Captives Seen As Cyber Option
At a time of heightened concern about data breaches and other cyber exposures, a small number of risk specialists are using captives for cyberrisks, while others are still weighing the pros and cons of the cyber-captive alternative.
“I’ve worked with four different companies on captives in this area,” said Jim Swanke, director of risk consulting for Towers Watson.
One of Swanke’s clients set up a captive specifically to address cyber-related liabilities, while two others used existing captives that were covering multiple coverage lines and added cyberrisk. The fourth company added cyber exposures to a captive with a single coverage line, Swanke said.
Swanke is based in Minneapolis and focuses on financial and strategic planning issues including captive insurance company design.
Some are going the captive route to secure coverage through manuscript policy language that is broader than what they can purchase in the commercial market. An example of this is occurrence-based coverage wording.
Because occurrence-based coverage applies to incidents that occur during the policy period, there is generally a longer time horizon for claim reporting and payment, allowing for a build-up of captive reserves.
Some companies would simply prefer to retain the premium dollars for this relatively new coverage area in a captive rather than pay a commercial insurer. Utilizing the captive to access the reinsurance market may also be attractive, Swanke said.
That said, these strategies are more the exception than the rule right now.
One challenge: Cyberrisk is a high-severity, low frequency risk that does not easily lend itself to a captive solution.
“Captives do better with more predictable high-frequency, low-severity risk resulting in a large probable number of claims” requiring lower capitalization rates, observed James Murray, director of Aon’s Captive and Insurance Management operation in Burlington, Vt.
Standard Market Remains Competitive
The market for cyber coverages is very competitive at the moment, if one includes the participation of excess and surplus line companies like Markel, which is charging a minimum premium of just $1,500 for $1 million in insurance limits for its own data breach claims-made policy.
Specialty underwriter Hiscox, meanwhile, is calling for a minimum premium of even less — just $999 for lower-hazard types of coverages written for smaller companies, according to Matt Donovan, assistant vice president and underwriting leader of Technology and Privacy at Hiscox in Atlanta.
The Hiscox program is also claims-made, and would normally include data breach mitigation coverage. This sort of coverage is among the most-used part of the cyber policy these days. There are rules in 46 states that require companies to notify individuals when there is a data breach putting private personal information at risk.
Both Markel and Hiscox offer maximum limits of $10 million in such cases.
Still, given the enormity of the risks in question and the costs at stake, Murray acknowledged that a large number of risk managers are talking with their brokers about whether the captive approach makes sense for them in today’s cyberspace, even if only a small number are using a captive for the risk at this point.
It seems like everyone is looking at all possible options when it comes to cyberrisk.
“Almost every client I’ve seen is continuing to reevaluate how it handles cyberrisk, and by that I mean privacy risks including health care data and credit card information,” said Bob Parisi, Network Security and Privacy practice leader at Marsh in New York.
Parisi said the decision to insure one’s cyberrisk exposures using a captive comes when the client is an aggressive user of captives already, where the risk manager is with a large company and has a sophisticated view of risk and where — in some cases at least — the company’s professional liability is uninsurable in the commercial marketplace because they’re in a heavily litigious area.
Watch for New Email Threats
From a data security perspective, the health care industry is among the most highly exposed businesses given the wealth of patient information it holds. This past May, Andi Baritchi, managing principal of Security Consulting at Verizon Business, spoke at a health care conference and suggested that 2013 will be marked by the prevalence of malicious emails.
Baritchi estimated that one in five emails contain malware and that of the billions of spam emails sent each day, 92 percent of them have potentially malicious web links. Baritchi made his comments to the Huffington Post.
“Traditional anti-virus and firewall defenses can no longer be trusted to prevent these web-borne threats,” he said to that news outlet.
Of course, now, it’s not only health and technology companies that are at risk. Currently, everyone from lawyers and accountants to medical professionals to educational institutions may find reasons to consider the purchase of cyberrisk insurance either commercially or via a self-insured option like a captive. Exposures exist even for retailers like gas stations and supermarkets.
Risk experts considering the use of a captive to insure their first-party property and third-party cyberliability risks might want to consider the following goals and advantages:
* The ability to “buy down” one’s deductible or serve as a cyberrisk reinsurer. Aon’s Murray said he has a client using its captive insurer to cover a high deductible, in order to get better pricing for that part of its coverage package.
Marsh’s Parisi said that where insurers are participating in a large “cyber tower,” he has seen a few fronting arrangements where the captive acts as a reinsurer — though with the market as soft as it is now, that usually is not required to fill in gaps in cyber insurance programs.
“Limits of $200 million are available for all coverage lines under cyber” — including data breach mitigation — said Parisi, adding that Marsh has placed several such programs.
“Realistically, market capacity for a single entity probably maxes out at about $300 million,” he said. Other experts note that even if the cyber insurance market becomes less competitive, using one’s captive as a reinsurer means extra charges in the form of ceding commissions and fronting costs.
* The ability to receive better policy terms through their captive. Towers Watson’s Swanke said that a lot of the cyber coverage being offered out there is on a claims-made basis, but several of his clients are able to write cyberrisk insurance using a manuscript policy occurrence form. This way, he said, they are able to build up solid reserves in their captive to use for their cyberrisk losses down the road.
Then too, there are the typical benefits of the captive strategy to consider, such as:
* The ability to avoid the volatility of commercial insurance pricing and policy term restrictions over time. Today, many coverages are relatively inexpensive but that may not always be the case.
* The ability for your captive managers to have their own say as part of their panel of cyberrisk underwriters.
* The ability to structure your insurance program more easily given that the captive can fill any gaps in coverage that could materialize over time.
“My professional opinion is that if someone has been operating a captive for many years it would be a very easy next step to add cyber coverage to that captive,” said Swanke.
Also, he observed, whereas it’s mostly large, Fortune 500 companies opting for such a strategy today, this could change pretty quickly. Small to medium-sized organizations are exposed to cyberrisks as well and will likely move towards captives as a risk financing solution.
“Anybody that is holding the personal data of individuals now knows that information is sacred,” and that it’s terrible news if that data is lost or stolen. “We are seeing a greater frequency of loss than at any time in the past,” said Swanke.
“The big advantage to having a captive is you basically control the captive and the scope of coverage,” he said.
Claim payments from a captive are also typically faster than those from commercial insurance, said the Towers Watson executive.
Do Your Homework
“Of course, like any captive arrangement, you still need a game plan and to do your homework vis a vis actuarial and legal considerations,” he added.
As for where to house a new captive focusing on cyberrisk, experts said most of the major U.S. captive domiciles are open to such arrangements. Murray pointed to two domiciles, Vermont and Montana, with experience in this area.
On this point, Murray offered a single caveat. “While there is no niche domicile, it’s always easier if your captive is not one of the first to bring this risk to a state without experience in cyber. That’s always a little more challenging,” he said.