David Molony, director of EMEA cyber risk, Aon
The increasing digitisation of our lives brings many benefits, but it is also making it much harder for companies to get a full picture of their risk exposures, particularly in terms of cyber risk. But captives can be used as a strategic tool to give organisations an enterprise-wide understanding of their cyber risk, says David Molony at Aon.
The timing of today’s hardening market represents a challenge to the cyber insurance community. Organisations are being forced to justify increased levels of insurance spend on cyber, a non-traditional insurance purchase, at a time when the cost of insurance is already rising.
“Captives will continue to grow in cyber participation driven by two major factors.”
The technological evolution and digital transformation of society ($1.5 trillion capital expenditure per year) represents enormous opportunity for traditional and emerging industries. However, it is coming hand-in-hand with growing regulatory demands, and making it increasing difficult to get a clear picture of risk exposures.
Organisations need to gain an enterprise-wide understanding of what this means. It may be that the captive is the strategic risk management tool to make that a reality.
Aon’s captive survey 2019
Aon conducted a Cyber Captive Survey in 2019 which showed a static growth rate among our captives book who were looking to write cyber risk. However, it also showed that those who were writing the risk were expanding their cover substantially from a premium and coverage perspective. These clients were embracing the additional complexity of cyber, and seeking to better understand the implications for their business.
Cyber must mean different things to everyone it is by its very nature a bespoke risk with a modular insurance solution. The challenge, however, remained that for those who were writing a more expansive cover in the captive, only 7 percent had conducted any level of financial analysis (deterministic and/or stochastic modelling). And for an emergent risk, this was a true inconsistency. The rationale for placement remained broadly in line with more traditional risks: greater control of insurance programmes and achieving cost efficiencies.
There remains keen and consistent interest in working through a captive solution into a global cyber insurance programme. Organisations, after all, must protect their balance sheets from technology risk. The captive is a mechanism to do that, but perhaps the greatest opportunity for captive owners is to allow non-traditional stakeholders, such as a chief information security officer (CISO), to align risk management strategy with information security and information technology protocol.
Organisations have historically maintained distance between these functions because the subject matter was not always an easy fit. The insurance market was evolving, but there was no consistency in the approach to these changes, despite the need for the risk management and insurance community to fit these changes into the wider risk management framework.
Increasingly, and somewhat encouragingly, CISOs are participating to achieve the solution. Cyber insurance must be a complementary safeguard to cybersecurity initiatives. If the policy is not fine-tuned to the organisation (with material input from the security function) it may not respond appropriately in the event of a major incident.
If there is buy-in from the start, and true understanding of the flexibility a captive can bring to the process, then this cannot be seen as anything other than a bonus for strategic cyber risk resilience.
Unlocking future growth
Undoubtedly the process for cyber risk management remains to a large extent immature and inconsistent. Cyber risk management must integrate into the broader framework. Risk managers can facilitate this process by collaborating across the business functions (legal, IT, security, operations, etc) using proven enterprise risk management methodologies, albeit through a digital lens. This mechanism for balance sheet protection can allow for visible benefits to be seen across the organisational value chain and an effective return on capital employed.
This enhanced organisational dialogue will notably benefit a company’s security function. Using the traditional risk assessment and quantification methodologies, CISOs can begin to leverage financial metrics to enhance the opportunity scope for prioritised security investment. This will help non-technical stakeholders to understand the risk in a balance sheet context, enabling a thorough cost:benefit analysis process.
Organisational security functions have also been increasing their use of cyber bursaries to part fund or fully fund risk analysis and security improvement initiatives. A third of captive owners writing cyber risk are currently doing so to incubate and better understand the risk. But this should not stop a continued investment to improve the risk.
The creation of a narrative of risk improvement for open market carriers will be a crucial component for more favourable terms and engaging long-term market partners. The captive represents an alternative level of capital or can provide access to non-traditional capital via an appropriate insurance-linked securities (ILS) structure.
Where should we go from here?
In the current environment there remain some undeniable facts. Underwriters are taking reduced levels or risk on international placements. It is increasingly common to see carriers who previously would have written a $50 million-plus primary cyber cover reduce that to $10 million-plus, or to remove themselves as the primary partner in the insurance tower.
There have also been increased retentions from the market. It is fair to assume that market aggregation factors may be encouraging this, but this remains yet one more reason for captives to play in the space. Deductible buy-down structures (especially on global programmes) are growing in relevance and with shrinking levels of capital being offered the captive once more operates at a facilitative level on an XS lines basis.
Many captive owners remain understandably reticent to incorporate cyber into their captive programmes. It is perceived as a volatile and wildly unpredictable risk. In some respects this is true. But there is an opportunity to use the captive as a strategic tool to assist in enterprise-wide learning of what cyber means at your organisation.
The digitisation of our corporate (and non-corporate) environments will continue. We will become more and more connected and ultimately reliant on technological advancements and enhancements to continue to produce, process and manage.
With this in mind we suspect that captives will continue to grow in cyber participation driven by two major factors.
Shift in asset value from tangible assets to intangible assets: this will shift the insurance purchasing philosophy of most clients across their entire portfolio but notably within how we choose to protect our corporate balance sheets from technology risk; and Shift in risk landscape from physical to non-physical: material non-physical damage business interruption cyber-related events have altered the minds of boards of directors. Somewhat more pertinently, they have also become the focus of internal audit functions as well as audit and risk committees.
Aluminium producer Norsk Hydro fell victim to a notable LockerGoga ransomware attack earlier this year and incurred suspected losses of up to $50 million. From a governance and due diligence perspective we should expect large organisations to become increasing aware of the impact cyber risk may have on their organisation. The captive will be a key incubator and risk-financing mechanism with which to achieve that.
We should expect accelerated cyber captive market growth as cyber evolves into the mainstream. Captive insurance professionals should look upon this is an opportunity to evolve the relevance of their captive within an interconnected world.
David Molony is director of EMEA cyber risk at Aon. He can be contacted at: firstname.lastname@example.org
Aon, Digitisation , Captive, Insurance, Reinsurance, Cyber Risk, ILS, David Molony, UK