Using captives to manage cyber risks
Managing cyber risk using a captive seems in many ways to go against the core logic of captives and the risks they are designed to manage. Focusing purely on the risk transfer benefits of captives, well-run companies should be able to manage certain risks themselves—but usually only if those risks are high frequency, low severity, predictable and relatively easy to understand and manage.
For anything else, that is what the commercial insurance market—with its wider spread of risk and use of reinsurance—is for. Anything that is difficult to understand and has a potential high severity is better managed by third parties with the experience and capital base to manage large losses.
On the face of it, cyber risk certainly falls into this second camp. It is extremely difficult to understand and, therefore, manage and price. It also has the potential for some pretty big losses.
Yet while the numbers remain small in relative terms, a growing number of large companies are interested in turning to their captives to help manage their cyber risks, either on a standalone basis or by participating in an industry-type mutual.
Clayton Price, managing director, Marsh Management Services Cayman, says he is seeing solid growth in this area and explains that there are several reasons that it can make sense for some companies.
“Cyber liability is one of the most well-known emerging risks facing organisations today. While capacity remains available in the commercial insurance market, pricing and appetite have deteriorated for organisations in certain industries,” Price says.
He says Marsh believes captives can represent an effective solution to properly manage cyber risk. Within Marsh Captive Solutions as a whole, the number of cyber programmes initiated by captive owners grew by 30 percent in 2015—most of which happened in the US.
He says that one driving force behind this trend is that many companies use their captive to access the reinsurance markets to ultimately help them manage this risk.
“Organisations often seek to use captives to access the reinsurance market in order to retain higher limits and lower premiums as gaps in cyber coverage continue to emerge,” Price says.
“A captive can be an optimal alternative vehicle to accomplish this and address many other cyber liability concerns, making it a compelling option that we expect more organisations to gravitate toward as this risk continues to affect the insurance market.”
Other brokers report similar interest in using captives in this way. At a recent industry conference, Peter Mullen, chief executive of Aon’s global captive and insurance management business, reported that within the broker’s own portfolio of captives, it has seen significant growth in the number of companies using their captives to manage cyber risks, albeit starting from a very low base. He said the number of captives taking in cyber risks increased from 1 percent to 2.5 percent in the space of some 18 months.
Concurring with Price, Mullen indicated that most companies are simply maintaining the deductible in their captive and buying reinsurance or an excess-of-loss policy in the commercial markets. They also tend to copy the types of policies and pricing available in the private market.
He added that another motivation for using a captive for cyber risk is the ability to “incubate” the risk so they can see how it performs in regulated insurance conditions where they collect premiums and pay claims over a period of time.
Aon also conducted a 2016 survey of large companies’ attitudes towards cyber risk and how they manage it. It found that their biggest concern around cyber risk is business interruption, both during a breach and afterwards, while bodily injury and property damage were rated as their lowest concerns.
The study found that only 59 percent of companies have used a formal risk assessment process to help inform their insurance strategy around cyber, a process that would help most companies get a better handle on the risk.
It also found that 68 percent of companies that buy cyber insurance do so for balance sheet protection and to ensure due diligence comfort for their board of directors. Yet of those that buy, 75 percent have concerns over the loss adjustment process and 99 percent suggest that policy terms and conditions need to be clearer.
In terms of buying coverage in the first place, more than 50 percent do not buy any, but this varies greatly by industry: companies classed as data holders are the most likely to buy (70 percent), compared with just 17 percent of product risk companies (eg, agriculture, chemicals, food and beverage).
One of the conclusions of the survey was that, given the uncertainty over the nature of this risk and what can be covered in the commercial market, more companies could turn to captives to get a better handle on it. The survey revealed that 94 percent of companies would consider sharing their risk with others in their industry as part of a captive facility writing cyber.
Adrian Lynch, managing director, Aon Risk Solutions, says that he now discusses cyber risk with all clients but believes the market has a lot of developing still to do as companies, insurers and brokers alike attempt to quantify and price this ever-evolving threat.
“I believe—in time—there will be a role for the captive in any cyber play, but we are not there yet. Aon has developed a market for cyber capacity, but we have learned that risk quantification remains a pivotal point.
“Risk managers still can’t quite get their heads around where their exposure lies with cyber, and how much precisely that exposure will cost them,” he says.
“The market is responding but not yet at pace until they are comfortable around their value proposition in the cyber space. I see perhaps the captive writing some sort of buffer layer in the cyber space or perhaps crafting some gap coverage in cyber.”
