The Cyber Talent Crunch Impacts Us All

By: Michelle Chia | June 20, 2025

Michelle Chia has two decades of cyber, technology, and professional liability insurance experience. She spent the past ten years building teams that experienced triple digit growth while optimizing operational efficiency, developing innovative and customer centric products and services, and engaging in public private partnership to advise on policy and to build resilience. Prior to joining AXA XL as the Chief Underwriting Officer for Cyber, Design and Select Professionals in the Americas, Michelle was the Head of Professional Liability and Cyber at Zurich North America, which became a top ten cyber insurance carrier. Michelle graduated Tufts University with a Bachelor of Arts in Economics and a Bachelor of Arts in Child Development. She also received her Master of Business Administration at The Wharton School of the University of Pennsylvania.

In cybersecurity, there’s no shortage of threats. In fact, according to the Honeywell 2025 Cyber Threat Report, ransomware attacks jumped by 46 percent in the first quarter of 2025. That’s troubling. But what’s even more concerning is the alarming shortage of people capable of preventing these attacks.

The global cyber talent crunch and its impact should concern us all. It is reshaping the way cyber insurers need to operate, exposing businesses to greater risks, and creating vulnerabilities that bad actors are all too ready to exploit.

Demand outpacing supply

The global cybersecurity workforce gap stood at over 4 million professionals as of 2024, says the 2024 ISC Cybersecurity Workforce Study. Despite efforts to boost training, reskilling, and automation, demand continues to outpace supply.

According to the World Economic Forum’s Global Cybersecurity Outlook 2025, the cyber skills gap has already increased by 8% since 2024. Two out of three organizations report moderate-to-critical skills gaps, including a lack of essential talent and skills to meet their security requirements. Only 14% of organizations are confident that they have the people and skills they need today.

Volume isn’t the only problem. It is also the lack of expertise. Cybersecurity is evolving so rapidly that traditional career pipelines can’t keep up. AI, cloud infrastructure, ransomware-as-a-service, supply chain attacks all demand highly specialized skill sets that most professionals simply don’t have yet or can develop quickly. Meanwhile, the attack surface for cyber criminals is growing with every new device, platform, and remote worker added to the network.

The result is a strained, under-resourced cybersecurity workforce. That puts pressure on insurers, who rely on accurate data and resilient security infrastructure to underwrite risk. It also puts pressure on our clients who may struggle to recruit the expertise needed to build a strong cyber risk posture.

How it’s impacting cyber insurers

Effective cyber underwriting depends on understanding a client’s cyber hygiene, infrastructure, and threat exposure. Without enough skilled professionals to gather and interpret that data, many insurers could be flying blind. Inconsistent risk assessments and outdated models are leading to mispriced policies and unexpected losses.

The landscape of cyber threats is continually evolving, and insurers are recognizing the need to stay ahead of these trends. A low-risk six months ago might now be a hot target. While it may be challenging to find experienced cyber underwriters, risk consultants, and claims specialists, this also presents an opportunity to develop talent through training programs and partnerships with educational institutions. AXA XL, for example, formed the Cyber Academy to help its underwriters keep pace with changes in the cyber landscape. Through the Cyber Academy, underwriters can pursue continuing education and industry credentials like their Certified Cyber Insurance Specialist (CCIS) accreditation.

When breaches occur, insurers are committed to supporting their clients through incident response. As cyber claims become more complex, the need for specialized talent within claims departments is growing. Insurers are aware of this and are focusing on recruiting and training professionals with the necessary technical fluency. This strategic investment can lead to more efficient claims resolution and enhance customer satisfaction. Many insurers are also exploring collaborations with external experts and investing in tools that can streamline response efforts to reduce response times and manage costs effectively.

Ultimately, while the cyber talent crunch presents challenges, it also encourages innovation and collaboration within the insurance sector. By embracing these opportunities, insurers can better support their clients and navigate the evolving cyber landscape.

