Cyber Captives Increasing
Risk managers are increasingly thinking about captives for cyber coverage due to the availability of better benchmarking data as well as the existence of more year-over-year trend analysis.
Five years ago, Marsh had few clients using captives to house cyber risks.
Last year, the number grew to 20, said Mike Serricchio, senior vice president for Marsh’s captive solutions practice. All were Marsh-managed captives with cyber risk policies along with other coverages.
He expects to see a relatively large growth rate for 2015, when the final numbers become available.
“It should be no surprise,” he said. “[Cyber] is what everyone is talking about.”
Due to the high-severity of cyber-related risks and risk managers’ desire to handle them in the best possible way, it’s reasonable that some would explore the use of captives, he said.
One reason is the desire to assume a high deductible and/or a higher coverage limit and fund it through one’s captive in order to gain access to reinsurance markets offering cyber coverage. Another is risk managers’ desire to avoid numerous coverage exclusions common in commercial cyber programs.
“Through a captive, you could expand typical commercial terms and cover something like gross employee negligence,” Serricchio said.
“Most cyber policies will do forensics and notification [when a cyber breach occurs] but might not cover property damage, liability to third parties or reputational risk.”
Interestingly enough, he said, there is broad interest in cyber captives across all industries and among large captives with $5 million to $20 million in annual premium, and small captives with less than $1.2 million in overall premium.
But not everyone is seeing the same level of cyber-captive development.
Stephanie Snyder Tomlinson, national cyber insurance sales leader for the Aon Risk Solutions Services Group, said only 1 percent of more than 1,000 Aon managed captive clients in 2014 wrote cyber insurance.
“Cyber insurance goes back to the late 1990s,” Tomlinson said. She does not anticipate an increase in the use of captives for cyber in the near future.
And whereas Marsh sees interest in cyber captives across all industry segments, Tomlinson said Aon is only seeing interest from health care, financial services and retailers.
These are areas with the greatest cyber-related losses, Tomlinson said.
She agreed, however, that one reason to set up a captive would be to get broader-than-usual cyber coverage.
“The cyber solution is not for every single client but if they do have a captive we are engaging with them in having that conversation.” — Stephanie Snyder Tomlinson, national cyber insurance sales leader, Aon Risk Solutions Services Group
Back in 2013, for instance, Towers Watson (now Willis Towers Watson) told Risk and Insurance® that much of the cyber coverage being offered was being done on a claims-made basis, but several of their captive clients were able to write cyber risk insurance using a manuscript policy occurrence form.
Thus, they were able to build up solid reserves in their captive to use for their cyber risk losses down the road.
Oceana Yates, vice president of captives with R&Q Quest Management Services Ltd. in Hamilton, Bermuda, said that her company manages more than 100 captives — none of whom are writing exclusively cyber risk.
“Some captives have an element of cyber included in their current policies, and the larger parent companies are trying to figure out where and what the risks are and how including cyber in a captive may help them to build reserves for that rainy day experience,” she said.
Clients and their parent companies in the health care and retail spaces especially are realizing how monumental these risks can be, said Yates.
But the risks are substantially wider. Hackers shutting down a power grid, for instance — as happened recently in Ukraine — would have a massive impact on company operations and supply chains.
“It’s no longer just about someone attacking an individual company’s computer systems or jeopardizing credit card information but also the terrorism event that shuts down the power plant or other major infrastructure.
“There’s a broadening awareness of the increasing likelihood of those type of events and the need to use a captive to access the excess markets like the market in Bermuda,” said Yates.
Today, it is larger companies seeking to insure significant layers of risk that are using the captive solution.
“Small and medium-sized companies tend to be at the beginning of the feasibility process at this time,” Yates said.
It remains a challenging process, however.
“There is not a significant amount of historical information for actuaries and others to use as the basis for analysis.
“Added to which, each company has its own unique risks and risk management infrastructure in place so the underwriting becomes bespoke on a case-by-case basis,” Yates said.
Aon’s Tomlinson said captives are being “underutilized” for cyber risk, especially considering the growth of the Internet of Things.
“We anticipate there will be 50 billion devices connected to the internet by 2020,” she said.
But all of Aon’s captives are “using standard policy wordings for cyber risk,” even though they could conceivably widen the coverage.
“A cyber captive may be used to include coverages that are not typically included in a retail insurance market cyber policy, such as Internet of Things exposures (property/general liability risks), or reputational risk.
“And yet generally, insurance buyers find it difficult to quantify the consequences of a cyber event, and hence are reluctant to include cyber in a single-parent captive.
“The cyber solution is not for every single client, but if they do have a captive, we are engaging with them in having that conversation,” Tomlinson said.
There are advantages to captive solutions for cyber coverage, however, including:
- To manage pricing;
- To set specific coverage;
- To set limits not available from the retail insurance market;
- To ensure greater control of claims, including expedient payment of claims compared to traditional insurers; and
- To access tax and other financial statement benefits, which may vary from domicile to domicile.
For cyber-only programs, limits available from the retail insurance market cap out at $200 million to $300 million, said Tomlinson.
“Some multinationals want a large tower of protection to perhaps $500 million,” she said.
“Often, it makes sense to use a captive to retain a large retention,” since the retail market may provide limits in excess of that significant retention, Tomlinson said.