Cyber Captive

Captives Seen As Cyber Option

Using captives to help address the growing threat of cyber risk.
August 1, 2013 • 7 min read

At a time of heightened concern about data breaches and other cyber exposures, a small number of risk specialists are using captives for cyberrisks, while others are still weighing the pros and cons of the cyber-captive alternative.

“I’ve worked with four different companies on captives in this area,” said Jim Swanke, director of risk consulting for Towers Watson.

One of Swanke’s clients set up a captive specifically to address cyber-related liabilities, while two others used existing captives that were covering multiple coverage lines and added cyberrisk. The fourth company added cyber exposures to a captive with a single coverage line, Swanke said.

Swanke is based in Minneapolis and focuses on financial and strategic planning issues including captive insurance company design.

Some are going the captive route to secure coverage through manuscript policy language that is broader than what they can purchase in the commercial market. An example of this is occurrence-based coverage wording.

Because occurrence-based coverage applies to incidents that occur during the policy period, there is generally a longer time horizon for claim reporting and payment, allowing for a build-up of captive reserves.

Some companies would simply prefer to retain the premium dollars for this relatively new coverage area in a captive rather than pay a commercial insurer. Utilizing the captive to access the reinsurance market may also be attractive, Swanke said.

That said, these strategies are more the exception than the rule right now.

One challenge: Cyberrisk is a high-severity, low-frequency risk that does not easily lend itself to a captive solution.

“Captives do better with more predictable high-frequency, low-severity risk resulting in a large probable number of claims” requiring lower capitalization rates, observed James Murray, director of Aon’s Captive and Insurance Management operation in Burlington, Vt.

Standard Market Remains Competitive

The market for cyber coverages is very competitive at the moment, if one includes the participation of excess and surplus line companies like Markel, which is charging a minimum premium of just $1,500 for $1 million in insurance limits for its own data breach claims-made policy.


Specialty underwriter Hiscox, meanwhile, is calling for a minimum premium of even less — just $999 for lower-hazard types of coverages written for smaller companies, according to Matt Donovan, assistant vice president and underwriting leader of Technology and Privacy at Hiscox in Atlanta.

The Hiscox program is also claims-made, and would normally include data breach mitigation coverage. This sort of coverage is among the most-used parts of the cyber policy these days. There are rules in 46 states that require companies to notify individuals when there is a data breach putting private personal information at risk.

Both Markel and Hiscox offer maximum limits of $10 million in such cases.

Still, given the enormity of the risks in question and the costs at stake, Murray acknowledged that a large number of risk managers are talking with their brokers about whether the captive approach makes sense for them in today’s cyberspace, even if only a small number are using a captive for the risk at this point.

It seems like everyone is looking at all possible options when it comes to cyberrisk.

“Almost every client I’ve seen is continuing to reevaluate how it handles cyberrisk, and by that I mean privacy risks including health care data and credit card information,” said Bob Parisi, Network Security and Privacy practice leader at Marsh in New York.

Parisi said the decision to insure one’s cyberrisk exposures using a captive comes when the client is an aggressive user of captives already, where the risk manager is with a large company and has a sophisticated view of risk and where — in some cases at least — the company’s professional liability is uninsurable in the commercial marketplace because they’re in a heavily litigious area.

Watch for New Email Threats

From a data security perspective, the health care industry is among the most highly exposed businesses given the wealth of patient information it holds. This past May, Andi Baritchi, managing principal of Security Consulting at Verizon Business, spoke at a health care conference and suggested that 2013 will be marked by the prevalence of malicious emails.

Baritchi estimated that one in five emails contains malware and that of the billions of spam emails sent each day, 92 percent of them have potentially malicious web links. Baritchi made his comments to the Huffington Post.

“Traditional anti-virus and firewall defenses can no longer be trusted to prevent these web-borne threats,” he said to that news outlet.

Of course, now, it’s not only health and technology companies that are at risk. Currently, everyone from lawyers and accountants to medical professionals to educational institutions may find reasons to consider the purchase of cyberrisk insurance either commercially or via a self-insured option like a captive. Exposures exist even for retailers like gas stations and supermarkets.

Cyber-Captive Advantages

Risk experts considering the use of a captive to insure their first-party property and third-party cyberliability risks might want to consider the following goals and advantages:

* The ability to “buy down” one’s deductible or serve as a cyberrisk reinsurer. Aon’s Murray said he has a client using its captive insurer to cover a high deductible, in order to get better pricing for that part of its coverage package.

Marsh’s Parisi said that where insurers are participating in a large “cyber tower,” he has seen a few fronting arrangements where the captive acts as a reinsurer — though with the market as soft as it is now, that usually is not required to fill in gaps in cyber insurance programs.

“Limits of $200 million are available for all coverage lines under cyber” — including data breach mitigation — said Parisi, adding that Marsh has placed several such programs.

