A comprehensive solution to cyber
Cyber risk is emerging as a growing threat to companies—and it is one that is constantly changing. But captive insurance can play a meaningful role in managing it. A captive can be used to tailor specific coverages, lowering the total cost of risk and keeping insurance programmes consistent in the process.
This is according to Anup Seth, managing director of Aon Insurance Managers (Bermuda), who explains to Captive International how cyber insurance is evolving, and how the sector is growing. More companies are looking at alternative ways to insure this risk, he says.
“The captive can have a meaningful retention, and that can keep the total cost of risk lower for the parent company,” says Seth.
“You can look at the policy form and tailor it for the exposures within your company. Then you can use that within the captive and buy reinsurance on a consistent basis. It’s very important to have a consistent policy form throughout your entire insurance or reinsurance portfolio.”
Cyber insurance penetration in the commercial markets has been very low to date. Seth suggests that companies that have bought cyber coverage have, typically, been large data holders—financial institutions, retail companies and healthcare companies—which are looking for protection against a data breach.
This coverage is now opening up to companies that are not necessarily holding personal data, but have critical technology in their supply chain that may be subject to physical damage, bodily injury or business interruption exposures arising out of a cyber event.
“This opens up the industry to general manufacturing, utility companies, and life sciences companies,” says Seth.
“A much broader range of industry sectors are now looking at this approach to cyber because it meets their needs. They’re looking at how to mitigate that exposure by buying insurance or a risk transfer solution.”
An evolving risk
Given cyber’s rising exposure and importance, Seth explains, Aon is now treating cyber separately as a standalone peril—previously it would have been an extension to a property or casualty policy.
“With technology being such an integrated part of all businesses, cyber risk is evolving, and the exposures that are now attributable to a cyber breach are quite significant. As a result, cyber insurance is evolving as well,” says Seth.
In Aon’s Global Risk Management Survey 2017, some of the greatest concerns for risk managers included physical damage and business interruption losses arising out of a cyber event.
“Those types of exposures were not necessarily covered under previous cyber coverages that were just an extension of property or liability coverages.”
There have been challenges in assessing cyber risk, he adds, as traditional methods of analysing risk from historical claims data are not as helpful for cyber, which has emerged only in the last few years.
“We have to take a different approach to underwriting cyber risk, and also to understanding the cyber exposures within an organisation,” he explains.
One of the ways Aon is addressing cyber is through its Cyber Captive Program. This involves first understanding the cyber exposure of a company by undertaking a cyber resilience review.
Cybersecurity engineers conduct this review, looking at the strength of the cybersecurity controls within an organisation and comparing them with best practices. The review plays through different scenarios, such as critical controls that protect core assets suddenly failing, to quantify what the cyber loss would look like.
“Akin to obtaining an engineering report before underwriting a property, before you undertake the underwriting of cyber risk you need to understand the cyber controls, through the resilience review,” Seth continues.
Organisations also need to understand what their cyber insurance policy will look like now that insurers are treating cyber as a standalone peril. The resilience review would look at both non-physical and physical damage losses arising from a cyber event, and first-party and third-party coverage would also now be included under this new approach, he says.
“When you look at the industry in total, the cyber industry is worth around $2 to $3 billion. We’re expecting that to grow to $10 billion in the next three to five years, and captives will play an integral role,” Seth adds.
An evolving product
Once an organisation understands its cyber exposures and the type of coverage it needs, a captive can have an important role to play in developing specific cyber insurance towers, explains Seth.
“For example, after the cyber resilience review the captive or parent company might like to buy $500 million of cover. As part of its programme structure, the captive retains the first $50 million of cover, and will then buy reinsurance for the remaining $450 million.
“That reinsurance is on the same policy form as the primary $50 million,” he says. “It’s important that you have the same consistent coverage in your insurance tower or programme.”
If there has been a specific cyber breach which has led to a physical damage loss or a business interruption loss, for example, Seth says there will be no confusion over which policy is going to respond, and it will be able to respond immediately.
“There are no coverage gaps,” he says. “If you take the old approach of extending the property or casualty policy to cover cyber, if you had a cyber issue with one of your business partners in the supply chain, and it’s a contingent supply chain issue that caused an impact in your business—was that covered?”
Seth suggests this solution resolves the debate as to what policy is going to respond to a certain exposure, removing any ambiguity.
Another reason he says insurance carriers will prefer a captive solution is that the client has a meaningful retention and, effectively, skin in the game.
“Using a captive rather than a self-insured retention, you are creating a mechanism where all your data and all your analysis are stored into one company. It’s a more efficient way of dealing with third parties—especially in a claims scenario as well,” he says.
In terms of policy wording, Seth says that while you can still create a bespoke policy wording through buying direct insurance, it will be easier when the captive is retaining the first $50 million on the same policy form to build upon that and create a $500 million programme.
Another advantage of setting up a captive—based upon its strength after taking the resilience review—is that the captive can price the primary layer of the total cost of risk, which can set the tone and pricing consistency for the rest of the programme.
“Because it’s an emerging risk, there’s still a divergent view in the market with regard to pricing. It’s an important reason to have a captive in place—so to some degree you are driving the pricing as well.”