared among the other parties taking on some of the risks.

7. The immediate source of capacity would have greater consistency with mutualisation and can respond to demand fluctuations of members with greater flexibility.

8. The mutual itself can produce monetary value for its members.

Mutualisation can also provide benefits from the perspective of engaging with the established risk transfer market:

a. Utilising the portfolio effect, consistent minimum levels of cyber security risk management and increased risk visibility would enable the risk transfer purchasing capabilities of the mutual members and empower the risk transfer market to apply better terms and conditions more tailored to the mutual members as a whole.

b. There would be flexibility in sourcing this additional risk capital support i.e., co-insurance as well as direct access to the reinsurance and capital markets.

DeNexus’ mantra for the management of cyber risk is “Cyber - A Community Risk Requiring a Community Solution”. As cyber risk is ubiquitous, an appropriate solution to managing it necessitates the appropriate involvement of all parties. This mantra of community is the basis of a pilot programme DeNexus is running for industrial cyber risks.

The pilot programme seeks to bring together the community to determine the potential ways it can provide the solutions for managing cyber risks. Consequently, the participants include industrial risk owners that are using DeNexus’ Cyber Risk Quantification and Management platform DeRISK, a managed security service provider (“MSSP”), risk assumers (both insurance and ILS related) and DeNexus’ analytical services. Each member of the community plays an important role not only in how they interact with each other in the creation of various types of industrial cyber risk management transfer solutions and the necessary documentation, but also in:

i. The establishment of an effective, efficient, and transparent process for claims, including early event notification and loss estimates,

ii. A secure ecosystem for the distribution of what is highly sensitive data, and

iii. The determining of data requirements for risk underwriting purposes and portfolio management.

The ultimate goal is to establish a mutual understanding of the requirements, needs and challenges of each member of the community, and to address them, in order to instill confidence in the community’s overall capability to successfully manage and transfer cyber risks at scale, thereby establishing a foundation stone for cyber risk transfer growth.