Cyber captives: the only way is up
How much money is lost to cyber crime every year globally? According to research company Cybersecurity Ventures it totalled $3 trillion in 2015 and, increasing at a rate of 15 percent a year, could hit $10 trillion in 2025.
And to make matters worse, it’s not just cyber criminals who are targeting companies—the Federal Bureau of Investigation has been warning that foreign governments are targeting the US and other countries, as states including China seek all kinds of information on technology and are willing to hack their way to any advantage. The Russian government is suspected to be behind a number of attacks, especially now that it has been hit by Western sanctions after the invasion of Ukraine.
Companies are therefore understandably nervous about their exposure to cyber threats and are wondering if their insurance covers them correctly.
In a report published in November 2021, Evan Hessel, casualty practice leader and senior vice president and partner at insurance services and risk management firm Woodruff Sawyer, said the cyber insurance landscape has never been more challenging for corporate insurance buyers.
According to Hessel, increased retentions, huge premium increases, and narrowed coverage terms all have corporations searching for alternative solutions for cyber liability. Many companies are asking whether a captive insurance company can provide relief from the increasing prices for commercial cyber insurance.
“Whenever commercial market pricing is tough and availability restricted, captive formations tend to thrive,” John Andre, managing director at rating agency AM Best, told Captive International. “It’s hard to track as you can’t get an accurate amount of global captive premiums. From a rated captive perspective, we have seen some of these carriers add limited amounts of cyber cover.”
Andre said that from what AM Best has seen recently there have been increased formations in the larger captive insurance domiciles. He explained that there are always trends that lead to captive growth in certain areas—years ago it was medical malpractice and then later commercial auto. Now it is cyber as, just as they have been doing for decades, captives have been responsive to business needs.
Taking the captive plunge
Unfortunately, starting a captive insurer for the primary purpose of insuring cyber liability is unlikely to be a cost-effective replacement for commercial cyber insurance, Hessel points out. Forming a captive is not a cheap or simple transaction. Captives require substantive strategic resources, regulatory capital, and operational costs, all of which in total can make traditional cyber insurance look like a smart purchase (even at higher premiums).
Practicality appears to be the key word for the formation of a cyber-linked captive. In June 2022 AM Best issued a new market segment report into the cyber market.
AM Best said that companies have been taking over or having some layer of cyber in their captive. In addition, a number of managing general agents (MGAs) have been focusing on creating their own captive companies or specialty companies so they can share some of the risk and exposure within themselves.
“When a captive, especially a single parent captive, wants to take cyber within itself, it’s a big decision,” Fred Eslami, associate director at AM Best, said.
“They go through an extensive due diligence and research within their organisation. And because of the proximity they have at a captive level, and within the overall enterprise risk management (ERM) of the parent company, it may make sense for the captive to take some layer of its cyber exposure because of its experience, the proximity with IT/HR teams and the ERM framework of the company in part.
“It doesn’t happen overnight, so they go through a calibration of choices and bring in captive managers to do feasibility studies.”
As Andre points out, if the price and terms are reasonable in the traditional market, they will still place the cyber there. But once the prices go up, terms narrow or availability is short or some combination of the three, there is probably more need to put it inside their captive. And as Andre adds, in current market conditions, prices are going up and availability is limited.
Corporations are smart and they don’t want to pay the exorbitant premium that this line demands right now, claims Eslami. While they are expending several $100 million on IT security systems and paying $10 to $20 million in premium, it doesn’t make sense for corporations that spend $200 to $600 million in terms of annual net expenditure for IT and cybersecurity.
However, Hessel adds, for large organisations with well-established captives that hold significant underwriting surplus generated from other coverages, adding cyber liability may be a sensible potential strategy to mitigate the impact of a hardened cyber market.
Most corporate insurance buyers considering a captive for cyber insurance are reacting to recent rate increases and coverage reductions by commercial cyber insurers.
According to Hessel, the first step in evaluating the viability of using a captive to cover cyber risk is to determine whether taking on additional risk is sensible given a company’s financial strength, capital objectives and tolerance for variability in insurance costs.
And as difficult as recent cyber rate increases have been, exposing a company to a large potential loss may not be worth the benefit of removing a cyber premium from the commercial insurance market. Using a captive to write cyber coverage does not eliminate the risk, it simply creates an alternative for organisations to retain and finance cyber risk via actuarially-determined premiums to be paid from the parent company to the captive.
Captives are typically used to underwrite high-frequency, low-severity, predictable claims that pay out over many years. Good examples of these risks are workers’ compensation, general/products liability, medical malpractice, and errors and omissions. These types of risks are easy to model using traditional actuarial methods and are well understood by captive regulators.
However, cyber insurance claims, Hessel underlines, are low-frequency, high-severity events that are extremely difficult to model using even the most cutting-edge analytical tools.
“The volume of historical large cyber claims is small compared to other coverages, so models relying on industry data are imprecise at best,” Hessel says. “The nature and scope of cyber-attacks is evolving quickly; cyber loss forecasters have to rely heavily on assumptions and theory to develop expected loss.
“The potential for severity in cyber claims is greater than for other types of claims. Similar to the severity that drives commercial cyber premiums, the loss funding needs for captives are actuarially-based, informed by market prices and overseen by insurance regulators.”
The cyber road ahead
As to what lies ahead for the cyber captive market, Eslami says that the expectation is that it is going to grow. AM Best’s June 2022 cyber report is based on the domestic US companies which write cyber and according to Eslami this line is now about $5 billion in terms of premiums, and is getting larger than other lines in the insurance industry such as surety, property title and other lines.
For AM Best, cyber is a growing line of business for insurance companies—especially as issues such as ransomware and data breaches are not going to stop, with Eslami describing ransomware as “effectively being a business” for some cyber criminals. He said that the expectation is that this line is going to be much larger than other lines of business and that the National Association of Insurance Commissioners (NAIC) is requiring separate classification and separate risk factors.
“MGAs are in the middle between the policyholders and carriers,” he told Captive International. “They basically underwrite cyber for small and medium-sized enterprises (SMEs), so it doesn’t have to be large corporations.
“For the most part, you know they already have covered themselves but for SMEs the MGAs that are writing or underwriting their business are creating their own specialty cyber insurance companies or captive insurance companies,” he explained.
“This makes sense because these are companies who are providing the service to the policyholders in terms of their cyber hygiene. They understand the gap between what the company needs versus what the coverage is, so they can fill that gap and give the policyholders enough coverage.”
Adding new lines to old ones
Hessel concluded by stating that cyber insurance can be a new line for a mature captive—for companies with existing captives that already have stockpiled capital, adding cyber is a more viable proposition. The captive’s underwriting surplus could address some regulatory risk capital requirements without requiring the captive’s owner to transfer new capital into the captive.
In addition, a mature captive could increase its from-the-ground-up self-insured cyber retentions and use the captive to underwrite part or all of the increased retention. Bumping up the attachment point of commercial insurance can help mitigate industry rate pressure and stimulate insurer competition.
Hessel said that another strategy could be to use the captive to underwrite whole layers within the tower if pricing exceeds reasonable levels, either through a policy issued directly by the captive or by a fronted policy issued by a commercial insurer (and reinsured by the captive).
“Captive insurance could participate in a quota-share basis with commercial insurers for layers above the primary self-insured retention,” said Hessel. “If loss modelling shows current total limits are inadequate, the captive could ‘stretch’ available insurance market capacity by retaining a percentage of the limit on a managed basis.”