Our clients are feeling the heat too

The impact on businesses, our clients, is just as serious—if not more so. Many organizations may struggle to allocate the budget or establish the brand presence needed to attract top cybersecurity talent, which can leave them exposed to potential vulnerabilities including:

Increased Risk Exposure: Without in-house cyber experts, businesses are often unaware of their true risk exposure. They may be running outdated systems, missing patches, or leaving critical data unprotected, leaving lots of open opportunities for cybercriminals.
Trouble meeting insurance requirements: Insurers, recognizing this increased exposure, are tightening underwriting requirements or raising premiums—especially for companies that can’t demonstrate strong cyber hygiene. Some businesses are even being denied coverage entirely.
Compliance Pressure: Regulatory requirements are mounting. From GDPR to CCPA to sector-specific rules, compliance is non-negotiable. But compliance isn’t plug-and-play. It requires continuous monitoring, risk assessment, and documentation. Without experienced cyber pros, companies struggle to stay compliant, opening the door to fines and penalties.
Dependence on Third-Party Vendors: To fill the gap, many businesses outsource cybersecurity functions. This can be effective, but it creates its own risks. Relying on third parties increases supply chain vulnerabilities and makes it harder to respond quickly to incidents. Plus, the same talent crunch means vendors themselves may be stretched too thin to provide high-quality, timely support.

What can be done?

While there’s no quick fix for the challenges posed by the cybersecurity talent crunch, there are several promising paths forward for both insurers and their clients.

Insurers and businesses alike should prioritize investments in internships, apprenticeships, and internal training programs to cultivate the next generation of cybersecurity professionals. We also need to rethink hiring criteria, placing greater value on aptitude and adaptability rather than strictly adhering to traditional credentials like college degrees.

Public-private partnerships can play a bigger role in addressing the talent gap. Collaboration between governments and industry groups can help establish broader cyber training pipelines that begin as early as high school. By fostering interest in cybersecurity careers from a young age, we can build a more robust workforce ready to tackle these evolving challenges.

Automation and artificial intelligence (AI) will have a role to play too. While these technologies won’t replace cybersecurity professionals, they can enhance their capabilities, allowing them to achieve more with fewer resources. Areas such as threat detection, risk scoring, and incident triage are well-suited for automation, which can free up human talent to focus on more strategic and complex tasks.

Insurers should particularly embrace AI-powered underwriting tools and risk analytics to mitigate their reliance on scarce talent. This approach not only streamlines processes but also enhances the accuracy of risk assessments for our clients.

Final thoughts

While the journey ahead may be challenging, a strategic focus on education, collaboration, and technology can pave the way for a more secure future in cybersecurity for both insurers and their clients.

The cyber talent crunch isn’t just a staffing issue—it’s a systemic risk multiplier. It’s distorting underwriting, delaying incident response, and making it harder for businesses to protect themselves.

Addressing the talent gap requires a collective effort—training new professionals, investing in smarter tools, and rethinking the way we approach cybersecurity. Until we do, every business is playing defense with a shrinking bench. And that’s a game none of us can afford to lose. &

Navigating the Changing Landscape of 831(b) Micro-Captives: How Recent Regulations are Reshaping Risk Strategies

As IRS scrutiny intensifies and new reporting requirements emerge, organizations utilizing micro-captive insurance companies face critical decisions about their risk management approaches. Understanding the evolving regulatory environment has become essential for captive owners seeking to maintain compliance while maximizing benefits.

By: Pinnacle Actuarial Resources, Inc. | July 1, 2025

The origins of the 831(b) election reveal much about both its intended purpose and the subsequent scrutiny it has faced. Created as part of the 1986 tax reform act under President Reagan, the provision wasn’t originally designed for captive insurance companies at all.