Lynch adds that in order for captives to cover cyber in this way, any captive would need to be well capitalised, and the coverage would need to be well funded and make commercial sense. He says that a natural wariness will exist over managing this risk in a captive.
“Most CFOs or risk managers right now would be reluctant to place cyber in the captive but it’s our job as managers to ensure we are collating that data to eventually allow them to make an informed decision,” Lynch says.
“I do believe cyber will be a recurring theme in all captives perhaps within the next five years. In the healthcare space many of our clients look at it and our brokers are working hard to ensure the market responds.”
A growth market
Cyber accounts for around $2 billion of commercial insurance premiums globally but this is expected to grow to $10 billion by 2020. While this clearly represents a big growth market for commercial players, it seems likely that, although adoption rates are currently low, more companies will start to use their captives to manage their cyber risks—complementing this wider growth or simply to access reinsurance.
Captives may even help drive innovation forward in this sector.
Linda Haddleton, managing director of Artex, a company that creates and manages a range of alternative risk solutions, says that one of the advantages of owning a captive is the ability to design cover—and this could lead to innovation.
“While commercial cyber policies cover a variety of expenses associated with data breaches, and may cover some liability and property losses, a captive can write an additional policy to cover gaps in commercially purchased coverage,” Haddleton says.
“Cyber coverage is a growth factor but unlikely on its own to register as a huge growth area. However, the innovation that it represents is an important component of captive growth. As captives mature we do see owners placing additional risks in their captives and this is but one example.
“The captive is a risk management and risk financing tool. Once the initial step has been taken and sustainability proved, it is a natural course of action for the captive owner to consider how to optimise this investment.”
Paul Macey, president of USA Risk Group (Cayman), agrees that captives will be used increasingly to manage cyber risk, but says this is unlikely to be on a standalone basis—instead it will complement developments in commercial insurance and reinsurance.
“Captives can be used to manage cyber liability but this is likely to be in conjunction with the commercial insurance market and not as an alternative. This is an emerging area and the potential exposures are still evolving. The use of captives will develop over time,” Macey says.
There is also a bigger picture here. Conor Jennings, managing director, Captiva Insurance Managers, believes the way cyber risks might be managed by captives ties in with the wider potential of captives to grow by writing new risks.
“I do not know how much cyber crime is insured in Cayman, but I believe that there is considerable potential for existing captives to grow organically by writing ‘new’ risks such as cyber,” he says.
The circle of risk
Jennings references a recent report by Captiva that urges captive owners to consider insuring a greater diversity of risks in their captive in order to maximise its profits and, thus, the extent to which it benefits its parent.
He likens this argument to having built a beautiful and exclusive hotel but only having one room occupied. “Although the charges paid by that one guest may be enough to cover the operating costs of the hotel, just think how much more could be made if other rooms were also made available. As with the owner of the hotel, the captive owner needs to carefully consider how he can make more profit by making better use of the captive’s resources,” Jennings wrote in the report.
He says that to achieve the goal of making a captive more profitable, two steps must be taken.
First, its parent company must have a top-class risk management framework in place. This will help identify, analyse, manage and control the risks being insured to the captive, with the resultant profits being more than enough to cover the additional costs of risk management.
“Risk management is the backbone of success. This is all common sense, and applies equally to the hotel manager who also uses risk management techniques to ensure that all his guests are well behaved and pay their bills,” Jennings says.
Second, and this is relevant to cyber risks, he argues that more premium is then needed. “Once the risk management framework is in place, it’s just a matter of adding more risks and premium to generate more profits, or for the hotel manager, making more rooms available.
“Lessons can be learned from the older captives based in other domiciles such as Bermuda and in Europe. The majority of these captives tend to insure a number of different types of risk, whereas in North America and the Caribbean, it is common for medium sized or large captives to insure only a few risks.
“Based on the experience of these older captives, we know that almost any type of risk can be insured. In addition to traditional risks such as property and general liability, captives can write virtually whatever they like ranging from workers’ compensation or marine cargo to IT hacking and even kidnap and ransom.
“One thing these multi-line captives have in common is that they all tend to generate very healthy profits. More often than not, a good proportion of the profits are then reinvested back into the parent company’s risk management programme to help fund ongoing safety training, updating safety equipment and reinvesting in procedure changes. This should be the ‘circle of life’ for a captive—a symbiotic relationship with its parent company.”