3 October 2023 | Article | Analysis

Captives: a solution built for cyber risk

The first cyber insurance policy was written by AIG in 1997 to cover customer credit card data stored on servers. Those policies provided up to $250,000 in legal fees if there was a data breach, and the premiums started at $2,500 a year.

Selling the idea of this policy, without any actuarial data on the risks, was not easy. The coverage of that first policy couldn’t have anticipated the cyber liability that would exist almost two decades later. The growth, volatility and unpredictability of cyber liability is difficult for most people in the insurance industry to comprehend, let alone predict, and the data is difficult to assemble.

For the last decade insurance companies have been offering cyber insurance policies without understanding the risk before offering coverage, assuming that claims would never come. Now, after several high-profile legal wins for policyholders, insurers have had to make good on those policies, and as a result cyber insurers have seen significant losses in recent years.

In response to these losses, companies are either declining to cover cyber risk or have chosen to severely restrict coverage. Additionally, they have begun pricing policies so high that many business owners can’t afford to seriously consider meaningful coverage.

According to the US Government Accountability Office: “As demand for cyber insurance has increased, so has uncertainty about the market. It’s become more challenging to price cyber risk and to make this coverage available.

“The cost of cyber insurance is based in part on the frequency, severity, and cost of cyber attacks, all of which have been increasing. The uncertainty about future threats also plays a role, and insurers have become more selective about who and what gets covered. In our 2021 report, we found that a number of insurers reduced coverage limits or increased premiums for higher-risk organisations and industries, such as academic institutions or the health care and public sectors.

“Insurers have tightened policy terms and conditions to reduce unexpected losses from cyber attacks. Traditionally, commercial property and casualty policies could include limited cyber coverage. But now, carriers are becoming less likely to include it, and are instead offering cyber coverage separately. For policyholders, these changes translate into fewer coverage options, stricter standards, and more exclusions.”

What does this mean for companies who need to insure their cyber risks? What options are available with meaningful coverage that take into account the actual risks facing your company that aren’t cost-prohibitive?

An honest look at the unruly nature of cyber risk tells us that the insurance market still isn’t prepared to insure such an unstable risk environment, at least not with traditional coverage. With the instability of the traditional market, insurers are telling us that themselves.

While there is no perfect solution, there may be ways to add cyber risk to your captive to solve the problems that cyber presents to traditional insurance.

Problem: cyber risk is a new and emerging threat

As fast as solutions are found to any particular threat, more threats pop up. Cyber criminals innovate faster than the technical solutions to the threats they pose, and much faster than insurance plans can even dream of keeping up with.

A captive can change and respond faster than the traditional insurance market, pivoting quickly to adapt to emerging risks, and it can be designed to evolve as quickly as cyber criminals innovate.

Problem: a limited loss history makes coverage difficult to price accurately and potential losses difficult to quantify

The traditional insurance model is not good at quantifying risks it doesn’t understand because there aren’t large, homogeneous datasets to analyse.

Cyber losses lack these datasets because cyber is a new and emerging risk. What data is available is murky at best.

While the lack of loss history makes large datasets difficult to create, independent analysis of individual companies and of losses that are publicly available can create a blueprint for the types of losses a business may experience.

Captives are individualised for the potential losses of one company, not all companies. The captive will not understand cyber risk for the market any better than the insurance company does, but it could understand its own cyber risk better, and be able to write custom coverage to deal with it.

Problem: cyber risk is dynamic and reducing those risks starts with each company and its internal security plans

Traditional insurance puts companies into groupings that may not account for the steps individual companies have taken to mitigate those risks internally, instead treating all organisations equally based on external similarities.

Adding cyber risk to your captive should include an extensive internal audit of the cyber risks of a company and a plan to manage those risks internally. The risks aren’t one-size-fits-all, and the coverage shouldn’t be either. As the company learns more about its own risk to cover it in a captive, it can improve loss control and create a position of risk ownership within the leadership of the company.

Problem: a cyberattack is an immediate all-hands-on-deck situation requiring immediate capital

The faster a company reacts to mitigate the attack, the faster it can get back to business as usual. The cost of a cyber crisis can be quite high, and the professional services needed to meet this crisis can’t wait for an insurance claim (and likely the following lawsuit) to pay out; the capital has to be available immediately.

Your captive coverage can be written so that capital is immediately available to respond to a cyber attack. One option is a parametric trigger that immediately releases funds to cover the expenses of dealing with a cyber attack. It’s your coverage: you can write it how you need it, subject to approval from the state insurance regulators.

Problem: a cyber attack causes a variety of losses in a variety of ways and requires flexible capital for solutions

Business is interrupted, physical assets need to be replaced, reputational harm needs to be mitigated, professional services need to be hired, and fees and fines may be levied. These are just the beginnings of the costs of recovering from a cyber attack.

One of the responses of insurance companies to the NotPetya attack was refusing to pay business interruption or any other costs of the attack, with the exception of replacing physical assets. While the courts eventually required the insurance companies to cover these costs, it took five years for that to happen.

Your captive policy language can be broad and tailored to the benefit of the captive owner, to better cover all the risks associated with a cyber attack. This includes reputational harm, media responses, legal fees, potential ransom payouts and other costs that aren’t physical damage to the company as a result of the attack.

Captives do, however, have some limitations.

Problem: traditional insurance policies specialise in steady, predictable, known risks, and cyber risk is none of these things

Actuarial tables with significant historical data to back up the numbers are the bread and butter of writing policies that insurance companies can make good bets on coming out ahead on overall. Risks become predictable if the gathered data is homogeneous.

Vast quantities of homogeneous historical data allow insurance companies to make reliable predictions. In cyber the data isn’t available or homogeneous.

Captives suffer from this problem as well. We’re actuaries, not fortune-tellers. However, when data is unknown, we can create a larger risk margin in the premium so that 90 percent of scenarios are likely to be covered. This means you’ll be paying more for premiums—but wouldn’t you rather pay those higher premiums to yourself so you are building towards covering higher losses in the future?
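As an added illustration (not code from the original article or from AmeRisk), the simulation below shows what a "fund to 90 percent of scenarios" margin looks like: it simulates annual cyber losses under a compound Poisson/lognormal model, compares the expected loss with the 90th-percentile funding level, and then widens that level when the true parameters are unknown by pooling several plausible parameter sets. All frequency and severity parameters are constructed, illustrative values, not figures from the article.

```python
import math
import random
from statistics import mean


def sample_poisson(rng, lam):
    """Knuth's method: number of incidents in one year with mean lam (fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, years=20000, seed=1):
    """Compound Poisson / lognormal model: lam incidents per year, each costing a
    lognormal(mu, sigma) amount. Returns one aggregate loss per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = sample_poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def quantile(values, q):
    """Empirical quantile: smallest sample value with at least q of the sample at or below it."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]


def funding_levels(losses, confidence=0.9):
    """Expected loss versus the level that covers `confidence` of simulated years."""
    expected = mean(losses)
    funded = quantile(losses, confidence)
    return {"expected_loss": expected, "funded_level": funded, "risk_margin": funded - expected}


def funding_under_uncertainty(param_sets, confidence=0.9, years=5000):
    """When the true parameters are unknown, pool simulated years from every plausible
    parameter set (an equal-weight mixture) and fund to the pooled quantile instead."""
    pooled = []
    for i, (lam, mu, sigma) in enumerate(param_sets):
        pooled.extend(simulate_annual_losses(lam, mu, sigma, years, seed=100 + i))
    return funding_levels(pooled, confidence)


if __name__ == "__main__":
    # Constructed parameters: 0.8 incidents a year, median incident cost about $99k (exp(11.5)).
    base = funding_levels(simulate_annual_losses(0.8, 11.5, 1.2))
    wide = funding_under_uncertainty([(0.8, 11.5, 1.2), (1.2, 11.8, 1.2)])
    for label, r in (("best estimate", base), ("with parameter uncertainty", wide)):
        print(f"{label}: expected {r['expected_loss']:,.0f}, fund to 90% "
              f"{r['funded_level']:,.0f}, margin {r['risk_margin']:,.0f}")
```

The gap between `expected_loss` and `funded_level` is the risk margin the article describes; it grows as the plausible parameter range widens, which is the price of insuring a risk whose loss history is thin.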

Problem: I don’t have enough capital in my captive to cover my risk

Your captive is limited by the capital available to cover your risk. You may not be able to escape the market entirely. Start your captive now to begin an escape plan. Perhaps your captive can cover one layer of risk while a traditional insurance plan covers another. And after you’ve built up capital, you can take on more risk.

Problem: correlation considerations

Writing only cyber into your captive is risky. As they say, you shouldn’t put all your eggs in one basket.

To have a viable insurance company you need to have uncorrelated risks. There are solutions: pooling, for example, where you share your cyber risk with other captive owners; or writing other policies in your captive, purposely adding policies that cover uncorrelated risks so your company isn’t too vulnerable to any one kind of risk.

Are you ready to add cyber risk to your captive? If you already have a captive, adding cyber to your captive can make a lot of sense for the reasons outlined above. Having a conversation with your captive manager or actuary to see if it makes sense for your captive is a great place to start.

Gordon Thompson is a consulting actuary at AmeRisk Consulting. He can be contacted at: gthompson@ameriskconsulting.com