Cyber: a bespoke fit
Few emerging risks are as pervasive as cyber. Information technology has come to permeate all aspects of business operations, bringing with it untold benefits, but at the same time creating risks with which the industry will be obliged to grapple. Nevertheless, it is clear that the captive sector is already finding a home for such risks. As Robert Johnson, managing director at Aon Risk Solutions in Bermuda outlined, “we see cyber as a significant emerging risk. Discussions are taking place at the board room level, at key renewal dates and during strategic planning meetings”, with efforts to mitigate risk exposures increasingly on the minds of international parents.
Andy Hulme, deputy manager—underwriting and claims at JLT Bermuda concurred: “Parents of captive entities are increasingly looking to place some or all of the cyber risk into their captive, particularly as captive managers are constantly looking to ensure captives provide the greatest value to their parent organisations.”
Gary Markham, CEO of LSG, a technology firm active in the captive space, warned that cyber risk is emerging as a “huge issue”, but not one that is fully appreciated by many companies. Much depends upon the IT capabilities of staff, with knowledge of cyber risk “not always filtering through to the risk management departments of companies”. Captives can prove a good home for such risks, encouraging closer attention to such exposures and instilling risk mitigation best practice in key operational areas.
Christina Bell, executive vice president—underwriting and claims at JLT also spoke of a “lack of real understanding” regarding the risk exposures in cyber. She said there are a limited number of carriersand technical experts in the commercial market, with coverage proving decidedly “sporadic” as a result. This then raises the prospect of employing a captive to host such risks. As Bell outlined, “The beauty of the captive is that you can really home in on the exposures of that particular company and craft coverage according to the parent’s business activities.” David Gibbons, director of captive insurance at PwC, spoke in a similar vein, arguing that “as a form of risk management, use of a captive brings areas of risk into focus and enables the parent to apply more targeted risk management practices, creating definite opportunities for the parent”.
"With a captive you can tailor specific and appropriate coverage that is totally in line with your parent company's needs."
Hulme added that JLT was seeing rising interest in running cyber risk through captives as such entities offer “flexibility of coverage and flexibility in pricing”. However, he warned that with a lack of loss information, captives may be best employed to provide their parents with “blended coverage” that draws upon both captive and commercial capabilities. Addressing such a blended approach, Kilian Whelan, CEO of JLT Bermuda said that it generally takes two forms. The first is to “piggy-back” on coverage provided by the commercial market, adding some of the coverage into the captive. The other is to use the captive as a “risk incubator”, whereby you place a small amount of risk in the captive in order to better understand the line, with the intention of running more business through the captive over time, said Whelan. Either approach can reap significant benefits for captive parents, enabling them to get a better view of the risk potential of cyber and the opportunities associated with running the business through a captive.
And as with any other line, the fundamentals of opting to run the business through a captive do not change, said Whelan. “As a corporation looking at your risk, you have to consider your risk appetite, which risks you should you be retaining within your captive and which you should be transferred into the commercial market.” Faced with an emerging risk like cyber however, risk appetite will need to be carefully calibrated to potential future exposures and changes in the cyber landscape.
Broad exposures
One of the key questions captives need to consider when taking on cyber risk is how broadly the risks extend and what kind of coverage can realistically be run through a captive. As Gibbons outlined, cyber risk generally falls into three buckets. The first is around data security, the second malicious attack, and the third relates to the misuse of social media. While it may be easy to find coverage in the commercial market for the first risk—thanks largely to the rigidity of regulations regarding data security—the lack of hard and fast rules and dataregarding the second and third buckets of risk present unique challenges, he said. Again, this may well mean captives are a good fit for new and emerging risks associated with cyber, risks that would otherwise struggle to find a home in the commercial market.
However, cyber risk can also extend to third party exposure. Hulme said that while first party exposures have traditionally been the focus, firms are increasingly aware of data security and business interruption issues associated with third parties. This awareness enables them to take a prophylactic approach to risk rather than respond to losses post-event, an approach that suits employing a captive entity.
The second question concerning cyber is whether the line should be dealt with on a standalone basis or as part of a wider casualty or business interruption portfolio. Johnson said that at present cyber is “often tacked on to another property or casualty programme, but it is increasingly being considered as a standalone line”. Bell likewise said that cyber would continue to gain ground as an independent programme as increasing awareness and exposure cement its significance.