“The original legislative intent was for small, farm mutual insurance companies,” said Rob Walling, FCAS, MAAA, CERA, Principal and Consulting Actuary at Pinnacle Actuarial Resources. “Farmers and others in rural areas were having trouble getting insurance coverage as there simply wasn’t a market in the traditional insurance sector.”

These small mutual insurers, often operating at the county level, struggled to acquire sufficient capital to pay claims when disasters struck. The 831(b) election was designed to allow these entities to build up retained earnings on a tax-deferred basis, ensuring they could remain solvent when facing severe weather events like tornadoes or hail.

The captive insurance industry, always seeking innovative solutions to risk financing challenges, recognized that 831(b) could benefit captives meeting the requirements of the Code. The fundamental concept remained consistent: building up retained earnings on a tax-deferred basis to prepare for severe claims, whether from supply chain disruptions or myriad other difficult to manage risks.

However, this evolution has consistently drawn IRS attention and skepticism. Walling explained the reasons behind this scrutiny: “The IRS has disliked captive insurance companies generally, but particularly 831(b) captives making an 831(b) election from the beginning. In my personal opinion, this originates from the multiple ways some of these micro-captives were deferring or avoiding taxes.”

This provision in the Code creates what some view as a double tax advantage. Operating companies can deduct premiums paid to their captives as ordinary business expenses. Then, by making the 831(b) election, the captive can defer taxes on underwriting income. In some cases, companies further extended tax benefits by using captive proceeds to purchase life insurance policies or structuring ownership through generational family trusts.

“In the bad old days, some promoters had websites where ‘tax’ appeared in 72-point font while ‘insurance’ was relegated to 8-point font,” Walling noted. “The IRS targeting these promoters has caused some programs to shut down and others to completely redesign.”

The tension between tax planning and legitimate risk management continues to define regulatory approaches to these structures. While many captive insurance companies serve genuine risk management purposes, the IRS remains vigilant about the minority of those that are motivated by tax considerations.

New Regulatory Requirements and Industry Response

The introduction of new reporting requirements for insurance companies making an 831(b) election has created significant ripples across the captive insurance landscape. These regulations, which went into effect in January, have prompted organizations to reconsider their risk financing strategies and captive insurance companies.

Walling identifies three distinct ways the industry is responding to increased regulatory scrutiny. “The ‘fighters’ are continuing to challenge the IRS position,” he said. “There’s significant activity happening, especially with the political changes in Washington that might offer some hope.”

These challenges are taking various forms, including legislative actions aimed at reining in the IRS and judicial proceedings in different venues. Recent court decisions, like Ankner’s victory in U.S. District Court, may have diminished some of the IRS’s momentum regarding promoter cases.

A second group, which Walling calls those who are ‘fleeing,’ has chosen to exit the 831(b) space entirely. “They’ve concluded that the benefits of an 831(b) simply aren’t worth the cost, potential regulatory overhead, or audit scrutiny,” he explained. “We’re seeing a number of captive owners leave the captive insurance marketplace entirely to pursue other forms of insurance, or more commonly, shutting down their 831(b) captive to explore alternative risk financing strategies.”

The third and perhaps most interesting category includes the “adapters,” who are finding ways to evolve their approach while maintaining captive insurance companies. Some are converting from 831(b) to 831(a) entities, which removes the premium cap limitations while preserving many benefits.

“They can write more premium, offer more coverage types, write coverages that don’t fit typical micro-captive models, provide higher limits, and write occurrence forms instead of claims-made forms for certain liability coverages,” Walling said.

This conversion process often becomes an opportunity for expansion rather than merely a regulatory response. “Many organizations realize they don’t need separate group captives, medical stop-loss captives, and enterprise risk captives,” noted Walling. “They can consolidate their risk financing into fewer captive insurance companies, creating operational efficiencies.”

Other adapters are choosing to remain within the 831(b) framework while modifying their approaches to meet reporting requirements. They’re working to increase loss ratios and exploring different risk distribution methods beyond traditional risk pools.

