Cyber Captive

Captives Seen As Cyber Option

Using captives to help address the growing threat of cyber risk.
By: | August 1, 2013 • 7 min read

At a time of heightened concern about data breaches and other cyber exposures, a small number of risk specialists are using captives for cyberrisks, while others are still weighing the pros and cons of the cyber-captive alternative.

“I’ve worked with four different companies on captives in this area,” said Jim Swanke, director of risk consulting for Towers Watson.

One of Swanke’s clients set up a captive specifically to address cyber-related liabilities, while two others used existing captives that were covering multiple coverage lines and added cyberrisk. The fourth company added cyber exposures to a captive with a single coverage line, Swanke said.

Swanke is based in Minneapolis and focuses on financial and strategic planning issues including captive insurance company design.

Some are going the captive route to secure coverage through manuscript policy language that is broader than what they can purchase in the commercial market. An example of this is occurrence-based coverage wording.

Because occurrence-based coverage applies to incidents that occur during the policy period, there is generally a longer time horizon for claim reporting and payment, allowing for a build-up of captive reserves.

Some companies would simply prefer to retain the premium dollars for this relatively new coverage area in a captive rather than pay a commercial insurer. Utilizing the captive to access the reinsurance market may also be attractive, Swanke said.

That said, these strategies are more the exception than the rule right now.

One challenge: Cyberrisk is a high-severity, low frequency risk that does not easily lend itself to a captive solution.

“Captives do better with more predictable high-frequency, low-severity risk resulting in a large probable number of claims” requiring lower capitalization rates, observed James Murray, director of Aon’s Captive and Insurance Management operation in Burlington, Vt.

Standard Market Remains Competitive

The market for cyber coverages is very competitive at the moment, if one includes the participation of excess and surplus line companies like Markel, which is charging a minimum premium of just $1,500 for $1 million in insurance limits for its own data breach claims-made policy.


Specialty underwriter Hiscox, meanwhile, is calling for a minimum premium of even less  —  just $999 for lower-hazard types of coverages written for smaller companies, according to Matt Donovan, assistant vice president and underwriting leader of Technology and Privacy at Hiscox in Atlanta.

The Hiscox program is also claims-made, and would normally include data breach mitigation coverage. This sort of coverage is among the most-used part of the cyber policy these days. There are rules in 46 states that require companies to notify individuals when there is a data breach putting private personal information at risk.

Both Markel and Hiscox offer maximum limits of $10 million in such cases.

Still, given the enormity of the risks in question and the costs at stake, Murray acknowledged that a large number of risk managers are talking with their brokers about whether the captive approach makes sense for them in today’s cyberspace, even if only a small number are using a captive for the risk at this point.

It seems like everyone is looking at all possible options when it comes to cyberrisk.

“Almost every client I’ve seen is continuing to reevaluate how it handles cyberrisk, and by that I mean privacy risks including health care data and credit card information,” said Bob Parisi, Network Security and Privacy practice leader at Marsh in New York.

Parisi said the decision to insure one’s cyberrisk exposures using a captive comes when the client is an aggressive user of captives already, where the risk manager is with a large company and has a sophisticated view of risk and where  —  in some cases at least  —  the company’s professional liability is uninsurable in the commercial marketplace because they’re in a heavily litigious area.

Watch for New Email Threats

From a data security perspective, the health care industry is among the most highly exposed businesses given the wealth of patient information it holds. This past May, Andi Baritchi, managing principal of Security Consulting at Verizon Business, spoke at a health care conference and suggested that 2013 will be marked by the prevalence of malicious emails.

Baritchi estimated that one in five emails contain malware and that of the billions of spam emails sent each day, 92 percent of them have potentially malicious web links. Baritchi made his comments to the Huffington Post.

“Traditional anti-virus and firewall defenses can no longer be trusted to prevent these web-borne threats,” he said to that news outlet.