However Gibbons said that in many instances including cyber risk in other programmes makes sense for captive entities. “As much as it can be bolted on to other lines, it’s easier to take on cyber risk that way, especially for captives writing purely related business, because the captive is there to pay claims if and when they come due. To have additional costs just to write it separately when you could include it in a couple of other lines and be totally covered doesn’t make economic sense.” Gibbons said that with a lack of loss data associated with cyber, it does not make a lot of sense to have it sitting in the portfolio on a standalone basis—“you’re going to need a little bit of time, a little bit of loss history” before you can truly understand your exposures, he said.
Markham said that such decisions depend upon “the ‘build it or buy it’ paradigm”. If you buy it, the requirement to understand and price cyber risk goes away, he said. If you build it there will inevitably be significant initial investment, “but who knows the potential risk best?”. While the captive solution may be a strong fit, Markham warned that parents would need to be vigilant, ensuring that they remain ahead of the curve when it comes to new and emerging risks.
Parents certainly need to ensure that cyber risk will not prove overly burdensome to the wider portfolio. As Whelan explained, “You have to carefully assess the financial strength of the captive and ensure that you’re not putting the balance sheet of the captive unduly at risk. Captives are typically not there for the catastrophic risks; rather they are there for the burning costs.” While this makes it a good fit in terms of first party exposures, Whelan warned that third party exposures may prove rather too much for a captive to handle, citing the example of class action suits that could cripple the capital base of such entities. Gibbons agreed that the size of potential exposures means that employing a commercial element alongside the captive makes sense, with the captive writing the deductible layers and the commercial market providing coverage beyond that.
Cyber may not however be the best fit for all forms of captive. As Johnson indicated, for single parent captives it is relatively easily accomplished, “subject to the captive being comfortable with the risk, its pricing and the reinsurance structures that they want to wrap around it”. But for group captives and risk retention groups, the challenges of running cyber and the associated sensitivities associated with data security are likely to prove a hurdle. For such entities “cyber is one that might be looked at a little later”. For now, it is likely that cyber risk will remain largely the preserve of single parent captives.
Headline motivation
While rising use of information technology will undoubtedly act as a driver of cyber take-up, greater regulation concerning the protection of client data and security will also play its part. Parent companies are now obliged to pay increasingly close attention to their data security, faced with the potential implications of costs associated with any clean-up following a data breach. Regulation concerning the protection of client data already has strict penalties in place, but while these will create considerable challenges to parents, they could yet prove of benefit to the captive sector.
As Gibbons explained, without sufficient loss data it is very difficult to underwrite cyber policies and to set limits, but “to have them codified in law, it becomes much easier to anticipate what a good aggregate or occurrence limit should be”. As a result, cyber risk and coverage that may extend into areas such as social media, could be much more readily placed within a captive.
Hulme added that regulation has served to “highlight the need to ensure that organisations are working on prevention and preparedness for cyber risk”. Once this has been set in train, the second question they need to consider is whether there is a “risk transfer requirement”, he said.
Calls for greater regulation and awareness have been helped by well-documented data breaches. As Johnson made clear, “nothing highlights cyber risk better than news of some large corporate data bank being hacked, what that means and what access cyber attackers gain as a result of that attack. The motivation to run cyber risk is very much around risk management and protection”. Law suits and extensive pay-outs are likely to sharpen the minds of those considering their cyber exposures. And significant awards are unlikely to encourage firms to consider cyber simply as an add-on. “The more those numbers come through and the cost of reinstatement of systems and confidence is examined, the more people will be looking at cyber on a standalone basis,” said Johnson.
And the threat and the need to mitigate it are unlikely to go away any time soon. As Markham explained, “pressure is growing on companies to demonstrate that they are continuing to enhance their cyber defences and levels of sophistication in order to ensure clients are less exposed to the dangers posed by cyber risk”.
This “moving feast” of risk, as Markham put it, presents both unique challenges and opportunities for the captive sector. Captive insurers will need to consider carefully what cyber exposures—if any—they take into their captive and will need to do so with their eyes fully open. However, as Bell outlined “The beauty of running cyber risk through the captive is that it can be bespoke. At the moment the cyber policies that you see out there in the commercial market vary dramatically, but with a captive you can tailor specific and appropriate coverage that is totally in line with your parent company’s needs.” It will be in providing precise and targeted coverage that captives will prove their worth.