16 June 2016Bermuda analysis

More companies turn to captives to cover cyber risk

Though adoption rates remain low, more companies are starting to use their captives to manage their cyber risks. A panel of experts discussed the challenges and implications of this at the Bermuda Captive Conference yesterday (Wednesday June 15).

Chaired by Chris Maiato, principal, EY, the session charted the evolving and growing threat of cyber risk and documented how companies, regulators, insurers, reinsurers and the captive industry are responding.

“Technology is now the cornerstone of everything we do. But it is an escalating risk and the reality is all organisations will suffer some type of cyber event at some stage,” said Maiato. “It is a threat that is constantly evolving, however, and attacks can be very expensive to deal with. The harsh fact is that many companies have already been breached.”

Larikus Scott, partner, KRYS group, noted that many companies see the solution to the cyber threat as being technology. “But that is a big mistake. Without the right people and processes, technology does not serve any purpose,” he said.

John Masters, underwriter, AIG, gave an overview of the types of coverage available in the commercial market and how this has evolved over time. He said that whereas historically only certain industries such as financial services saw themselves as at risk that has changed rapidly in recent years thanks to so many high profile data breaches planning industries including healthcare, hospitality, social media sites and retail companies.

Peter Mullen, chief executive officer (CEO) of Aon Risk Solutions, said that within its own portfolio of captives, it has seen significant growth in the number of companies using their captives to manage cyber risks, but this is starting from a very low base. He said the number of captives taking in cyber risks increased from 1 percent to 2.5 percent in a space of some 18 months.

“They are not doing anything dramatic with it,” he said, indicating that most companies are simply maintaining the deductible in their captive and buying reinsurance or an excess-of-loss policy in the commercial markets. They also tend to copy the types of policies and pricing available in the private market.

But he said an added motivation for using a captive for this risk is to “incubate” the risk so they can see how it performs in regulated insurance conditions where they collect premium and pay claims over a period of time.

“This allows them to assess the loss experience over several years and make better decisions over how to cover it in the future,” he said.

He added that one of the biggest challenges companies face, however, is properly assessing and quantifying the risk. “It changes so rapidly that is a real challenge for any company,” he said.