The role of captives in cyber risk

Cyber liability is an issue no organisation can afford to ignore and now is the time to be thinking about whether risk transfer, retention or a combination of both is the right solution for the risks a business faces.

Cyber is no longer an emerging risk. It is a risk that is already seeing losses – AIG saw as many claims notifications in 2017 as in the previous four years combined, receiving the equivalent of one claim per working day. AIG’s claims statistics show that more than a quarter of cyber claims (26%) received in 2017 had ransomware as the primary cause of loss, followed by data breach by hackers (12%).

Currently, when most think of cyber policies, it is about financial losses, fines and penalties, liabilities and loss of income, but looking ahead there are likely to be other ramifications such as property damage or bodily injury.

Captive participation

Given some of the confusion in the insurance market and the complexity of the risks, the benefits of retaining those risks via a captive and thereby gaining a better understanding of the losses and expenses, having greater risk oversight, and potentially reducing the overall cost of risk may be very appealing. A captive can be a useful tool to retain risk within the burn layer and to also assume broader cover not available in the traditional risk transfer market.

There are benefits to a captive’s involvement, particularly when an insurance carrier fronts and shares the risk with the captive. For example, the fronting carrier may not wish to offer net capacity on a primary basis for certain risks (or industry sectors) for which the company is seeking protection. In this case, the captive could bear the primary layer of risk, thereby providing a solution that may not otherwise be available in the traditional market — or is available, but at terms that may not be viable for an insured.

Including new lines such as cyber also helps to provide greater diversity and stability for a captive. Under the provisions of Solvency II, there is an incentive for a captive owner to diversify its portfolio of exposures. Insuring cyber in the captive in addition to property and casualty creates an additional risk diversification, which may support the captive’s capital requirements because the additional line is not correlated to the other business. This may have the impact of reducing the overall levels of capital that the captive needs to hold in order to maintain the minimum solvency level.

Determining how best to utilise a captive depends on the sector and the requirements of the insured; for example its exposures, where coverage is required (and available), and contractual obligations. There is no one right way of structuring the risk sharing when the risk is being fronted and then reinsured to a captive. Ultimately though, the deal needs to make sense to both parties. A captive may provide the primary layer of insurance but equally, it could also provide excess of loss, or quota share coverage depending on the market capacity restrictions applicable at the time.

“It is possible to use the captive as a ‘risk incubator’ for cyber threats by using the intelligence gained as a way to understand exposure and make informed descisions"

Nuno Antunes

Risk incubator

Applying captives to emerging risks, such as cyber, presents challenges and opportunities. When commercial insurance coverage for cyber risk is unavailable or prohibitively expensive, a captive can be used to build a statistical base, which can make securing excess coverage at acceptable terms and pricing easier. It can also be used for covers that might not be readily available in the market such as future lost revenue or first-party loss of inventory due to technology failure. It is also possible to arrange cover for highly correlated risks, such as cyber and reputation, which may not be packaged in the commercial market.

It is possible to use the captive as a ‘risk incubator’ for cyber threats by using the intelligence gained as a way to understand the exposure better and make more informed decisions about how to manage and finance the risk.

Captives are starting to play a role insuring cyber risk. For now, the process is gradual as cyber is a relatively new and evolving exposure for many captive owners. But as the market matures and captive owners improve their understanding of the risk, pricing becomes more predictable. As such, this is likely to drive even more interest among captive owners in addressing cyber risk through their captives.

The growth in the cyber insurance market is an opportunity for multinational clients, their brokers and carriers. What was once considered to be limited to a few markets covering risks non-admitted on a global basis, is now at a stage where locally admitted coverage is more widely available in many countries around the world. The benefits to a business of insuring its cyber risks on a controlled master policy basis with locally admitted policies covering their overseas subsidiaries, ensures compliance with local requirements and claim handling incountry, for example. Selecting a carrier with an extensive worldwide footprint is therefore an important consideration for clients and brokers.

This article first appeared in Commercial Risk Europe's Captive Survey 2018.