As the threat of cyber crime has become a major worry for all companies, it may surprise some to discover that firms are starting to manage this risk in their captives. US Captive explores the logic of such a move.
Using a captive is not an obvious solution for companies grappling with their ever-growing and always changing cyber risks. By definition, a cyber loss has the potential to be high severity but low frequency—exactly the type of risk managed by the wider commercial markets as opposed to a captive that tends to manage better understood and predictable risks.
Yet while the numbers remain small in relative terms, a growing number of large companies are interested in turning to their captives to help manage this risk either on a standalone basis or by participating in an industry-type mutual.
Peter Mullen, the chief executive of Aon’s global Captive and Insurance Management, says that within the broker’s own portfolio of captives, it has seen significant growth in the number of companies using their captives to manage cyber risks, but this is starting from a very low base. He said the number of captives taking in cyber risks increased from 1 percent to 2.5 percent in a space of some 18 months.
“They are not doing anything dramatic with it,” Mullen says, indicating that most companies are simply maintaining the deductible in their captive and buying reinsurance or an excess-of-loss policy in the commercial markets. They also tend to copy the types of policies and pricing available in the private market.
"It would be natural that more companies look at this as a potential solution either on a standalone basis or as group captive.” Peter Mullen, Aon Captive and Insurance Management
He says an added motivation for using a captive for this risk is to “incubate” the risk so they can see how it performs in regulated insurance conditions where they collect premium and pay claims over a period of time.
“This allows them to assess the loss experience over several years and make better decisions over how to cover it in the future,” he says.
He adds that one of the biggest challenges companies face, however, is properly assessing and quantifying the risk. “It changes so rapidly that is a real challenge for any company,” he said.
Taking the risk seriously
Recent studies show a mixed picture in the way companies are handling the threat of a cyber attack but it is clear that more companies are taking it seriously and are seeking solutions.
In April Aon published a survey of large companies’ attitudes towards cyber risk and how they manage it. It found that their biggest concern around cyber risk is business interruption, both during a breach and post-breach, while bodily injury and property damage was rated as their lowest concern.
Mullen points out that losses are starting to move from the intangible world of data into the physical world, resulting in direct damage resulting from cyber attacks. He notes that while cyber policies do not tend to cover physical losses, property policies can sometimes also exclude this type of loss.
The study found that only 59 percent of companies have used a formal risk assessment process to help inform their insurance strategy around cyber, a process that would help most companies get a better handle on the risk.
It also found that 68 percent of companies that buy cyber insurance do so for balance sheet protection and to ensure due diligence comfort for their board of directors. Yet of those that buy, 75 percent have concerns over the loss adjustment process and 99 percent suggest policy terms and conditions need to be clearer.
In terms of buying coverage in the first place, more than 50 percent do not buy any but this varies greatly by industry with companies classed as data holders the most likely to buy (70 percent) compared with just 17 percent of product risk companies (eg, agriculture, chemicals, food and beverage), which buy coverage.
Keeping tricky risks close
One of the conclusions of the survey is that, given the uncertainty over the nature of this risk and what can be covered in the commercial market, more companies could turn to captives to get a better handle on it. The survey revealed that 94 percent of companies would consider sharing their risk with others in their industry as part of a captive facility writing cyber.
“A captive is a risk financing tool and cyber risk is on every agenda now. It would be natural that more companies look at this as a potential solution either on a standalone basis or as group captive,” says Mullen.
Cyber accounts for around $2 billion of premiums globally now but this is expected to grow to $10 billion by 2020. So while adoption rates remain low, more companies are starting to use their captives to manage their cyber risks.
Chris Maiato, principal, EY, chaired a panel discussion on this topic at an industry event recently. The session charted the evolving and growing threat of cyber risk and documented how companies, regulators, insurers, reinsurers and the captive industry are responding.
“Technology is now the cornerstone of everything we do. But it is an escalating risk and the reality is that all organisations will suffer some type of cyber event at some stage,” said Maiato.
“It is a threat that is constantly evolving, however, and attacks can be very expensive to deal with. The harsh fact is that many companies have already been breached.”
Larikus Scott, partner, Krys Group, noted that many companies see the solution to the cyber threat as being technology. “But that is a big mistake. Without the right people and processes, technology does not serve any purpose,” he said.
John Masters, underwriter, AIG, gave an overview of the types of coverage available in the commercial market and how this has evolved over time. He said that whereas historically only certain industries such as financial services saw themselves as at risk that has changed rapidly in recent years thanks to so many high profile data breaches plaguing industries including healthcare, hospitality, social media sites and retail companies.
Aon, North America, Peter Mullen, Captives, Insurance, Risk management, Reinsurance