As Cyber Risks Grow, So Do Captive Insurance Cyber-Risk Premiums

The cyber risks confronting organizations continue to grow, and, as they do, captive insurance companies are playing an increasing role in managing cyber exposures.

The COVID-19 pandemic has increased cyber risks for many organizations as employees are forced to work remotely, making the need to address the exposure even more critical.

A recent Market Segment Report from A.M. Best examining trends in the universe of Best-rated captives noted that cyber risk has become a profitable line of coverage for captive insurance companies.

Cyber risk is one of the fastest-growing lines for captives and is generating "exceptional results" for the alternative risk transfer vehicles, Best said in its report titled Commercial Market Dislocation Could Provide New Opportunities for Captives To Fill the Void.

Best said that approximately 15 percent of the US captive insurance companies it rates write cyber-insurance policies for their parents or members. Captive insurance companies generated $18.2 million in premium through both stand-alone and packaged policies in 2019, a 5.7 percent increase from 2018, according to data from the National Association of Insurance Commissioners (NAIC).

The premium figure might be higher still when considering captives that don't file NAIC statements, Best said.

Captive insurance companies that filed with the NAIC reported 77,719 cyber-risk policies in force in 2019, according to Best's report, with nearly $2.0 million in direct paid cyber losses during the year and a direct paid loss ratio of 11.4 percent for the year.

In a recent Best webinar, Michael Serricchio, managing director at Marsh Captive Solutions, said Marsh has seen a 95 percent increase in cyber insurance being written in Marsh captives over the past 5 years.

"Companies are putting cyber in," he said. "They're doing it in a very smart way." One attraction is that cyber-liability insurance policies are included under the Terrorism Risk Insurance Act (TRIA), Mr. Serricchio said. In addition, cyber risk can diversify large captives' portfolios of risk. "So, it's a nice portfolio effect," he said.

The Best report cited the COVID-19 pandemic's impact on cyber risks, noting that the large-scale shift to remote working in response to shutdowns and social distancing imposed to reduce the pandemic's spread has increased the risk of cyber attacks against all manner of organizations.

In addition, Best pointed to the possibility of political and diplomatic tensions with rogue nation states potentially increasing cyber-risk exposures.

"Companies and institutions need to be almost hyper-aware of this threat and devise effective methods and measures to prevent or mitigate it," the Best report said. "Among those methods and measures are affirmative and stand-alone policies with clear and definitive language, as well as coverage and exclusions/inclusions that are detailed and clearly defined, to minimize or avoid disputes and litigations when a claim is presented."

Given the mounting risks, the Best report suggests that cyber-insurance coverage will continue to grow in captive insurance companies.

During the recent Best webinar, Fred Eslami, associate director at A.M. Best, acknowledged that 2019's cyber-insurance premium growth in Best-rated captives was lower than in 2018, when cyber-risk premiums in captives grew 15.9 percent from the prior year.

But he suggested that the slowdown in the growth of cyber coverage in captives is likely attributable to the fact that cyber coverage was cheaper in the commercial market than what the captive would charge and that writing cyber coverage requires significant expertise.

"They're including cyber in their captives very prudently, and they're not rushing," Mr. Eslami said. "We have seen some of our group captives that specifically want to have this line of coverage so they can provide a menu to their members."

There's other evidence of organizations increasingly looking to captive insurance companies as they try to address their cyber-risk exposures. The Bermuda Monetary Authority (BMA) reported that cyber-risk premiums written in Bermuda-domiciled captive insurance companies grew 53.6 percent in 2019.

According to the BMA, the 2019 activity included $61 million in gross written cyber-risk premiums in captives and net captive premiums of $31 million. Of those captive cyber-risk premiums, 56 percent were on a direct basis and 44 percent were written as reinsurance.

Aon's 2019 Cyber Captive Survey found dramatic growth in cyber-risk coverage in captives. According to Aon, gross written premiums in captives increased 263 percent over the prior year, with health care and energy the most active industries.

Among the reasons cited most often by survey respondents for placing cyber coverage in captives were greater control of the insurance program and achieving cost efficiencies.

The Aon survey found, however, that while the growth of cyber-insurance premiums in captives outpaced that in the traditional cyber-insurance market, which experienced 50 percent growth over the same period, the increase in the number of captive insurance companies remained relatively low in comparison to the number of companies purchasing cyber coverage from traditional markets.

But the Aon report estimated that the number of captive insurance companies writing cyber coverage could grow by 34 percent by 2024, with the high-end possibility of global cyber-risk premiums written in captives reaching $2.9 billion, approximately 20 to 22 percent of total cyber-insurance premium spending.

As cyber risks grow, and organizations get a better understanding of the extent of their exposures and the need to protect against them, it appears the role of captive insurance in addressing the exposure will continue to grow as well.