A solution for cyber risks

More companies are using their Bermuda-based captives to manage their cyber risks, according to experts at KPMG in Bermuda who predict that captives will become an increasingly used risk transfer solution for this rapidly evolving and complex risk.

William Miller, managing director at KPMG in Bermuda, says that this is a relatively new phenomenon and still limited in its use. But despite the nature of the risk being very different from the type that is typically transferred to captives, he explains that there are several good reasons this can make sense.

“Captives are more typically used to manage predictable exposures such as high frequency, low severity risks where you have a large number of probable claims and the ability to control those risks in-house. A captive offers an efficient way of insuring those and better managing your capital,” he says.

“With cyber risks, the opposite is generally true. There is a lot of uncertainty and also the expectation that you could have very big losses: high severity and low frequency. That is the challenge when managing these risks but there are also certain things that set cyber risks apart that explain why some companies are using captives.”

Better coverage

Miller explains that the biggest factor driving companies towards captives as a solution is the type of coverage available in the commercial market. In essence, it is usually expensive and highly restricted in terms of what is offered.

This is because, as is the nature of any form of insurance, companies with a very sophisticated approach to their cybersecurity are being lumped in with less secure companies to determine the cost and nature of coverage. Firms that understand this and which are also confident in their ability to manage their own cyber risks will therefore benefit from managing that risks themselves—through a captive.

“There is a cost implication for companies that are very good at this but don’t want to pay high premiums in the commercial market. There is also a big advantage in that they can set their own policy language and make this much broader to suit what they are trying to achieve.

“For instance, they may set coverage using an occurrence-based approach as opposed to a claims-based one. That is very important because the way in which cyber attacks can happen means that there can be a significant time lag between a virus entering a system and finding its way on to a database and a loss actually emerging. There is a long latency period and a lengthy reporting period as a claim evolves.”

Chris Eaton, senior manager at KPMG in Bermuda, adds that using a captive to tailor coverage in this way can also offer an advantage when it then comes to securing suitable reinsurance.

“For a company that has a very good grasp of its cyber risks, and which has a very mature approach to standards and frameworks to manage cybersecurity, this can work because that can be clearly seen and understood by reinsurers. They can see that this is a high quality risk compared with the average in the open market. If there is a good story backed up by solid data, they will offer better terms as a result.”

Ahead of the game

Miller says that it is difficult to generalise about which types of companies are best suited to considering this approach to managing cyber risks. He says that they simply need to have a good handle on their cyber exposures, good risk management in place around this and an existing sophisticated risk management strategy that includes a captive. It will be highly unlikely that someone would form a captive specifically to manage this risk.

“Some sectors are ahead of the game on this. Healthcare companies, retail businesses and financial services companies are the most at risk and they have the biggest challenge finding affordable commercial cover. But some have also become very sophisticated at managing these risks and therefore could consider using an existing captive to manage them,” Miller says.

He stresses that the underwriting of cyber risks is still very immature in the wider market, hence the high premiums and restrictive policy terms. He says insurers are concerned that they do not fully grasp their exposures and aggregations in this market, especially because many end clients could use the same third party provider to manage their cybersecurity.

Another reason insurers are keen to split out the cyber element of coverages is to get a better handle on their overall aggregations.

“We are seeing companies modelling this and running through different scenarios to establish how exposed they are,” Miller says.

“But some are also getting much more sophisticated as a result and rewarding companies with a good handle on this risk.”

“Again, this is simply driving caution among insurers and people to consider captives,” he says. “They might want that tailored coverage, control over their own risks and full credit for that while also working with reinsurers that will do the same.”

Eaton notes that sets of common standards in the way cyber attacks can be prevented and systems made more secure have evolved rapidly in recent years. The NIST Cybersecurity framework, for example, has become well adopted in North America while sets of international standards such as the ISO 27001 are also starting to emerge.

“A body of knowledge is increasingly emerging now that companies can tap into to shore up their security and establish best practice around this threat,” he says.

This is starting to change the insurance landscape. Some insurers are giving companies adhering to such frameworks credit for it, which might be reflected in the premium of a dedicated policy. Yet many others are increasingly risk-averse in relation to cyber risk and are excluding it from traditional policy structures. This in turn is creating a greater need for dedicated policies.

A dynamic environment

Miller also stresses that the claims environment is a very dynamic one at the moment. The outcomes of some very large class action law suits relating to data breaches have yet to come to pass and this could change the landscape again.

“There are some big class actions out there and there has been no payout yet,” he says. “Many insurers do not appreciate what a long tail this type of business potentially has and once we see some of these big claims come home to roost there could be a shift in the market.”

Miller warns that other factors could trigger a shift in the market. A big loss in any area of the re/insurance markets, for example because of a natural catastrophe, could also cause a shift in the market and rates to harden across all lines. Equally, that very big loss could be as a result of a cyber attack.

“There is always uncertainty in the commercial insurance market because a big loss can cause a significant increase in rates,” he says.

“That is another good reason to use a captive as it helps avoids that volatility and restrictions on commercial insurance over time.

“To a certain extent cyber risk has been benefiting from a soft insurance market and it has been that way for a while. But all that can change very quickly.”

He stresses that as a result of all these factors, it makes sense that more companies, as long as they have an existing sophisticated risk management programme that includes a captive, would consider using it for cyber risks.

“If you already have a captive and good risk management around your cyber risks, this is certainly worth considering,” he says.

“We are seeing more interest in that concept so it will be interesting to see how quickly that evolves and whether captives can offer a solution for many companies seeking cyber coverage.”

William Miller is a managing director at KPMG in Bermuda. He can be contacted at: billmiller@kpmg.bm

Chris Eaton is a senior manager at KPMG in Bermuda. He can be contacted at: chriseaton@kpmg.bm