White Paper

Cyber Insurance or Cyber Captive?

Pinnacle Actuarial Resources’ Aaron Hillebrandt advises caution for those engaged in managing cyber risk—even those seeking a captive solution, given the unknowns and volatility associated with the cyber insurance market.

White Paper Summary

Insurers and risk managers expecting relief from escalating cyber insurance premium increases may want to temper their expectations.

According to Pinnacle Principal and Consulting Actuary Aaron Hillebrandt, the cyber risk landscape continues to be extremely complicated, even murky. It’s difficult to know if the insurance industry is getting a full and complete picture of the number and severity of cyber breaches or ransomware attacks.

In addition, price increases for coverages are continuing to increase, so anyone seeking to purchase coverage, start a captive to manage cyber risk, or self-insure for cyber losses should tread carefully.

Not only are premiums continuing to spike, but research from organizations specializing in cyber are delivering divergent results on the details of losses, including number and scope of losses for companies in a variety of industries.

Remote work became much more prevalent for a large section of the workforce during the COVID-19 pandemic. It stood to reason that less technologically secure remote work arrangements could, theoretically, increase cyber risk and attendant losses. According to IBM’s Cost of a Data Breach Report 2021 featuring research from the Ponemon Institute, concerns about those arrangements appear to be well-founded.

According to the report, the average cost of a breach for companies with less than 10% of their workforce working remotely was $3.65 million. For companies with 81 to 100% of their workforces working remotely, that cost averaged $5.54 million.

That same report stated that companies with less than 50% of their workforce operating remotely reported requiring an average of 258 days to identify and contain a breach. Companies with more than 50% of their employees working remotely needed an average of 316 days to identify and contain a breach.

Could it be that the companies encouraging remote workers to return to the office in 2022 are most concerned with cyber security risk?

Hillebrandt confirmed that the frequency and severity of cyber incidents increased as the COVID-19 pandemic pushed so much of the workforce into work-from-home situations.

“The influence of remote work accelerated cyber claims trends and exacerbated conditions associated with greater cyber risk,” Hillebrandt said.

The Pinnacle team has also documented what many underwriters have experienced, some more acutely than others. Cyber insurance premium rates have been inadequate for quite some time and are likely still inadequate.

“Several years ago, research indicated that pricing levels were lower than where they should have been. The industry seemed to be racing, competing to write more cyber policies, depressing pricing,” he said.

“Subsequently, the claim situation reversed, with increasing frequency and severity. Consequently, there is much more ground needed to be made up to get premiums to an adequate level. I think we’re still not there yet,” he added.

“That’s why pricing is accelerating so much now,” he said.


To learn more about Pinnacle Actuarial Resources, Inc., please visit their website.

A full-service actuarial firm, Pinnacle provides your business with data-driven research backed by clear communication. Our expert Consultants work with you to look beyond today’s numbers in planning for tomorrow.

More from Risk & Insurance

More from Risk & Insurance