The insurance industry is paying increasingly close attention to providing, strengthening and marketing coverage for cyber and supply chain risk. EMEA Captive spoke with the industry about ‘emerging’ lines.
Back in 2011, Sony’s PlayStation online network was hacked, resulting in the leak of millions of account details and unencrypted credit card numbers. Sony was forced to shut down its online platform for over a month, leading to millions in lost gaming revenue, while data security breaches cost the company an estimated $171 million. In May of that year, Citigroup was also hit and admitted that hackers had taken $2.7 million from 3,400 customer accounts. Both incidents, affecting high-profile global corporations, revealed the potential threat posed by cyber criminals and the growing need for data security and cyber risk coverage.
In 2011 the need to consider supply chain risk more closely was also highlighted, with the Tohoku earthquake in Japan and the Thai floods, which resulted in $40 and $15 billion of insured losses respectively, as well as considerable business interruption and contingent business interruption losses. And with the rise in just-in-time manufacturing globally, such risks are only likely to increase in frequency and severity.
In an increasingly interconnected world, all four incidents highlighted the need to deal with cyber and supply chain risk more efficiently. Coverage and expertise were too often found wanting and the insurance industry is now paying increasingly close attention to providing, strengthening and marketing such coverage. But what role can captives play in insuring against such risks?
Supply chain risk is not a recent phenomenon and perhaps shouldn’t fall under the umbrella of ‘emerging’ risk, but concerns such as business interruption and contingent business interruption have become something of a zeitgeist of late. As Nick Wildgoose, global supply chain product manager at Zurich Insurance Group indicated, 73 percent of companies recently surveyed by the company had suffered a significant supply chain disruption in the past year. In addition 39 percent ofrespondents indicated that disruptions had been caused by non-tier one suppliers, suggesting that risks can burrow deeply into the supply chains of global firms. Wildgoose said that events such as Tohoku and the Thai floods had raised awareness and the spectre of loss, but added that “the gap between insurance coverage and economic losses shows there’s a lot of room to extend further coverage”.
Opportunities also abound in the cyber risk area, although the involvement of captives has generally been more limited. As Jonathan Groves, head of Continental European risk management group at AIG indicated: “Captives are well prepared to take on additional risks in the cyber risk and supply chain areas. With substantial capital bases and a good understanding of their own risks, captives are in a position to offer meaningful capacity to their parents. We have clients writing business interruption, cyber and supply chain coverage through their captives.” Groves said that in the case of smaller captives, the chances of their being able to offer meaningful capacity to their parents was likely to limit their involvement in the space, although it is evident that suitably sized captives do have a role to play.
Many companies have collected data around such risks from a loss perspective, said Groves, and with sufficient appetite and capital they can run such lines through their captives. The question is whether when facing real pressure to optimise its use of capital, the parent opts to place such risk in the captive, go to the commercial market or allow the risk to go straight to the balance sheet and deal with losses when they arise, said Groves.
A rising threat
Such risks are certainly worth captives considering as they grow and evolve. As Simon Milner, partner in the specialty financial risk division of JLT explained, while issues such as cyber risk mean different things for different firms, there are ongoing and increasingly significant dangers posed by cyber attacks that can affect “your brand, result in a loss of reputation, and possibly a threat of legal action in the event the data you hold on your corporate clients is exposed”. While for an engineering company this could mean a loss of key information on a particular project, for a bank or hospital it could be a more significant breach of confidentiality, he said.
Citing a recent data breach at a credit card company, Milner said that there had been a loss of reputation, “an obligation to notify customers, provide credit card monitoring, a call centre and forensics, as well as legal advice and card re-issuance costs, with the total cost to the credit card processing firm totalling around $760 million”. The size of such aloss might deter some captives, but they provide some indication of the potential dangers posed by cyber attack.
Threats are not limited to the cyber space. As Groves outlined, “the issue of supply chain risk has shown up every single time there has been a major loss recently—from Tohoku to Sandy”, and he added that while the nature of supply chain risk continues to evolve, it is how the industry responds to such threats and prepares for future losses that will be the major lessons to be learnt from such events.
Wildgoose also spoke of a “learning curve” when dealing with threats such as supply chain and cyber risk, adding that there is no “off-the-shelf solution”. Instead captives need to “work closely with clients in a bespoke way. Supply chain, for example, is a company’s competitive advantage, so no two supply chain (or risk) solutions are going to be identical”.
