8 August 2019

The edge of risk

Captives have often been used to manage new risks or liabilities which are tricky or expensive to find coverage for in the commercial insurance markets. A growing sophistication on the part of risk managers and captives owners, paired with increasingly complex analytics within brokers and consultants, seems to have taken that dynamic to a new level in recent years—and there could be more to come.

The big talking point has been the use of captives to insure cyber risk—that conversation has moved in a very short space of time from being theoretical to almost commonplace. Some of the new risks now being pondered for captives including reputational risks, risks associated with the legal marijuana industry, and even cryptocurrency risk.

To deal with cyber first, captive premium growth for cyber risk has accelerated by 263 percent in the past year, according to Aon’s Cyber Captive Survey for 2019: Creating Value for the Cyber Risk Agenda.

“This significant growth rate has occurred within a context of increased capital investment in digital transformation ($1.5 trillion capex per year) and more financially material cybersecurity incidents (approximately $550 billion in economic loss per year),” Aon said in its report.

The overall cyber insurance market is growing by 50 percent annually in gross written premiums, but the number of captives covering cyber risk has actually not increased significantly, Aon said. It found that 3 percent of captives retain cyber risk, up from 2.5 percent, while there has been a 33 percent increase in the number of parent companies accessing cyber insurance coverage from traditional markets, up from 21 percent.

The growth of cyber
Nearly one in five (19 percent) of Aon-managed captives offering cyber coverage have parent companies in the healthcare area, making it the leading sector. Close behind was the energy sector, which has 15 percent of Aon-managed captives with cyber coverage.

Other sectors were a long way behind, with 7 percent each having parents that were financial institutions, or food and beverage, or life sciences companies.
Overall, the number of captives retaining cyber exposure will expand to 34 percent by 2024, predicted Aon, based on the number of captive owners reporting the future direction of their risk financing strategies.

Aon research suggests captive insurance premiums may represent only up to 10 percent of overall premium spend on cyber coverage.

Cyber insurance coverage provided by a captive is also increasingly likely to include protection not offered via the commercial marketplace, said Aon.

According to research, 22 percent of captives currently writing cyber include coverage for liability associated with a bodily injury event, acknowledging the possibility that bodily injuries can arise as a result of a cyber-specific incident, for example through the internet of things, virtual reality, autonomous vehicles, robotics or artificial intelligence.

Commenting on the report, John English, CEO of captive and insurance management at Aon, says that while more cyber has moved into captives, firms could be better at pricing the risk. The survey found that most captive owners still have a relatively unsophisticated approach to retention, limits and premium determination.

Most still rely on their brokers to help price the risk instead of conducting their own financial analysis using stochastic modelling.

“Bearing in mind the evolving risk and technology profiles across industry this is a somewhat surprising finding,” Aon said in the report. It found that 7 percent of captives “are not applying a quantitative risk assessment approach to determine suitability of limits, retentions, and premiums”.

This compares to 41 percent of companies “that employ a combination of scenario analysis and modelling to determine the most appropriate risk financing and transfer strategy for traditional enterprise risks”.

To improve penetration of cyber risk coverage, Aon recommended that companies integrate cyber risk into their broader risk management framework, with only 38 percent of risk teams currently responsible for assessing cyber risk, compared to 86 percent of IT teams.

Chief information security officers also need to make greater use of financial metrics when communicating with senior management, it said. More excess and reinsurance capacity should be made available for emergent intangible risks such as intellectual property—which has estimated global losses of more than $600 million annually—reputation and brand and privacy regulations, Aon added.

Aon would like to help more companies develop their own models to price this risk, says English.

“Despite the sharp untick in the number of companies using their captives for cyber risk, the majority are using their broker or following the wider market to establish pricing. We would like to help them price that risk more accurately themselves,” he says.

The next level
While a growing number of companies are using their captives to transfer cyber risk, some of the most innovative are also exploring the possibility of insuring reputational risk, according to Jason Flaxbeard, executive managing director, captive management and consulting, Beecher Carlson.

Flaxbeard says that the cyber coverage is typically being split between expected liabilities, such as fines, penalties and credit monitoring, and unexpected risks generated by cyber.

While the latter are much harder to measure and price, some captive owners are looking at whether they can bolt on reputational risk to their cyber policy within their captives. Many risk managers see reputational risk as being one of the biggest threats to their organisations, but it is very difficult to cover this risk using insurance.

Flaxbeard says that such a policy would act as more of a financing play to help fund some of the processes and procedures that need to happen in the event of a crisis.

“A number of companies are looking at whether this is something that could be bolted on to cyber,” he says. “The industry will increasingly understand that this is a risk they need to look at, as is intellectual property risk, although there are no moves to attempt to cover that in a captive at the moment.”

He notes that coverage for reputational risk is starting to become available, for example Steel City Re will offer this liability and such a policy could in theory be acquired via a captive.

The edge of risk
Two other risks being closed watched by the captives market are risks associated with the legal marijuana industry, and cryptocurrency risk. The first captive to manage risk associated with cryptocurrencies was formed on Bermuda earlier this year. US captives domiciles will be watching this development with interest, given the interest in the sector in recent years.

The Bermudan captive was formed by a large financial institution to take on the risk of digital assets that it stores on behalf of third parties being stolen. The captive will take on the first party risk of digital assets being stolen from cold storage. Although cold storage is considered a very secure method of storing digital assets, the company wanted some protection against hacking or cybercrime that might target the assets.

The company will retain some of the risk with the rest being held by the captive, which will not buy any further coverage in the open market.

Michael Parrish, head of client services for Marsh Management Services Bermuda, says that although insurance is available in the open market for such a risk, the client in this case felt a captive was the better option.

“They believe the risk is pretty low and see a captive as a good way of managing that,” he says. “This could be just the start. They have not used a captive before and could expand it to cover other types of risk over time.”

Parrish predicts that this could be the first of further deals in which captives manage digital risks. “History shows that where coverage is difficult to secure or place, captives can have an important role to play,” he says.

He also expects that the first captive to cover risks associated with the production of cannabis will be formed soon, probably on behalf of a company based in Canada, where the drug is now legal.

“Companies are struggling to buy insurance in the open market and a captive would be a natural solution,” he says.

That sentiment has been backed up by the Bermudan authorities, who believe the first captive to manage cannabis-related risks in Canada will be formed there. Doing a similar thing in the US could prove tricky in a US domicile because the drug is illegal at a federal level.

Jereme Ramsay, business development manager (risk solutions) at the Bermuda Business Development Agency, says he expects the first captive to manage cannabis-related risks to be formed in the near future, probably by a company based in Canada.