With Cyber Insurance Premiums Bursting at the Seams, Can Captives Provide a Rational Risk Mitigation Reality?

A report from Aon examines how increased cyber attacks are affecting cyber and E&O lines.
May 8, 2022

Employees working from home, supply chain-related attacks, and ransomware incidents continue to be threats that can lead to costly business disruptions.  

These threats should spur organizations to look for ways to better protect themselves, including improving their cyber security protections, working collaboratively with brokers to craft appropriate insurance price, terms and coverage and, for large organizations, creating captives.

Those are a few of the findings of Aon’s 2022 Errors & Omissions and Cyber Market Review, which highlights strategies to manage risk exposure in the volatile and hardening insurance marketplace, and offers recommendations for clients to consider to better control costs.  

“As we work to prepare our clients for increased volatility and intensified cyber risks, we encourage decision-makers to develop and maintain a long-term vision,” said Christian Hoffman, Global Cyber leader at Aon.

“It’s important that business leaders align their cyber insurance program strategy with their continued cyber maturity efforts so they can make better decisions today and in the future.”  

“We believe it’s important to be transparent with our clients and the broader insurance marketplace, with respect to trends Aon is seeing across the risk areas that clients and insurers share concern for, and what’s happening to E&O and Cyber insurance as products, and from a claims activity perspective,” added Brent Rieth, U.S. Practice Leader, E&O/Cyber Broking at Aon.  

The Report at a Glance

As it prepared the report, Aon found the number of cyber attacks on organizations ticked slightly downward last year, but that didn’t compensate for the dramatic increases that had been reported starting in about 2018.  

Aon reports that ransomware attacks on corporations were up by 323% from the first quarter of 2019 to the fourth quarter of 2021. It also saw an average of two new errors and omissions (E&O) and cyber matters per day in 2021, and found that eight-figure losses due to business interruptions were commonplace and that the average business interruption lasted 22 days in the third quarter of 2021.

Not surprisingly, those threats are associated with price increases for coverage, which surged particularly in the second half of 2021.

Aon reports that in December 2021, E&O and cyber monthly pricing increased by 137.3% year-over-year. And E&O and cyber insurance placement often required a much more involved underwriting process.

In addition, Hoffman said there was an uptick in the fourth quarter of 2021 in the number of clients reducing overall limit, due to either market capacity limitations or the increased cost of insurance. 

How Increased Attacks Are Affecting Insurers and Insureds 

Increases in threats have had numerous other impacts for both insurers and insureds.

For instance, the threat increase prompted insurers to review their overall exposure to systemic, aggregated and correlated risks related to the supply chain in recent months.  

It also prompted several insurers to review the breadth of coverage afforded for business interruption losses, with a focus on limiting their financial exposure to a systemic event by reconsidering waiting periods and restricting aggregate limit exposure, the report found.  

The report states that 60% to 70% of clients renewing in the fourth quarter of 2021 saw an increase in retention. Retention increases were exponentially more common in the middle market segment and Aon expects continued pressure from the market to increase retention levels.  

To keep their companies protected, Hoffman said businesses “need to establish a game plan. They need to make sure their companies are investing in cyber security controls. Not only does it make them more mature from a cyber security perspective, but it will have a direct impact on how the market perceives them and ultimately will affect insurance programs, pricing, coverage and terms.”  

Can Captives Provide A Measure of Relief? 

Another tactic, especially for large businesses to consider, is establishing a captive, which is a wholly-owned subsidiary created to provide insurance to its non-insurance parent company.  

The report found that captives should be considered by organizations examining their cyber/E&O risk financing approach.

“At their core, captives can provide short-term relief from cost pressures by reducing premium outflow while bringing longer-term sustainability by using profits accrued to help build a more self-sufficient financing dynamic,” the report states.  

Another strategy that Hoffman recommends businesses follow is to begin their renewal process early. He said renewals in the cyber security arena used to begin about 60 to 90 days out, but that has increased to about 150 days out currently.  

“Really, it is a 365-day-a-year process now,” he said, noting that maintaining, updating and improving cyber controls throughout a company should be ongoing.

Anticipating Underwriters’ Questions

Hoffman said businesses should work with their brokers to anticipate underwriters’ questions about what a company is doing to protect itself from ransomware, software incursions and other threats.  

“Part of the dialogue with underwriters will be, ‘What is the control environment for the network today? How are you continuing to enhance it moving forward to becoming more mature? What does that roadmap look like (for making improvements)?’  And then, throughout the year, or at the next renewal, have you executed on that roadmap and what’s up next? The dialogue is constant.”  

Aon also finds that some industries and organizations are more prone to risk. These tend to be industries with decentralized security strategies and those that have heavy merger and acquisition growth strategies.   

“When an organization is decentralized you could have various subsidiaries or other parts of the organization that are not adhering to robust protocols and controls that are rolled out by the parent entity,” Hoffman said. “Organizations need to make sure that what is rolled out moves throughout an organization.”  

Companies involved in M&A activity have a similar risk.  

“When a company is making an acquisition they only get a certain amount of information as it relates to that target, specific to cyber security. They may not uncover everything or know everything in terms of what the risk is,” Hoffman said.

Looking forward, Hoffman does not expect pressure from insurers to increase this year.  

“The bar hasn’t been raised further in 2022,” he said. “Maybe there are some minor changes or incremental changes in what the insurers are looking for in terms of data information, but it’s not a wholesale change like it was in 2021.”  

Nonetheless, he encourages businesses to use data to better understand and strategize their needs.  

“More companies are relying on a certain level of data,” he said. “They are starting to do a bit of deeper dive, working through their own unique scenarios for their organization and then applying those scenarios into a quantitative model to determine their maximum (level of coverage) and then, based on the cyber control environment they have, can determine what a probable financial outcome is.”

Hoffman does not expect premium increases to be as dramatic in 2022 as they were in 2021.  

“We see the first half of 2022 as having similar challenges as we saw in 2021, and stabilization in prices coming in the back half of 2022,” he said. “We still think price increases will occur, but not in the magnitude that we’ve seen over the last year.”

Annemarie Mannion is a freelance writer.
