Captive Insurance Plays a Growing Role in Addressing Cyber Exposures

Editor's note: This is an excerpt from an article that originally appeared in Captive Insurance Company Reports (CICR). You can read the full article in the September 2021 issue of CICR.

With every new news report of a ransomware attack or a data breach, cyber risk grows as a concern for organizations of all types. It's also become an increasingly challenging exposure to insure. Not surprisingly, captive insurance is stepping up to address the challenge.

With cyber insurers looking to come to grips with mounting losses, rates and retentions are rising, limits are being reduced, and underwriting scrutiny is becoming more intense. In some cases, insurance buyers might find coverage for certain exposures simply isn't available.

As it has with other difficult-to-cover risks, captive insurance is being used more and more often to provide part of the cyber-risk financing solution.

"For the last 12 months, two areas of coverage have seen remarkable increases in retentions or deductibles, depending on the policy structure: [directors and officers] and cyber," said Michael Maglaras, principal of Michael Maglaras & Company. "Cyber because of what appears every day in the papers."

Ransomware attacks are one of the areas experiencing significant increases, drawing insurers' attention. In its Aon Global Market Insights Q2 2021 report, Aon noted that the frequency of ransomware attacks increased nearly 500 percent from the first quarter of 2018 to the fourth quarter of 2020. Along with the frequency have come growing costs and damages, with insured losses expected to reach $20 billion this year.

In the United States, cyber insurers are concerned about the aggregation of risk, and many are now deploying less limit, the Aon report said. While most cyber-insurance coverage towers can be renewed at expiring total limits, underwriting scrutiny is high, and supplemental applications are commonplace, according to the report. Buyer loss control and cyber-risk mitigation strategies are critical to securing coverage, Aon said. US cyber retentions are increasing, particularly in the middle market, and rate increases are significant.

As cyber risks grow and securing affordable or adequate cyber coverage in the commercial markets becomes more difficult, captive insurance is playing a growing role in organizations' cyber-insurance programs.

In a Market Segment Report last year, A.M. Best noted that cyber insurance has become a profitable coverage line for captive insurance companies and that approximately 15 percent of the US captive insurance companies it rates write cyber-insurance policies for their parents or members.

As they turn to captive insurance as part of the solution to their cyber risks, captive parents are doing so in a variety of ways.

Michael O'Malley, managing director at Strategic Risk Solutions (SRS), said his firm has a number of clients placing cyber risks in their captives. "We've a few interesting ones," Mr. O'Malley said.

One client made a strategic decision a few years ago that the commercial market's cyber-insurance forms weren't appropriate for its risks and that available limits were insufficient, he said. They decided to place a sizable cyber-risk limit in their captive above a retention. "Then they buy insurance out the back of the captive for a significant amount," Mr. O'Malley said.

Another client decided to look to captive insurance after commercial market cyber-risk premiums spiked. Their approach was to work with their insurer to take a quota share of the primary cyber-insurance layer "to take some of the premium back that was going into the market that they thought was excessive," Mr. O'Malley said.

In both cases, the captive parents took the step of putting cyber risks directly into their captives in consultation with their information technology departments.

A captive insurance company provides an added risk-financing option to organizations that realize that cyber events can have a significant bottom-line impact.

"Those phishing incidents can be somewhat material," Mr. O'Malley said. "What's happening is that these captive owners are looking at their cyber policies for breadth of coverage and deciding what's out there."

In some cases, the decision to look to captive insurance to address cyber exposures is a response to broader market conditions, with premiums increasing across a variety of lines, he said.

For one SRS client using its captive to cover cyber risk, "I think what was driving them was just that there was a decrease in capacity available and a spike in cost for several different lines," Mr. O'Malley said. "For some exposures it's a laundry list of challenging problems and cyber is just adding to it."

Mr. Maglaras sees clients taking a similar approach to using captive insurance to address cyber risks, and for similar reasons.

"There are remarkably robust increases in deductibles" for cyber insurance, he said. It's not uncommon for a company that had a $100,000 cyber insurance deductible now seeing its deductible increase to $250,000 or $500,000, Mr. Maglaras said.

"That's a meaningful possible hit to my operations in a quarter," he said, and clients are using their captive insurance to reduce that impact.

As cyber-insurance deductibles reach a point where they're more difficult for some organizations to manage, "we've seen captives funding deductibles," Mr. Maglaras said. They can use the captive insurance company's surplus to provide a deductible reimbursement program from the captive for the commercial cyber-insurance policy.

"The other thing we're seeing in 2021 is a limits decrease," Mr. Maglaras said. "We don't have any clients in our stable of clients who got a renewal in 2021 where the renewal is the same as it was last year."

In those cases, "we are seeing the use of the captive to augment, not substitute for," commercial insurance, Mr. Maglaras said. "We don't have any clients who've decided to forgo commercial cyber." Instead, some are adding excess cyber limits in the captive, he said.