BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Captive insurance seen as vehicle for cyber risks

Captive insurance seen as vehicle for cyber risks

As the business community's understanding of data breaches, network shutdowns and other cyber threats becomes more nuanced, some companies in high-risk industries are beginning to turn to captive financing for their cyber risk insurance programs.

In Vermont—by far the largest captive domicile in the U.S.—as many as 10 large companies have added cyber risk coverage to their existing single-parent or group captives, or have launched a new captive company specifically to address cyber exposures, according to the state's Department of Banking, Insurance, Securities and Health Care Administration.

David Provost, deputy commissioner of the department's captive insurance division, said that while those firms—which he described as “very large, nationally recognized brands”—each had their own unique set of reasons for switching to captive insurance coverage for their cyber exposures, a common theme among them was the need for greater transparency of their up-front costs.

“At that size, it can be hard for some companies to put a real value on this kind of cover in the traditional market,” Mr. Provost said. “They can certainly get someone to quote them a premium, but they have a hard time figuring out whether the price is worth the transfer of the risk.”

In all but one instance, Mr. Provost said companies have elected to add a cyber liability program to an existing captive, as opposed to launching an entirely new entity. Insured limits on the captive cyber policies registered in Vermont vary widely, Mr. Provost said, ranging from $1 million to $100 million, with as much as $25 million in excess retentions or reinsurance.

Outside of Vermont, experts say most of the interest in captive cyber risk financing has been exploratory in nature and has developed only among the handful of industries most likely to retain high volumes of personal consumer data, including financial institutions, managed health care, software and Internet services, and national retailers.

“It's pretty common among emerging risks,” said Steve Bauman, a New York-based senior vp and head of global corporate captive services at Zurich North America. “Folks are always a little bit hesitant to get their captives involved in something that's brand new or emerging, especially if it could have high volatility.”

A combination of factors likely is holding back more widespread implementation of cyber risk captives, experts said. For one, most midsize and large companies would have little difficulty purchasing cyber risk coverage in the traditional insurance markets, depending on their flexibility on pricing, experts said.

“The commercial marketplace seems to be largely able to respond to clients' needs in a way that most clients are comfortable paying for,” said Sean Rider, a New York-based managing director for Willis Group Holdings P.L.C.'s global captive practice.


Perhaps more of an impediment to greater utilization of captives to address cyber liability, experts said, is the extremely fluid nature of cyber risk itself. Aside from the seemingly endless permutations of data and network security threats, companies also must contend with state and federal regulators pursuing ever-greater protections for consumers in the event of a breach.

Additionally, experts noted, captive insurance tends to be more effective when applied to high-frequency, low-severity risks. A given company may only experience one data breach in a period of several years, but the total cost of mitigating that event could be devastating.

“As a result, using a captive as a risk financing mechanism for a cyber insurance program, depending on the size and complexity of the captive, might unduly expose that program to a catastrophic loss,” Mr. Rider said.

Nevertheless, experts said they expect to see a gradual upswing in the number of companies utilizing captive programs to finance their cyber insurance coverage, especially as more risk managers and C-level executives develop a fuller understanding of the true cost of data and network security.

“I'm seeing a lot of companies move toward a more centralized management of their overall privacy and data security exposures,” said Catherine Mulligan, a New York-based senior vp and national underwriting manager for specialty E&O at Zurich North America. “There's a lot more attention being paid to these risks at the C-suite level, which I think will help a lot of companies get their arms around what their total costs and exposures might be.”

Ultimately, if a company can accurately model its exposures and raise sufficient retention capital, experts said a captive insurance program could significantly reduce the frequency and severity of data breaches over time.

“There is value in doing it because it forces a much more disciplined approach toward identifying and addressing your risks,” said Arthur Koritzinsky, a New York-based managing director of the captive solutions groups at Marsh Inc. “The rigor that putting this type of risk into a captive imposes on the parent just makes for better risk management than knowing that the risk is out there, but not doing much about it.”

This story is from the March 19, 2012, issue of the weekly print edition of Business Insurance, a special theme issue featuring an in-depth look at how organizations can protect themselves against cyber risks.

Copies of this issue, which includes a data poster featuring detailed information on cyber insurance purchasing trends, are available for $100 by contacting our Single Copy Sales department at 888-446-1422.

To subscribe to Business Insurance to receive all future special print issues, click here.

Read Next

  • Risk managers' expertise valuable in cyber risk efforts

    Most risk managers might not be information technology experts, but they can effectively manage cyber risks by applying their expertise in such areas as contract risks, assessing the value of exposures and communicating the potential impact of exposures across their organizations.