Tailoring an advantage
How well can captives take on such risks, and are many doing so? “My experience is that if you tailor the proposition to the captive involved, captives can take on risks such as supply chain coverage,” said Wildgoose. “We have clients looking to take the deductible amount or to take low value coverages and start running them through the captive.” Milner added that for single parent captives it is “very much a possibility, and if the captive wants to seek reinsurance from the market, I am sure they would be willing to entertain that risk”.
Groves warned that while risk managers have a strong view of their parent’s risks, third party risks associated with supply chains could present challenges. “If the risk originates outside the business, there can be quite a steep learning curve, with parents having to nurture relationships all the way along the supply chain in order to understand the full nature of such exposures.” He argued, however, that as long as their understanding of such risks is sufficient and demonstrable, there is little reason that they cannot be taken on with some independent assistance around pricing and industry best practice.
Knowledge of the risk evidently plays a significant part in the decision, with Groves arguing that data history will dictate just how capitalintensive such risks will prove. This in turn dictates the minimum size of captive able to write such risks. The question then becomes whether such capital deployment is the most efficient use of the parent’s funds, said Groves. This is one the parent will have to mull over, but he sees no reason why captives cannot be employed to take on emerging risks. He added that mutuals such as Bermuda-based OIL have achieved considerable success in taking on industry-specific risks in the energy sector and others could learn from their approach. “It boils down to understanding the particular risk,” explained Groves.
However, close knowledge of individual risks position captives to benefit from taking on such lines. As Wildgoose outlined, parents can expect to benefit from improved “information capture, because one of the challenges you find at the bigger companies is that they can take a siloed approach that divides the procurement, supply chain, finance and risk management offices”.
“The questions then become: who owns the supply chain and who captures the data on the disruption side? If you bring this all within a captive and report upon it, capturing this market intelligence, then that’s a huge benefit. At the same time, armed with this disruption data, you can also go out and explore your reinsurance options.”
An increasing role
Are captives leading the way in taking on some of these emerging risks? For Groves, the answer is mixed. Captives aren’t leading the way in terms of general policy wording or the understanding of general risk, he said, but in specific areas relevant to their businesses, captives can blaze a trail—and have been doing so. “In some areas individual captives have demonstrated a greater knowledge of risk than the commercial market and have led the way in the way in writing policies and using their wording to crystallise exactly what risk it is they are covering.” A captive’s proximity to its parent’s risk and a close understanding of the means and needs to mitigate such threats can make them a strong fit for emerging risks.
As Wildgoose explained, captives are being used more and more in supply chain and cyber space risk. “They are two key emerging risks and in order to retain their relevance and the investment that is made in them, captives will emerge as the logical place for such coverage to develop.” Milner concurred, arguing that such risks are a “growing area of interest. Numerous conversations are taking place, and supply chain and cyber risk remain areas of great concern to a lot of our customers”.
Events such as the Thai floods and the Sony PlayStation loss should help to focus efforts to take on such risks, but so will legal change. “Another big loss would certainly help focus minds,” said Milner, “while a changing legal and regulatory environment is also driving interest.” As he explained, companies will in future be compelled to disclose losses associated with cyber attacks publicly and notify each customer “with a whole slew of costs involved”. In the US, credit file monitoring has already taken root, he said, with the demands of consumer protection in an increasingly online age driving greater purchase and awareness of cyber coverage.
On the supply chain side, various regulatory measures around supply chain transparency are already in place for industries such as the pharmaceutical and the food industries for health and safety reasons, said Wildgoose, and it is expected that further regulatory measures are in the offing. As he indicated, around 70 percent of quoted US companies have cited supply chain risk as a major concern and such statistics are likely to heighten calls for greater understanding of, and coverage for, such exposures.
There is certainly a part for captives to play in extending their involvement, should their capabilities be sufficient to provide meaningful coverage. As Groves indicated, “a lot of captives are underutilised and as a result we are seeing a lot more discussion around particular emerging risks being considered for captive programmes”. He added that Solvency II would act as a further driver, with the regime encouraging greater diversification as a means of managing the impact associated with capital increases—a factor that would also apply to captive insurers. “Adding additional lines will be an important part of captive strategy going forward—more than has previously been the case,” said Groves. It seems that emerging lines could increasingly form a component part of the captive landscape.
Emerging risks, captive insurance, cyber risk, supply chain risk