Beyond the Peaks - Cyber as a Catastrophe Risk

June 19, 2025

Is cyber set to become the next peak peril?

Key takeaways:

  • To manage tail behaviour, catastrophe bond investors need to look beyond the two peak perils of US wind and US quake
  • Cyber, a man-made threat, is orthogonal to other perils and demand for cover cannot be fully met by traditional reinsurance
  • We see opportunity for cyber to experience steady growth in the cat bond market and to become a diversifying ‘third peak peril’

Introduction

The US$54 billion catastrophe (cat) bond market is dominated by the peak perils of US wind and US quake with over 70% of outstanding notional exposed to the former, and over 45% to the latter.

These perils dominate the cat bond market for a reason – sponsors need large amounts of cover and cat bonds offer diversification of capital providers; zero credit risk; multi-year cover; and pricing competition with traditional reinsurance. In turn, investors value the diversification that insurance offers relative to financial assets.

But cat bond investors are running an insurance portfolio just like reinsurers are, where tail concentrations are penalised and managed through an insurance solvency capital requirement.1 To manage tail behaviour, cat bond investors need to look beyond the two peak perils.

In this, part two of a series on the asset class, we examine cyber as a man-made peril. As well as being orthogonal to other perils, there is demand for cyber cover that cannot be fully met by traditional reinsurance. As a result, we see opportunity for this peril to experience steady growth in the cat bond market and perhaps become a diversifying ‘third peak peril’.

The emergence of cyber as a cat bond peril

History of cyber cat bond issuance

Recall that the origins of the cat bond market were large catastrophes denting reinsurance capital in the 1990s and a realisation that, for peak perils, “traditional reinsurance capacity is necessarily limited … (therefore needing a long-term) … supplement of additional capacity”.2

Moving to cyber, traditional insurance gross written premium (GWP)3 is estimated to have been growing at more than 20% per annum (from US$3.9 billion in 2017 to US$15.3 billion in 2024). This growth is expected to continue at a rate of more than 10% per annum, with GWP forecast to more than double by 2030.4 As carriers acquire increasing amounts of this risk, it becomes a peak peril primed to tap the cat bond market.

Many perils have histories dating much further back than one might think. For example, terrorism made the headlines when the Baltic PCC deal was launched for Pool Re in 2019, yet it was the 2003 Golden Goal Finance deal, sponsored by FIFA, that first brought terrorism to the cat bond market. Similarly, the Vision 2039 deal provided UK flood cover for Flood Re for the first time in 2025, yet this peril first emerged in the Blue Wings deal of 2007.

Cyber as a cat bond peril is more recent, but groundwork for securitising cyber risk was laid earlier by:

  1. Property Claim Services (PCS) launching the PCS Global Cyber Industry Loss index in 2017;
  2. AIR, CyberCube, and RMS all launching cyber risk modelling platforms in 2018; and
  3. The launch of the Parametrix Cloud Monitoring System

The first provides a centralised source of historical loss information and facilitates industry loss structures, the second provides alternative perspectives on risk, and the third facilitates cloud outage risk transfer.

It is worth noting that the multiple risk models are not simply different corporate implementations of the same concepts – rather, they take different modelling approaches. For example, CyberCube takes a bottom-up approach centring on impacts of Single Points of (technology) Failure, assessing the accumulated loss across individually impacted companies.5 Taking a different approach, RMS develops a range of plausible, extreme cyber event scenarios that could lead to widespread, correlated losses. These scenarios form the basis of a stochastic event set, allowing for a probabilistic view of potential losses.6

From there, cyber securitisations followed, first in the private 4(a)(2) market and then in the public 144A market. The private market saw Beazley launch Cairney 1, 2, and 3 in 2023 for a total of US$81.5 million of cyber indemnity cover,7 and in 2024 Hannover Re launched US$13.75 million of cloud outage cover (renewed and upsized in 2024). In the public market, AXIS, Beazley, Swiss Re and Chubb tapped the market for a total of US$785 million of cover (Figure 1).

Figure 1. Timeline of private and public cyber deal issuance

Source: Man Group database.

Are all cyber deals the same?

What diversification benefits emerge from holding a basket of cyber deals? Table 1 illustrates some key features of the public deals. A common characteristic is their triggering on single events (rather than aggregating multiple, smaller losses throughout the risk period). The standout is perhaps the industry index deal for Swiss Re (where the index is administered by PERILS8) while the others indemnify against insured losses. This forms a convenient basis for comparison.

Table 1: Key terms of public cyber deals

Indem: indemnity, IndIx: industry index, Occ: per occurrence. Source: Artemis.

The index covers US losses, in contrast to the other deals which have global coverage. That said, this difference is perhaps not so significant given that cyber insurance penetration, and therefore likely reinsurer exposure, is much greater in the US.

As originally conceived, and as applied to the Swiss Re deal, the PERILS index covers intentional (malicious) events. This is in contrast with other deals, which include non-malicious events. It should be noted that in late 2024 (following the earlier CrowdStrike outage), PERILS expanded coverage to include non-malicious events.9 This made no difference to the existing deal, but suggests that future index deals may well also cover non-malicious losses.

The index is an aggregation of data from the largest participating insurance companies (grossed-up to cover the entire cyber market), who will each apply their own coverage conditions and exclusions. As such, it ‘follows the fortunes’ of the market. Specifically, the index does not explicitly exclude war and infrastructure, whereas the other deals do.

Finally, the index covers events affecting two or more insureds. In that sense, it is capturing ‘systemic’ events. The AXIS deal is similar, whereas Beazley and Chubb also cover single claims.

In terms of risk and reward, the modelled risk of the deals ranges from one-in-50 year to one-in-100 year events. Relative to many other perils, the spreads are attractive (circa 9-13%), reflecting the novelty of the peril, modelling uncertainty, and a significantly more limited investor base.

What of outages to the ubiquitous clouds? Insurers and investors should be concerned that a large-scale cloud outage could lead to extensive business interruption, so while all deals have some cloud exposure, sub-limits and waiting periods may be imposed at policy level. Hannover Re tackled this risk head-on with the Cumulus Re private deal launched in 2024 and subsequently renewed and upsized in 2025. The deals cover specific cloud providers, regions, and services. Should they experience an outage in excess of a specified waiting time, then the bonds will start to erode. Monitoring of the clouds (and modelling of risk) is performed by Parametrix, and this straightforward arrangement should lead to very short tails (the time between event and settlement of the claims) in the event of an outage.

Just how remote are the events covered?

The expected losses of the public cyber bonds are all comparable (one-in-50 year to one-in-100 year risks), but what does a triggering event look like? Have we already seen one? The picture is obscured by the fact that economic losses (somewhat visible) and insured losses (less visible) are not the same thing. Interpreting the attachment point for an indemnity deal also requires apportioning losses from an event to the insurer on the basis of their market share, geographical coverage, and sector exposures.

As a result, the Matterhorn industry index deal is perhaps a good starting point. It attaches at US$9 billion of industry insured losses, and exhausts at US$11.5 billion.

This represents a very severe event, of a magnitude not witnessed before. We have not seen economic losses from single events approach this figure, even before scaling down economic losses given limited insurance penetration (large US corporates being the most developed). Swiss Re estimates that circa 80% of large corporates (annual revenue above US$10 billion) have adopted cyber insurance, while the percentage is only around 10% for SMEs (annual revenue below US$100 million).10

Should an allocator consider cyber insurance (a man-made peril) in their portfolio?

Cyber insurance may be intellectually interesting, but does it belong in a cat bond portfolio?

There may be very specific reasons why a manager may choose to exclude it. For example, their mandate may not allow it (e.g. it may be limited to natural catastrophe risk). Alternatively, a manager may have built up a team of specialists by peril but have no equivalent cyber capability. Modelling uncertainty, with, perhaps, US wildfire as the nearest analogue, may also prompt them to wait for the peril to mature.

Yet there are numerous mitigating factors. Firstly, the (notional weighted) spread per unit of risk for the above deals is about 9.2, which is high relative to traditional perils (currently, natural catastrophe deals average about 4.5), in part to compensate for model uncertainty.

Given that none of the bonds have been eroded by losses, it should come as no surprise that historical performance has been strong. Spread tightening in the peril has provided an additional boost. If we look at the market-cap-weighted return of public cyber bonds and compare it with the Swiss Re index over the same period (which is market-cap-weighted over natural catastrophe perils) we see that the former has returned 18.1% per annum, compared with 13.4% per annum for the Swiss Re index. It is unsurprising that cyber performance was not dented by the 2025 LA wildfires, and the fact that the bonds were not marked down around the time of the CrowdStrike outage illustrates that they are covering remote risks.

Figure 2: Since the launch of public cyber bonds, a market cap weighted portfolio has outperformed an equivalent natural catastrophe portfolio (represented by the Swiss Re total return index)

Source: Man Group database, Swiss Re, as of May 2025.

Cyber and natural catastrophes are quite clearly uncorrelated, but why does this matter? One perspective is to think about an insurance solvency capital requirement (ISCR) which obliges an insurer to have sufficient capital to support losses at, say, the one-in-200 year level.11 If we have a set of three uncorrelated perils, each paying a spread of 10% with an expected loss of 2% (i.e. one-in-50 years), then an equal-weighted portfolio requires enough capital to support the loss from one of them (Figure 3, left). That is because the probability of two or more perils defaulting is more remote than one-in-200 years. If we add a fourth peril (in equal weight), then the one-in-200 loss still only captures a single default. Therefore, we have two options, both attractive: retain the limit (total exposure), reduce the ISCR and leave the expected return unchanged (Figure 3, centre), or increase the limit, leave the ISCR unchanged, and earn a higher expected return (Figure 3, right).

Figure 3: A portfolio of three independent risks with a limit of 100m has a 1-in-200 year ISCR of 33m and expected return of 8m per annum (left). Adding a fourth peril allows us to reduce the ISCR while retaining the expected return (centre), or retain the ISCR while increasing the expected return (right)
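The capital arithmetic behind Figure 3, worked as an added example (not part of the original article). It assumes each peril is an independent, all-or-nothing loss of its full allocation with annual probability equal to its 2% expected loss; the function names are illustrative. It also goes one step beyond the text by checking how many perils can be added before the one-in-200 loss starts to capture two defaults.

```python
from math import comb


def defaults_at_return_period(n, p, years=200):
    """Smallest k with P(more than k of n independent perils default) <= 1/years.

    This is the 1-in-`years` quantile of the default count under the
    (assumed) independent, binary-loss model.
    """
    cdf = 0.0
    for k in range(n + 1):
        cdf += comb(n, k) * p**k * (1 - p) ** (n - k)
        if 1 - cdf <= 1 / years:
            return k
    return n


def portfolio(n, limit, spread=0.10, el=0.02, years=200):
    """Equal-weighted portfolio of n perils sharing a total limit (in millions)."""
    k = defaults_at_return_period(n, el, years)
    return {
        "defaults": k,                            # defaults captured at 1-in-200
        "iscr": k * limit / n,                    # capital to absorb those defaults
        "expected_return": limit * (spread - el)  # spread earned less expected loss
    }


def limit_for_iscr(n, iscr, el=0.02, years=200):
    """Total limit an equal-weighted n-peril book can write for a fixed ISCR."""
    k = defaults_at_return_period(n, el, years)
    if k == 0:
        raise ValueError("no default captured at this return period")
    return iscr * n / k


if __name__ == "__main__":
    left = portfolio(3, 100.0)                    # Figure 3, left
    centre = portfolio(4, 100.0)                  # same limit, lower ISCR
    right = portfolio(4, limit_for_iscr(4, left["iscr"]))  # same ISCR, more limit
    for name, p in (("left", left), ("centre", centre), ("right", right)):
        print(f"{name:6s} defaults={p['defaults']} ISCR={p['iscr']:.1f}m "
              f"E[return]={p['expected_return']:.2f}m")
    for n in range(3, 8):                         # where does diversification run out?
        print(n, "perils ->", defaults_at_return_period(n, 0.02), "default(s) at 1-in-200")
```

Under these assumptions the single-default result holds up to five perils; with six, the probability of two or more defaults exceeds one-in-200 and the ISCR must cover two allocations.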

This makes a case for adding cyber to a pure natural catastrophe portfolio, but what if that portfolio already has a large equity exposure? Specifically, are cyber and equity markets related?

Table 2 lists some notable cyber events, and Figure 4 aligns them on the S&P 500 total return. It is clear that recent cyber events have not impacted the equity market much, and that material equity moves are driven by other factors. Cat bonds in general, and cyber bonds in particular, have proven to be a good diversifier.

Table 2: A selection of (mostly malicious) cyber events

Figure 4: Cyber events have had very little impact on the S&P 500

Source: Bloomberg, as of 1 June 2025.

Conclusion: A third peak peril?

What will drive further growth of the cat bond market, currently at US$54 billion? On the investor side, strong recent performance, diversification, and increasing mainstream press coverage are supporting interest.

Where will additional supply come from? We see a steady stream of new sponsors in the space, and inflation also drives increased demand for cover. New perils are the other source of capacity. Some new perils (e.g. New Zealand quake) are naturally constrained in demand, but the demand for cyber cover has been growing, is substantial, and has room for further growth.

Cyber as a peril is not without its challenges. It is a dynamic space, with limited historical data, and confidence in modellers will take time to build. While not all funds include this peril, those that do see higher spreads to compensate for these uncertainties.

Yet rewards have been attractive for those who were early adopters, and we believe cyber has the potential to become the third peak peril over time.

The authors would like to thank Richard Gray, Head of Third-Party Capital at Beazley plc, for his helpful comments.

 

1. i.e. setting capital to support a one-in-X year capital shock.
2. Source: https://scholar.harvard.edu/files/kenfroot/files/the_market_for_catastrophic_risk.pdf
3. Gross written premium refers to premiums received from policies without regard to any insurance claims or purchase of reinsurance
4. Source: https://www.munichre.com/en/insights/cyber/cyber-insurance-risks-and-trends-2025.html
5. Source: https://www.fitchratings.com/research/banks/quantifying-us-bank-systemic-cybersecurity-risk-fitch-cybercube-model-impact-of-systemic-cyber-events-on-us-banks-10-08-2021
6. Source: https://www.moodys.com/web/en/us/insights/announcements/rms-releases-industrys-first-probabilistic-cyber-risk-model.html
7. Source: https://www.beazley.com/globalassets/ir-documents/presentations/2024/cyber_risks_1st_october_update.pdf
8. PERILS AG aggregates and distributes industry catastrophe loss data to facilitate index-based risk transfer
9. Source: https://www.perils.org/files/News/2024/Company-News/Cyber/2024-09-23-PERILS-CyberAcuView-Press-Release-US-Cyber-Loss-Index-Unintentional-Loss-event-reporting.pdf
10. Source: https://www.swissre.com/risk-knowledge/advancing-societal-benefits-digitalisation/about-cyber-insurance-market.html
11. Source: https://www.skadden.com/insights/publications/2024/06/the-standard-formula-a-guide-to-solvency-ii-chapter-8
12. Source: https://spectrum.ieee.org/the-real-story-of-stuxnet
13. Source: https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031
14. Source: https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html
15. Source: https://www.reuters.com/article/business/verizon-yahoo-agree-to-lowered-448-billion-deal-following-cyber-attacks-idUSKBN1601EK/
16. Source: https://www.reuters.com/article/technology/cyber-attack-could-cost-sony-studio-as-much-as-100-million-idUSKBN0JN2L0/
17. Source: https://www.isaca.org/resources/isaca-journal/issues/2023/volume-6/lessons-learned-from-the-bangladesh-bank-heist
18. Source: https://www.breachsense.com/blog/equifax-data-breach/
19. Source: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
20. Source: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
21. Source: https://www.simmons-simmons.com/en/publications/ckgwfvhmp1g2r0a71j9xyp76j/marriott-is-fined-18-4m-for-massive-data-breach
22. Source: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021/the-threat/solarwinds
23. Source: https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic
24. Source: https://www.theguardian.com/technology/2021/may/19/colonial-pipeline-cyber-attack-ransom
25. Source: https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance
26. Source: https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
27. Source: https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack https://www.ibm.com/think/news/change-healthcare-cyberattack-exceeds-1-billion-costs
28. Source: https://en.wikipedia.org/wiki/2024_CrowdStrike-related_IT_outages