Why 20% of Health Care Organizations Are Using Captives for Cyber Risk Coverage
Health care organizations are leading the way when it comes to using their captives to insure cyber risk, according to a new survey by Aon.
Aon’s Cyber Captive Survey 2019 Report — ‘Creating Value for the Cyber Risk Agenda’ — found that cyber gross written premiums grew by 263% year-on-year overall, illustrating a huge uptick in demand for cyber products among captive owners.
However, it was the health care sector that stood out as the industry with the biggest uptake of cyber risk in its captives at 19%. Next came energy at 15%, followed by financial institutions, food and beverage and life sciences, which each reported a 7% uptake.
“Unsurprisingly health care is the most prominent industry featured given the levels of sensitive data currently being processed around patient care and management,” Aon said.
Aon noted that the uptick in captive cyber premiums comes against a backdrop of increased capital investment in digital transformation ($1.5 trillion CAPEX per year) and more financially material cyber security incidents (approximately $550 billion in economic loss per year).
Adrian Lynch, managing director of Aon Insurance Managers (Cayman), said U.S. health care organizations in particular face potentially huge exposures and have until recently struggled to obtain capacity, adequately responding coverage and limits in the commercial market.
“Hospitals aren’t in a position to just shut operations down until they have got a cyber breach under control, so they are very concerned by their exposure,” he told Risk & Insurance®.
“A lot of these organizations are investing in tools to help them identify where their cyber risk lies. They can now take credible data to the commercial market, which is responding with the quality capacity they need – which means they can now discuss the potential for captive retentions.”
Growing Uptake
Aon’s survey suggested that only 2.5 to 3% of captives globally currently retain cyber risk, but that more than a third (34%) may retain cyber risk in five years’ time. Aon also projected that captive cyber premiums could reach up to $2.9 billion, or 20-22% of the total spend on cyber insurance.
“The captive can be a fundamental cog in how organizations tackle cyber risk going forward — be it as a protection or funding mechanism,” Aon said.
The main reasons respondents reported using captives for cyber risk were to achieve greater control of their insurance programs (37%) as well as cost efficiencies (37%).
Innovative wordings and breadth of coverage are also key factors, Aon noted, with many captives writing cyber coverage that includes cover for non-damage business interruption (63%) and coverages not accessible in the commercial marketplace, such as liability associated with bodily injury (22%).
According to John English, CEO of captive and insurance management for Aon, “a captive can not only provide access to innovative coverage and unlock additional capacity … but also better coordinate key internal teams in a company to improve overall capital allocation, strategic planning, and risk improvement for cyber risk.”
Around a quarter (26%) of captives surveyed have suffered a cyber loss, of which 29% have been a full limit loss.
However, Aon noted that the management of cyber risk remains “fragmented and inconsistent across corporate functions” with only 38% of risk teams involved in the assessment of cyber risk compared to 86% of IT teams.
Aon urged captive owners to treat cyber risk as an enterprise risk, identify and map their cyber risk to the business and technology profile of the parent company, build financial models to quantify balance sheet exposure, assess the viability of captive utilization and ensure their risk financing strategies reflect the complexity and materiality of the cyber exposure.
True retention?
According to Paul Macey, president of captive manager USA Risk Group, most health care organizations he sees using captives to address cyber risk to date only do so to manage retentions and deductible reimbursements.
“This is not the same as writing and retaining cyber risk,” he argued.
“We still don’t see many health care organizations running cyber risk through their captives because there is so much volatility and uncertainty in that line of business right now — and the commercial market has the capacity to respond and is still relatively inexpensive,” Macey said.
However, Lynch insisted that genuine cyber risk transfer is being undertaken.
“Not everybody is writing cyber risk yet, but more of a consistent approach is being taken and some true risk is now being retained within captives.”