10 July 2019 | Law & regulation

Captives could drive innovation in cyber market amid GDPR crackdown

A growing number of companies falling foul of the General Data Protection Regulation (GDPR) highlights the need for comprehensive cyber coverage. It could also incentivise the formation of more captives, if cyber providers do not up the quality of their offerings, according to experts.

In recent days both BA and Marriott have been handed fines - reported to be £183 million and $100 million respectively - for data breaches that left them non-compliant with GDPR regulations.

Other big companies, and many lower profile companies too, will also be struggling to adhere to the rules, and wondering whether they have insurance cover to protect them.

In some cases companies with cyber coverage may be lulled into a false sense of security, believing they have more comprehensive coverage than they in fact have. There are huge variations in the wording used in cyber policies, and in exactly what each policy covers.

Data breaches are a fairly standard component of many cyber policies, so many - but by no means all - policies are likely to cover the costs associated with a GDPR issue, other than the fine.

The fines themselves are thought to be uninsurable, because including them in a policy would remove the disincentive to break the law that the fine is supposed to create. This looks like a gap in the commercial cyber market that even a captive cannot fill.

Rob Smart, technical director at Mactavish, said: “A captive is unlikely to be able to provide coverage for regulatory fines because of legal insurability and it has to keep in step with what is going on in the commercial market. They have to assess risk in broadly the same way to avoid raising questions about substance.”

However, the growing GDPR compliance problem should definitely be pushing companies to think hard about their cyber coverage, said Smart. “Even if a cyber policy does not cover companies from the risk of fines over GDPR, for example, it is still worth buying the right policy,” he said.

“It can help with other costs that can arise from that other than the fine, including defence costs, compensation, crisis management, customer support and more.”

However, Smart called on the insurance industry as a whole to improve the quality of cyber coverage being offered.

“We want to see insurance providers pushing the envelope in cyber coverage, offering tailored cover based on individual client exposures and even considering how to underwrite things like reputational cover,” he said. “There is a lot of scope for innovation there, and that is a real opportunity for captives.”

For the largest companies a captive could be the only way of getting cyber coverage of a sufficient size. Getting cyber coverage for more than $100 million could be very difficult in some markets.

Smart admitted the insurance industry is not known for its innovation, with the last major new product to come through before cyber arguably being directors and officers cover, more than 20 years ago. That market has been tightening because of the losses many providers have experienced in it over the last few years.

“The cyber market is also more complicated because of how rapidly the threat itself is evolving,” said Smart. “There is no chance of the cyber market maturing to the point of becoming a standardised product within the next two years - more likely it is going to remain very ambiguous for years to come and clients need to analyse their cover carefully.”

Smart said: “We meet a lot of clients that find out rapidly that off the shelf cyber coverage available is not right for them. We help them to explain their specific exposures and negotiate with the provider, and sometimes it is possible to amend the coverage to suit their needs, but often the market isn’t as flexible on changing standard wordings as it should be - even where insurers will agree the intention of cover.”

There is some evidence that companies are indeed turning to captives to meet their highly specific cyber risk needs. A recent Aon report showed the volume of captive premium growth for cyber had accelerated in the past year by 263 percent.

The report found the overall cyber insurance market was growing by 50 percent annually in gross written premiums, though it also found the number of captives covering cyber risk was relatively stable.

Only 3 percent of captives retain cyber risk, according to the Aon report, up from 2.5 percent, while there has been a 33 percent increase in the number of parent companies accessing cyber insurance coverage from traditional markets, up from 21 percent.