Of course, now, it’s not only health and technology companies that are at risk. Currently, everyone from lawyers and accountants to medical professionals to educational institutions may find reasons to consider the purchase of cyberrisk insurance either commercially or via a self-insured option like a captive. Exposures exist even for retailers like gas stations and supermarkets.

Cyber-Captive Advantages

Risk experts considering the use of a captive to insure their first-party property and third-party cyberliability risks might want to consider the following goals and advantages:

* The ability to “buy down” one’s deductible or serve as a cyberrisk reinsurer. Aon’s Murray said he has a client using its captive insurer to cover a high deductible, in order to get better pricing for that part of its coverage package.

Marsh’s Parisi said that where insurers are participating in a large “cyber tower,” he has seen a few fronting arrangements where the captive acts as a reinsurer  —  though with the market as soft as it is now, that usually is not required to fill in gaps in cyber insurance programs.

“Limits of $200 million are available for all coverage lines under cyber”  —  including data breach mitigation  —  said Parisi, adding that Marsh has placed several such programs.

“Realistically, market capacity for a single entity probably maxes out at about $300 million,” he said. Other experts note that even if the cyber insurance market becomes less competitive, using one’s captive as a reinsurer means extra charges in the form of ceding commissions and fronting costs.

* The ability to receive better policy terms through their captive. Towers Watson’s Swanke said that a lot of the cyber coverage being offered out there is on a claims-made basis, but several of his clients are able to write cyberrisk insurance using a manuscript policy occurrence form. This way, he said, they are able to build up solid reserves in their captive to use for their cyberrisk losses down the road.


Then too, there are the typical benefits of the captive strategy to consider, such as:

* The ability to avoid the volatility of commercial insurance pricing and policy term restrictions over time. Today, many coverages are relatively inexpensive but that may not always be the case.

* The ability for your captive managers to have their own say as part of their panel of cyberrisk underwriters.

* The ability to structure your insurance program more easily given that the captive can fill any gaps in coverage that could materialize over time.

“My professional opinion is that if someone has been operating a captive for many years it would be a very easy next step to add cyber coverage to that captive,” said Swanke.

Also, he observed, whereas it’s mostly large, Fortune 500 companies opting for such a strategy today, this could change pretty quickly. Small to medium-sized organizations are exposed to cyberrisks as well and will likely move towards captives as a risk financing solution.

“Anybody that is holding the personal data of individuals now knows that information is sacred,” and that it’s terrible news if that data is lost or stolen. “We are seeing a greater frequency of loss than at any time in the past,” said Swanke.

“The big advantage to having a captive is you basically control the captive and the scope of coverage,” he said.

Claim payments from a captive are also typically faster than those from commercial insurance, said the Towers Watson executive.

Do Your Homework

“Of course, like any captive arrangement, you still need a game plan and to do your homework vis a vis actuarial and legal considerations,” he added.

As for where to house a new captive focusing on cyberrisk, experts said most of the major U.S. captive domiciles are open to such arrangements. Murray pointed to two domiciles, Vermont and Montana, with experience in this area.

On this point, Murray offered a single caveat. “While there is no niche domicile, it’s always easier if your captive is not one of the first to bring this risk to a state without experience in cyber. That’s always a little more challenging,” he said.

Janet Aschkenasy is a freelance financial writer based in New York. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

The Profession

For This Pharmaceutical Risk Director, Managing Risk Means Being Part of the Mission to Save Lives

Meet Eric Dobkin, director, insurance and risk management, for Merck & Co. Inc.
By: | September 28, 2018 • 5 min read

R&I: What was your first job?
My first job out of undergrad was as an actuarial trainee at Chubb.I was a math major in school, and I think the options for a math major coming out are either a teacher or an actuary, right? Anyway, I was really happy when the opportunity at Chubb presented itself. Fantastic company. I learned a lot there.

