Printed from BusinessInsurance.com

Lack of cyber risk data hampers captive underwriting

Posted On: Jun. 16, 2016 12:00 AM CST

SOUTHAMPTON, Bermuda — The increase in the number of captive insurers that cover cyber risk has been slow due in part to a lack of data to define and assess the risk.

Peter Mullen, CEO of captive and insurance management at Aon Risk Consulting in Pembroke, Bermuda, said about 12 of 1,100 clients were putting cyber risk in their captives 18 months ago, a number that had risen to 25 in Aon's most recent survey.

“It's not a huge number, but the adoption rate is definitely growing,” he said Wednesday at the 2016 Bermuda Captive Conference in Southampton, Bermuda. “It's not like any other risk you put in the captive.”

Before cyber risk is written, a fairly detailed risk assessment needs to be performed to identify, quantify and analyze the risk — and that is difficult, which explains the low adoption rate, Mr. Mullen said.

Those who are putting cyber risks in their captives are interested in “incubating the risk” to see how it would perform under regulated insurance market conditions, Mr. Mullen said. They collect a premium and claims information and develop loss experience over three to five years that can help them decide how much risk they should retain or transfer.

“Clients are trying to get their arms around the risk, coupled with a lack of data. For a risk manager to put that in a captive that has been nurtured for 25 years and expose all of that is a tough decision,” he said.

John Masters, senior underwriter and cyber product leader for Hamilton-based American Intenational Group Co. Ltd., said that when he evaluates a company interested in a cyber liability program, he needs to understand how the company is managing their exposures. “First, we need to understand how a breach could occur,” he said.

Mr. Masters said he focuses on three broad categories: company culture, the nature of the company's exposure and what tools the company uses to manage those exposures.

He also inquires about other areas of concern, including the company's risk management framework and its information security training program for employees.

He also asks how a material network interruption would affect the company's ability to generate income, what technologies are in place to mitigate the risk and whether there is a roadmap to resolve the issue quickly.

“All of this information helps us to determine if the company is a good risk,” he said.