This evolution reflects the micro-captive industry’s historical adaptability and innovation. “The industry constantly learns from tax court cases, regulatory oversight, and various other inputs to improve programs,” Walling said. “As I observe managers active in the micro-captive space, I see constant growth and evolution. Their programs rarely remain static as they develop new coverages, new risk distribution approaches, and methods to incorporate additional unrelated risk.”

For a deeper examination of these approaches, readers can visit Pinnacle’s detailed analysis at Fight, Flight, or Adapt: Approaches to New Micro-Captive Regulations.

The Critical Role of Actuarial Expertise

Rob Walling, FCAS, MAAA, CERA, Principal and Consulting Actuary, Pinnacle Actuarial Resources

As organizations navigate this complex regulatory terrain, specialized actuarial expertise has become increasingly valuable. It is important to identify innovative and experienced actuaries that bring unique insights into helping captive owners make informed decisions about their risk financing structures.

“As an actuary with experience as an expert witness in tax court, I have a backstage seat to what’s happening between the industry and the IRS,” Walling explained. “This provides me with firsthand knowledge of what IRS attorneys and tax court judges care about.”

This perspective proves invaluable when helping clients determine whether to fight IRS challenges, convert to different structures, or pursue alternative risk financing approaches. Pinnacle assists organizations in triaging cases to determine whether they should proceed to tax court or reconsider their approach if problematic factors exist.

For many clients, the decision between remaining an 831(b) captive insurance company or converting to an 831(a) entity represents a critical strategic choice. While the premium-setting process doesn’t fundamentally change between these structures, the conversion creates opportunities to reconsider and optimize risk portfolios.

“I’ll give you an example,” Walling said. “I work for a very large home builder in the Southeast who intentionally limited the number of coverages in their 831(b) insurance company to stay within the premium threshold while maintaining massive self-insured exposures. Converting from a B to an A entity, without being subject to that premium maximum anymore, allowed them to bring a significant amount of coverage into the captive that they previously had to exclude.”

Understanding the nuanced differences between these structures requires specialized knowledge. For instance, while 831(b) entities don’t pay taxes on underwriting income, they also can’t deduct underwriting losses. Conversely, 831(a) entities pay taxes on gains but can deduct losses.

“One of the things that people don’t talk about much regarding 831(b) insurance companies is that in a scenario where they paid a million dollars in premium and had a $1,500,000 loss, they don’t get to deduct that half million-dollar loss,” Walling noted. “Whereas an 831(a) entity gets to take an additional deduction for the loss at the captive level.”

Actuaries like Walling bring value through their understanding of the insurance fundamentals that must remain consistent regardless of tax election. “Both 831(b)s and 831(a)s are insurance companies, first and foremost,” he emphasized. “The issues of risk transfer, risk distribution, insurability of coverages, and operating like an insurance company in the generally accepted sense for a company of that size remain unchanged between the two.”

Perhaps most importantly, experienced actuaries help organizations focus on the fundamental purpose of captive insurance: managing risk effectively. “There’s tremendous value in really listening to and understanding the insured operating company, their risks, and the concerns that keep them up at night—whether they’re currently insuring against those risks or not,” Walling said.

In an environment of regulatory uncertainty, this focus on risk management fundamentals provides a solid foundation for captive insurance companies that can withstand scrutiny while delivering genuine value to their parent organizations.

“When navigating moments of regulatory turbulence, it’s crucial to have service providers who truly know what they’re doing,” Walling advised. “It’s really important to have captive managers, auditors, captive attorneys, and actuaries who don’t just have experience, but possess genuine expertise.”

To learn more, visit https://www.pinnacleactuaries.com/.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Pinnacle Actuarial Resources, Inc. The editorial staff of Risk & Insurance had no role in its preparation.

A full-service actuarial firm, Pinnacle provides your business with data-driven research backed by clear communication. Our expert Consultants work with you to look beyond today’s numbers in planning for tomorrow.