“Realistically, market capacity for a single entity probably maxes out at about $300 million,” he said. Other experts note that even if the cyber insurance market becomes less competitive, using one’s captive as a reinsurer means extra charges in the form of ceding commissions and fronting costs.

* The ability to receive better policy terms through their captive. Towers Watson’s Swanke said that a lot of the cyber coverage being offered out there is on a claims-made basis, but several of his clients are able to write cyberrisk insurance using a manuscript policy occurrence form. This way, he said, they are able to build up solid reserves in their captive to use for their cyberrisk losses down the road.


Then too, there are the typical benefits of the captive strategy to consider, such as:

* The ability to avoid the volatility of commercial insurance pricing and policy term restrictions over time. Today, many coverages are relatively inexpensive but that may not always be the case.

* The ability for your captive managers to have their own say as part of their panel of cyberrisk underwriters.

* The ability to structure your insurance program more easily given that the captive can fill any gaps in coverage that could materialize over time.

“My professional opinion is that if someone has been operating a captive for many years it would be a very easy next step to add cyber coverage to that captive,” said Swanke.

Also, he observed, whereas it’s mostly large, Fortune 500 companies opting for such a strategy today, this could change pretty quickly. Small to medium-sized organizations are exposed to cyberrisks as well and will likely move towards captives as a risk financing solution.

“Anybody that is holding the personal data of individuals now knows that information is sacred,” and that it’s terrible news if that data is lost or stolen. “We are seeing a greater frequency of loss than at any time in the past,” said Swanke.

“The big advantage to having a captive is you basically control the captive and the scope of coverage,” he said.

Claim payments from a captive are also typically faster than those from commercial insurance, said the Towers Watson executive.

Do Your Homework

“Of course, like any captive arrangement, you still need a game plan and to do your homework vis-à-vis actuarial and legal considerations,” he added.

As for where to house a new captive focusing on cyberrisk, experts said most of the major U.S. captive domiciles are open to such arrangements. Murray pointed to two domiciles, Vermont and Montana, with experience in this area.

On this point, Murray offered a single caveat. “While there is no niche domicile, it’s always easier if your captive is not one of the first to bring this risk to a state without experience in cyber. That’s always a little more challenging,” he said.

Janet Aschkenasy is a freelance financial writer based in New York.

More from Risk & Insurance


Risk Focus: Cyber

Expanding Cyber BI

Cyber business interruption insurance is a thriving market, but growth carries the threat of a mega-loss.
March 5, 2018 • 7 min read

Lingering hopes that a large-scale cyber attack might be a once-in-a-lifetime event were dashed last year. The four-day WannaCry ransomware strike in May across 150 countries targeted more than 300,000 computers running Microsoft Windows. A month later, NotPetya hit multinationals ranging from Danish shipping firm Maersk to pharmaceutical giant Merck.


Maersk’s chairman, Jim Hagemann Snabe, revealed at this year’s Davos summit that NotPetya shut down most of the group’s network. While it was replacing 45,000 PCs and 4,000 servers, freight transactions had to be completed manually. The combined cost of business interruption and rebuilding the system was up to $300 million.

Merck’s CFO Robert Davis told investors that its NotPetya bill included $135 million in lost sales plus $175 million in additional costs. Fellow victims FedEx and French construction group Saint Gobain reported similar financial hits from lost business and clean-up costs.

The fast-expanding world of cryptocurrencies is also increasingly targeted. Echoes of the 2014 hack that triggered the collapse of Bitcoin exchange Mt. Gox emerged this January when Japanese cryptocurrency exchange Coincheck pledged to repay customers $500 million stolen by hackers in a cyber heist.

The size and scope of last summer’s attacks accelerated discussions on both sides of the Atlantic, between risk managers and brokers seeking more comprehensive cyber business interruption insurance products.

It also recently persuaded Pool Re, the UK’s terrorism reinsurance pool set up 25 years ago after bomb attacks in London’s financial quarter, to announce that from April its cover will extend to include material damage and direct BI resulting from acts of terrorism using a cyber trigger.

“The threat from a cyber attack is evident, and businesses have become increasingly concerned about the extensive repercussions these types of attacks could have on them,” said Pool Re’s chief, Julian Enoizi. “This was a clear gap in our coverage which left businesses potentially exposed.”

Shifting Focus

Development of cyber BI insurance to date reveals something of a transatlantic divide, said Hans Allnutt, head of cyber and data risk at international law firm DAC Beachcroft. The first U.S. mainstream cyber insurance products were a response to California’s data security and breach notification legislation in 2003.


Of more recent vintage, Europe’s first cyber policies’ wordings initially reflected U.S. wordings, with the focus on data breaches. “So underwriters had to innovate and push hard on other areas of cyber cover, particularly BI and cyber crimes such as ransomware demands and distributed denial of service attacks,” said Allnutt.

“Europe now has regulation coming up this May in the form of the General Data Protection Regulation across the EU, so the focus has essentially come full circle.”

