Captives increase options for cyber cover

After some initial reluctance, owners of captive insurers appear to be showing some enthusiasm for using captives to cover cyber risks, industry analysts say.

But difficulties in measuring cyber exposures and concerns over the size of the exposure are still holding many captive owners back.

Tina Summers, a senior vice president with Marsh L.L.C.’s captive solutions practice in San Francisco said that while cyber capacity remains abundant in the commercial market, market pricing and appetite has deteriorated for clients in certain industries.

“In some cases,” Ms. Summers said, “cyber risk is evolving faster than the commercial market, which forces clients to retain exposures that the market will not write. For these clients, using a captive to fund increasing retentions or gaps in their cyber program can reduce the volatility of retained losses and lessen the balance sheet impact.”

Ms. Summers added that Marsh has some clients for whom cyber is still a relatively new risk, “so they’re using the captive as a way to kind of incubate the risk before approaching the commercial market to try and get insurance.”

“So it’s a good transition state from being uninsured into a risk transfer program,” she said. “They feel like having the data can provide them with more negotiating leverage because they have more information about their exposure.”

Samit Shah, Denver-based insurance solutions manager at security ratings company BitSight Technologies Inc., said some captives might have “difficulty wrapping their arms around what cyber risk means, what it is, what the risk exposures are, and how they measure the impact that risk might have to the company.”

“When you’re putting risk like that into a captive,” he said, “you should have some baseline understanding of what the risk exposures are so you can underwrite it and identify the gaps with other coverages that you might have in the captive.”

As far as potential solutions, Mr. Shah said many companies are bringing prebreach, loss-mitigation, and post-breach services to the market, decreasing costs and increasing quality and breadth of services.

In addition, he said several risk modeling firms are taking the available data and generating severity models to better approximate the financial impact of an event.

“They’re trying to find the data,” he said. “They’re trying to help companies understand what’s the likelihood of a breach and what’s the financial impact of a breach. Industry and government associations are all trying to help drive some kind of standard around information sharing. And that’s been one of the challenges for a long time, and it still is a challenge — something that I think carriers are reluctant or slow to get involved with, but it is starting to slowly take shape.”

In August, Zurich Insurance Group Ltd. announced its security and privacy protection policy for companies and their captives cover the costs associated with a data breach.

“I think going forward, businesses will looking for better options to address their cyber risk, and that may mean the captive use will continue to grow for at least retention and deductible amounts,” said Erica Davis, New York-based head of specialty products errors and omissions for Zurich North America.

Ms. Davis added that “it could be the captive use is more intended for the unique kind of ‘uninsurables,’ so what currently isn’t covered in a traditional cyber product available in the marketplace, or we may see it grow by ways of risk transfer here in the U.S. but fronting outside of the U.S., because the exposure is less understood generally speaking outside of the U.S.”

Carolyn Snow, director of risk management at Humana Inc. in Louisville, Kentucky, said that while there are several good business uses for captives, cyber is currently probably one of the coverages that’s less frequently placed in a captive.

“When you place risk or coverage in a captive,” Ms. Snow said, “you need to do an actuarial study or a reserve analysis so that you can evaluate your true exposure, as cyber coverage is relatively new compared to other lines of coverage and there generally is not as much industry experience that an actuary could use. So it’s harder to evaluate your exposure if you’re a looking to use a captive for your cyber coverage.”

Ms. Snow said cyber is typically placed in smaller company captives, where their exposure might just be the cost of the breach and the cost of the credit monitoring.

“Bigger companies have different exposure,” she said. “You have not only the breach, you generally have a lot more records, so the cost of credit monitoring is much greater, and you also have a potential hit to your reputation and even a potential loss of business if people lose confidence in your ability to protect their information. A growing concern for publicly held companies is a potential related (director and officers liability) claim.”

“In my opinion,” Ms. Snow added, “it doesn’t make good business sense to put your cyber coverage in a captive unless you’re just a small company that can anticipate the cost of your breach.” In January, Aon Global Risk Consulting said it was launching a cyber captive program to create a new risk transfer option for growing cyber exposures.

The program guides companies through a series of steps to help identify, assess and quantify their cyber exposures, ultimately making more informed decisions around risk retention in a captive as well as providing broad-form risk transfer capacity of potentially up to $400 million, Aon said.

Historically, Aon said, captive insurers have most often been used to underwrite property damage, workers compensation, medical malpractice and third-party liability risks. Eight percent of respondents to an Aon survey in 2015 indicated interest in underwriting cyber risk in a captive, a trend that is projected to increase threefold in the next five years.

Peter Mullen, CEO of Aon Global Risk Consulting’s captive and insurance management team in Bermuda, said one of the challenges Aon discovered that clients had was actually understanding the risk.

“The clients were struggling when it came to risk identification and quantification,” he said. “So we knew there was a need in the market for an identification assessment quantification process, certainly for larger clients. We also find cyber risk varies dramatically by industry. That in turn was reflected in the insurance buying habits of the various industries.

We found that in the health care space, 70% of the clients were buyers of insurance, whereas in the manufacturing space, 17% were buyers.”