R&I: How did you come to work in risk management?
After I went back to get my MBA, I decided I wanted to work in corporate finance. When I was interviewing, one of the opportunities was with Merck. I really liked their mission, and things worked out. Given my background, they thought a good starting job would be in Merck’s risk management group. I started there, rotated through other areas within Merck finance but ultimately came back to the Insurance & Risk Management group. I guess I’m just one of those people who enjoy this type of work.


R&I: What is risk management doing right?
I think the community is doing a good job of promoting education, sharing ideas and advancing knowledge. Opportunities like this help make us all better business partners. We can take these ideas and translate them into actionable solutions to help our companies.

R&I: What could the risk management community be doing a better job of?
I think we have made good advancements in articulating the value proposition of investing in risk management, but much more can be done. Sometimes there is such a focus on delivering immediate value, such as cost savings, that risk management does not get appropriate attention (until something happens). We need to develop better tools that can reinforce that risk management is value-creating and good for operational efficiency, customers and shareholders.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?
I’d actually say there hasn’t been as much change as I would have hoped. I think the industry speaks about innovation more often than it does it. To be fair, at Merck we do have key partners that are innovators, but some in the industry are less enthusiastic to consider new approaches. I think there is a real need to find new and relevant solutions for large, complex risks.

R&I: What emerging commercial risk most concerns you?
Cyber risk. While it’s not emerging anymore, it’s evolving, dynamic and deserves the attention it gets. Merck was an early adopter of risk transfer solutions for cyber risk, and we continue to see insurance as an important component of the overall cyber risk management framework. From my perspective, this risk, more than any other, demands continuous forward-thinking to ensure we evolve solutions.

R&I: What’s the biggest challenge you’ve faced in your career?
Sticking with the cyber theme, I’d say navigating through a cyber incident is right up there. In June 2017, Merck experienced a network cyber attack that led to a disruption of its worldwide operations, including manufacturing, research and sales. It was a very challenging environment. And managing the insurance claim that resulted has been extremely complex. But at the same time, I have learned a tremendous amount in terms of how to think about the risk, enterprise resiliency and how to manage through a cyber incident.

R&I: What advice might you give to students or other aspiring risk managers?
Have strong intellectual curiosity. Always be willing to listen and learn. Ask “why?” We deal with a lot of ambiguity in our business, and the more you seek to understand, the better you will be able to apply those learnings toward developing solutions that meet the evolving risk landscape and needs of the business.


R&I: What role does technology play in your company’s approach to risk management?
We’re continuing to look for ways to apply technology. For example, being able to extract and leverage data that resides in our systems to evaluate risk, drive efficiencies and make things like property-value reporting easier. We’re also looking to utilize data visualization tools to help gain insights into our risks.

R&I: What are your goals for the next five to 10 years of your career?
I think, at this time, I would like to continue to learn and grow in the type of work I do and broaden my scope of responsibilities. There are many opportunities to deliver value. I want to continue to focus on becoming a stronger business partner and help enable growth.

R&I: What is your favorite book or movie?
I’d say right now Star Wars is top on my list. It has been magical re-watching and re-living the series I watched as a kid through the eyes of my children.

R&I: What is the riskiest activity you ever engaged in? When I was about 15, I went to a New York Rangers versus Philadelphia Flyers game at the Philadelphia Spectrum. I wore my Rangers jersey. I would not do that again.

Eric Dobkin, director, insurance & risk management, Merck & Co. Inc

R&I: What is it about this work you find most fulfilling or rewarding?
I am passionate about Merck’s mission of saving and improving lives. “Inventing for Life” is Merck’s tagline. It’s funny, but most people don’t associate “inventing” with medicine. But Merck has been inventing medicines and vaccines for many of the world’s most challenging diseases for a long time. It’s amazing to think the products we make can help people fight terrible diseases like cancer. Whatever little bit I can do to help advance that mission is very fulfilling and rewarding.

R&I: What do your friends and family think you do?
Ha! My kids think I make medicine. I guess they think that because I work for Merck. I suppose if even in a small way I can contribute to Merck’s mission of saving and improving lives, I am good with that. &

Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]