Cyber insurance policies also provide a degree of cover for BI resulting from one of three main triggers, said Jimaan Sané, technology underwriter for specialist insurer Beazley. “First is the malicious-type trigger, where the system goes down or an outage results directly from a hack.

“Second is any incident involving negligence — the so-called ‘fat finger’ — where human or operational error causes a loss or there has been failure to upgrade or maintain the system. Third is any broader unplanned outage that hits either the company or anyone on which it relies, such as a service provider.”

The importance of cyber BI covering negligent acts in addition to phishing and social engineering attacks was underlined by last May’s IT meltdown suffered by airline BA.

This was triggered by a technician who switched off and then reconnected the power supply to BA’s data center, physically damaging servers and distribution panels.

Compensating delayed passengers cost the company around $80 million, although the bill fell short of the $461 million operational error loss suffered by Knight Capital in 2012, which pushed it close to bankruptcy and decimated its share price.

Mistaken Assumption

Awareness of potentially huge BI losses resulting from cyber attack was heightened by well-publicized hacks suffered by retailers such as Target and Home Depot in late 2013 and 2014, said Matt Kletzli, SVP and head of management liability at Victor O. Schinnerer & Company.


However, the incidents didn’t initially alarm smaller, less high-profile businesses, which assumed they wouldn’t be similarly targeted.

“But perpetrators employing bots and ransomware set out to expose any firms with weaknesses in their system,” he added.

“Suddenly, smaller firms found that even when they weren’t themselves targeted, many of those around them had fallen victim to attacks. Awareness started to lift, as the focus moved from large, headline-grabbing attacks to more everyday incidents.”

Publications such as the Director’s Handbook of Cyber-Risk Oversight, issued by the National Association of Corporate Directors and the Internet Security Alliance, fixed the issue firmly on boardroom agendas.


Reformed ex-hackers were recruited to offer board members their insights into the most vulnerable points across the company’s systems — in much the same way as forger-turned-security-expert Frank Abagnale Jr., subject of the Spielberg biopic “Catch Me If You Can.”

There also has been an increasing focus on systemic risk related to cyber attacks. Allnutt cites “Business Blackout,” a July 2015 study by Lloyd’s of London and Cambridge University’s Centre for Risk Studies.

This detailed analysis of what could result from a major cyber attack on America’s power grid predicted a cost to the U.S. economy of hundreds of billions and claims to the insurance industry totalling upwards of $21.4 billion.

Lloyd’s described the scenario as both “technologically possible” and “improbable.” Three years on, however, it appears less fanciful.

In January, the head of the UK’s National Cyber Security Centre, Ciaran Martin, said the UK had been fortunate so far in averting a ‘category one’ attack. A C1 would shut down the financial services sector on which the country relies heavily and other vital infrastructure. It was a case of “when, not if” such an assault would be launched, he warned.

AI: Friend or Foe?

Despite daunting potential financial losses, pioneers of cyber BI insurance such as Beazley, Zurich, AIG and Chubb now see new competitors in the market. Capacity is growing steadily, said Allnutt.

“Not only is cyber insurance a new product, it also offers a new source of premium revenue so there is considerable appetite for taking it on,” he added. “However, whilst most insurers are comfortable with the liability aspects of cyber risk, not all insurers are covering loss of income.”


Kletzli added that available products include several well-written, broad cyber coverages that take into account all types of potential cyber attack and don’t attempt to limit cover by applying a narrow definition of BI loss.

“It’s a rapidly-evolving coverage — and needs to be — in order to keep up with changing circumstances,” he said.

The good news, according to a Fitch report, is that the cyber loss ratio has been reduced to 45 percent as more companies buy cover and the market continues to expand, bringing down the size of the average loss.

“The bad news is that at cyber events, talk is regularly turning to ‘what will be the Hurricane Katrina-type event’ for the cyber market?” said Kletzli.

“What’s worse is that with hurricane losses, underwriters know which regions are most at risk, whereas cyber is a global risk and insurers potentially face huge aggregation.”


Nor is the advent of robotics and artificial intelligence (AI) necessarily cause for optimism. As Allnutt noted, while AI can potentially be used to decode malware, by the same token sophisticated criminals can employ it to develop new malware and escalate the ‘computer versus computer’ battle.

“The trend towards greater automation of business means that we can expect more incidents involving loss of income,” said Sané. “What’s possibly of greater concern is the sheer number of different businesses that can be affected by a single cyber attack and the cost of getting them up and running again quickly.

“We’re likely to see a growing number of attacks where the aim is to cause disruption, rather than demand a ransom.

“The paradox of cyber BI is that the more sophisticated your organization and the more it embraces automation, the bigger the potential impact when an outage does occur. Those old-fashioned businesses still reliant on traditional processes generally aren’t affected as much and incur smaller losses.”

Graham Buck is editor of He can be reached at