Every insurance market has a last resort. When the tail risk gets too heavy for any single balance sheet, reinsurers absorb the excess. When even reinsurance has limits, the risk migrates to capital markets. In property insurance, that migration happened decades ago. Hurricane and earthquake catastrophe bonds are a mature asset class with established models and a long track record.
In cyber, the migration started three years ago. Over $1.2 billion in 144A cyber catastrophe bonds are now outstanding. The asset class did not exist before November 2023.
cat bonds
decline, 2024 to 2025
ever triggered
The $1.2 Billion Experiment
AXIS issued the first 144A cyber catastrophe bond back in November 2023. Long Walk Re raised $75 million and became the template for every deal that followed.
Beazley moved next and kept going. Four PoleStar Re deals between December 2023 and December 2025 raised a combined $810 million, with deal sizes growing from $140 million to $300 million. The latest, PoleStar Re 2026-1, is the largest cyber cat bond ever issued and the first with a three-tranche structure and a three-year term. After the earliest deal matured, Beazley has roughly $670 million outstanding. More than every other sponsor combined.
Chubb entered in the fourth quarter of 2025 with East Lane Re, a $150 million deal that introduced a structural innovation: the first annual aggregate cyber cat bond, covering cumulative losses over a year rather than losses from a single event.
Hannover Re took a different approach entirely. Its Cumulus Re series, ranging from $13.75 million to $35 million per deal, uses parametric triggers tied to cloud provider outage duration. If AWS, Azure, or GCP goes down longer than a specified threshold, the bond pays. Clean and fast, but very narrow.
Three sponsors dominate the market. No new 144A sponsor entered in 2025.
What Zurich Bought With Beazley
Beazley’s $670 million in outstanding cyber cat bonds has not gotten much attention in the coverage of the Zurich acquisition. It should.
When I wrote about the Zurich-Beazley deal in “Buy or Cede,” the focus was on underwriting capability and breach response data. But Beazley also built the most developed capital markets pipeline for cyber risk transfer in the industry. Beazley pioneered the asset class, established investor relationships, and built modeling credibility with ILS funds that are still cautious about cyber.
In May this year, Allianz transferred its entire standalone cyber book to Coalition, a specialist MGA, under a ten-year exclusive agreement. Coalition has not issued a single cat bond.
Zurich bought the full stack including the capital markets exit. Allianz outsourced underwriting but kept the balance sheet.
The Trigger Problem
Cyber cat bonds work differently from hurricane bonds. That difference matters.
Eight of the ten 144A cyber cat bonds issued to date use indemnity triggers, meaning they pay based on the sponsor’s actual losses. In natural catastrophe bonds, parametric and industry loss index triggers are established alternatives with decades of history. A hurricane bond can use a wind speed reading at a geographic coordinate. An earthquake bond can trigger at a magnitude and depth. Decades of physical science make those measurements reliable.
Cyber has nothing comparable. PCS Global Cyber, the closest thing to an industry loss index, has designated only three events since launch: MOVEit, Change Healthcare, and CrowdStrike. Compare that to the PCS property index, which draws on loss data going back to the 1950s.
Indemnity triggers dominate in cyber because investors do not trust parametric or index-based models yet. The tradeoff is significant: indemnity eliminates basis risk for the sponsor but locks investor capital for two to three years during loss development. Hannover Re’s parametric structure is the exception, because cloud outage duration is measurable, fast to settle, and binary. But it covers only one narrow slice of cyber risk.
Why Cyber Is Harder Than Weather
A cyber attack does not.
The correlation problem is fundamental. Plenum Investments, a major ILS fund, treats all existing cyber cat bonds as a single correlated risk and caps total cyber exposure at 2% of fund NAV. In property cat bonds, an investor can diversify across Florida wind, Japanese earthquake, and European flood. In cyber, a single vulnerability can trigger every bond simultaneously.
The modeling problem compounds the correlation. CyberCube and Moody’s RMS are the two dominant cyber risk modeling vendors, and they approach the problem from radically different philosophies. The numbers they produce are different. In natural catastrophe modeling, decades of refinement have narrowed the gap between vendors. In cyber, the models are calibrated against roughly a decade of data in a risk environment that reinvents itself on an 18-month cycle.
Cyber risk is adversarial. Hurricanes do not learn from defenses. Threat actors do. When you reinforce a roof against a hurricane, the next hurricane does not adjust course. When insurers require multi-factor authentication, attackers develop session hijacking. When companies train their employees to spot phishing, attackers deploy AI-generated deepfakes. The worst cyber losses can run 25 to 61 times the average loss, compared to 20 to 30 times for natural catastrophe.
And, no cyber cat bond has ever been triggered. CrowdStrike in July 2024 crashed 8.5 million systems and produced an estimated $5.4 billion in Fortune 500 costs, with insured losses between $300 million and $1.5 billion. It was the closest test. It fell well below the attachment points, the loss thresholds that would trigger a payout. Every observation about how these bonds perform under stress is still theoretical.
The Threat Multiplier
The risk is growing faster than the market’s ability to model it. AI-generated deepfake fraud caused over $1 billion in US losses in 2025, triple the prior year, and Munich Re expects AI to increase attack frequency more than severity. When frequency rises faster than pricing can adjust, the models fall behind. NIST plans to retire current encryption standards by 2035 as the quantum timeline compresses, and nation-states are already collecting encrypted data for future decryption. Lloyd’s war exclusion now requires standalone cyber policies to exclude state-backed operations, but attribution remains unresolved. The Merck NotPetya dispute took seven years to settle.
What the Pricing Tells Us
When the first cyber cat bonds came to market, investors charged a steep premium for the novelty of an untested asset class. That premium has eroded 36% from 2024 to 2025, according to Gallagher Securities. Beazley’s PoleStar Re 2026-1 priced at 6.8 times expected loss, down from 10.7 times on the 2024 deals. Investors are getting more comfortable with the risk.
But “more comfortable” is relative. Cyber cat bonds still trade at roughly 2.7 times the broader cat bond market average. The structural reasons for that premium have not changed. Only four sponsors have issued 144A cyber cat bonds. The economics require a portfolio large enough to justify $500 million-plus attachment points, and three consecutive years of declining cyber reinsurance rates have undercut the case for new entrants.
Why This Matters Beyond the Capital Markets
More capital absorbing cyber tail risk is good for every institution that holds a cyber policy. More capacity means more competition, better terms, broader coverage.
But only if the structure holds when tested. The community banks I audit carry policies that sit at the end of a chain: carrier, reinsurer, capital markets. If any link in that chain reprices after a systemic event, the policyholder feels it at renewal.
The chain behind your policy matters. No cyber cat bond has ever been tested by a systemic event. When one is, the answer to “who pays” will depend on structures that most policyholders have never seen.
