Cyber Captive

Captives Seen As Cyber Option

Using captives to help address the growing threat of cyber risk.
By: | August 1, 2013 • 7 min read

At a time of heightened concern about data breaches and other cyber exposures, a small number of risk specialists are using captives for cyberrisks, while others are still weighing the pros and cons of the cyber-captive alternative.

“I’ve worked with four different companies on captives in this area,” said Jim Swanke, director of risk consulting for Towers Watson.

One of Swanke’s clients set up a captive specifically to address cyber-related liabilities, while two others used existing captives that were covering multiple coverage lines and added cyberrisk. The fourth company added cyber exposures to a captive with a single coverage line, Swanke said.

Swanke is based in Minneapolis and focuses on financial and strategic planning issues including captive insurance company design.

Some are going the captive route to secure coverage through manuscript policy language that is broader than what they can purchase in the commercial market. An example of this is occurrence-based coverage wording.

Because occurrence-based coverage applies to incidents that occur during the policy period, there is generally a longer time horizon for claim reporting and payment, allowing for a build-up of captive reserves.

Some companies would simply prefer to retain the premium dollars for this relatively new coverage area in a captive rather than pay a commercial insurer. Utilizing the captive to access the reinsurance market may also be attractive, Swanke said.

That said, these strategies are more the exception than the rule right now.

One challenge: Cyberrisk is a high-severity, low frequency risk that does not easily lend itself to a captive solution.

“Captives do better with more predictable high-frequency, low-severity risk resulting in a large probable number of claims” requiring lower capitalization rates, observed James Murray, director of Aon’s Captive and Insurance Management operation in Burlington, Vt.

Standard Market Remains Competitive

The market for cyber coverages is very competitive at the moment, if one includes the participation of excess and surplus line companies like Markel, which is charging a minimum premium of just $1,500 for $1 million in insurance limits for its own data breach claims-made policy.


Specialty underwriter Hiscox, meanwhile, is calling for a minimum premium of even less  —  just $999 for lower-hazard types of coverages written for smaller companies, according to Matt Donovan, assistant vice president and underwriting leader of Technology and Privacy at Hiscox in Atlanta.

The Hiscox program is also claims-made, and would normally include data breach mitigation coverage. This sort of coverage is among the most-used part of the cyber policy these days. There are rules in 46 states that require companies to notify individuals when there is a data breach putting private personal information at risk.

Both Markel and Hiscox offer maximum limits of $10 million in such cases.

Still, given the enormity of the risks in question and the costs at stake, Murray acknowledged that a large number of risk managers are talking with their brokers about whether the captive approach makes sense for them in today’s cyberspace, even if only a small number are using a captive for the risk at this point.

It seems like everyone is looking at all possible options when it comes to cyberrisk.

“Almost every client I’ve seen is continuing to reevaluate how it handles cyberrisk, and by that I mean privacy risks including health care data and credit card information,” said Bob Parisi, Network Security and Privacy practice leader at Marsh in New York.

Parisi said the decision to insure one’s cyberrisk exposures using a captive comes when the client is an aggressive user of captives already, where the risk manager is with a large company and has a sophisticated view of risk and where  —  in some cases at least  —  the company’s professional liability is uninsurable in the commercial marketplace because they’re in a heavily litigious area.

Watch for New Email Threats

From a data security perspective, the health care industry is among the most highly exposed businesses given the wealth of patient information it holds. This past May, Andi Baritchi, managing principal of Security Consulting at Verizon Business, spoke at a health care conference and suggested that 2013 will be marked by the prevalence of malicious emails.

Baritchi estimated that one in five emails contain malware and that of the billions of spam emails sent each day, 92 percent of them have potentially malicious web links. Baritchi made his comments to the Huffington Post.

“Traditional anti-virus and firewall defenses can no longer be trusted to prevent these web-borne threats,” he said to that news outlet.

Of course, now, it’s not only health and technology companies that are at risk. Currently, everyone from lawyers and accountants to medical professionals to educational institutions may find reasons to consider the purchase of cyberrisk insurance either commercially or via a self-insured option like a captive. Exposures exist even for retailers like gas stations and supermarkets.

Cyber-Captive Advantages

Risk experts considering the use of a captive to insure their first-party property and third-party cyberliability risks might want to consider the following goals and advantages:

* The ability to “buy down” one’s deductible or serve as a cyberrisk reinsurer. Aon’s Murray said he has a client using its captive insurer to cover a high deductible, in order to get better pricing for that part of its coverage package.

Marsh’s Parisi said that where insurers are participating in a large “cyber tower,” he has seen a few fronting arrangements where the captive acts as a reinsurer  —  though with the market as soft as it is now, that usually is not required to fill in gaps in cyber insurance programs.

“Limits of $200 million are available for all coverage lines under cyber”  —  including data breach mitigation  —  said Parisi, adding that Marsh has placed several such programs.

“Realistically, market capacity for a single entity probably maxes out at about $300 million,” he said. Other experts note that even if the cyber insurance market becomes less competitive, using one’s captive as a reinsurer means extra charges in the form of ceding commissions and fronting costs.

* The ability to receive better policy terms through their captive. Towers Watson’s Swanke said that a lot of the cyber coverage being offered out there is on a claims-made basis, but several of his clients are able to write cyberrisk insurance using a manuscript policy occurrence form. This way, he said, they are able to build up solid reserves in their captive to use for their cyberrisk losses down the road.


Then too, there are the typical benefits of the captive strategy to consider, such as:

* The ability to avoid the volatility of commercial insurance pricing and policy term restrictions over time. Today, many coverages are relatively inexpensive but that may not always be the case.

* The ability for your captive managers to have their own say as part of their panel of cyberrisk underwriters.

* The ability to structure your insurance program more easily given that the captive can fill any gaps in coverage that could materialize over time.

“My professional opinion is that if someone has been operating a captive for many years it would be a very easy next step to add cyber coverage to that captive,” said Swanke.

Also, he observed, whereas it’s mostly large, Fortune 500 companies opting for such a strategy today, this could change pretty quickly. Small to medium-sized organizations are exposed to cyberrisks as well and will likely move towards captives as a risk financing solution.

“Anybody that is holding the personal data of individuals now knows that information is sacred,” and that it’s terrible news if that data is lost or stolen. “We are seeing a greater frequency of loss than at any time in the past,” said Swanke.

“The big advantage to having a captive is you basically control the captive and the scope of coverage,” he said.

Claim payments from a captive are also typically faster than those from commercial insurance, said the Towers Watson executive.

Do Your Homework

“Of course, like any captive arrangement, you still need a game plan and to do your homework vis a vis actuarial and legal considerations,” he added.

As for where to house a new captive focusing on cyberrisk, experts said most of the major U.S. captive domiciles are open to such arrangements. Murray pointed to two domiciles, Vermont and Montana, with experience in this area.

On this point, Murray offered a single caveat. “While there is no niche domicile, it’s always easier if your captive is not one of the first to bring this risk to a state without experience in cyber. That’s always a little more challenging,” he said.

Janet Aschkenasy is a freelance financial writer based in New York. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.


That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top.” — Steve Legg, director of risk management, Starbucks

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.


Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on. &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]