Organizations Should Look to Captive Insurance in Financing Cyber Risk


April 25, 2022


Deterioration in the cyber-insurance market has made captive insurance an option organizations should include in their approaches to financing cyber risks, according to Aon.

"At their core, captives can provide short-term relief from cost pressures by reducing premium outflow while bringing longer-term program sustainability by using profits accrued to help build a more self-sufficient risk financing dynamic," Aon says in its 2022 Errors and Omissions (E&O) and Cyber Market Review (April 11, 2022).

Using captives to finance those exposures allows organizations to replace overly expensive insurer capital with organizational capital, Aon says, and lets them concentrate their risk transfer budgets on securing coverage for volatility that they might not be able to tolerate on their balance sheets.

The Aon report notes that the company's "2021 Captive Benchmarking Survey" found that cyber-insurance premiums in captives had increased 650 percent since 2018. "However, the extent of captive utilization to address the needs of organizations facing these conditions remains disproportionately lower than the extent of these challenges," the Aon report says.

According to Aon, a recent survey examining captive insurance use for cyber suggested that less than 10 percent of the company's captives under management worldwide are currently providing cyber insurance. But, the Aon report says, "The prominence and ubiquity of cyber risk suggests that captive use can only continue to gain traction."

For an organization's captive cyber-insurance strategy to have the greatest benefit, it should be based on an alignment between an organization's risk and network security functions, Aon says. "This can help drive maturity around insurance purchasing behaviors, while emphasizing risk governance and claims control," the Aon report says.

Of those captives under Aon's management that are writing cyber coverage, 55 percent are in North America while 45 percent are in the rest of the world, the Aon report says.

Of captive parents using their captives to write cyber coverage, financial institutions and healthcare organizations are most likely to do so, Aon said. Some 30 percent of Aon-managed captives covering cyber risks are based in the two industries, according to the report. "This may be intuitive given the risk profile of each segment, and the typically higher levels of risk maturity in these industries given stricter regulation and the potentially devastating consequences of a cyber attack or data breach," the report says.

The Aon report suggests that captives can be doing more to assist their parent organizations in addressing their cyber exposures. The report notes, however, that while risk financing maturity is improving, it's still at an early stage.

Only 22 percent of organizations Aon surveyed that place cyber risks in their captives use deterministic/stochastic modeling to support their cyber-risk financing strategy, the report says. Meanwhile, 38 percent rely on market benchmarking as their basis for captive cyber premium, 27 percent on broker guidance, 9 percent on management intuition, and 4 percent on qualitative analysis.

The Aon report also suggests that the range of rationales for using captive insurance to finance cyber risks fails to demonstrate a distinct cause of use, which is common in immature risk classes.

Cost efficiencies and premium reductions were the most frequently cited reason for writing cyber insurance in the captive, mentioned by 35 percent of those surveyed. Some 25 percent cited access to insurance/excess and reinsurance, 16 percent mentioned increased control of insurance programs, 11 percent identified enhanced governance and incident response, 7 percent mentioned coverage enhancements, 4 percent cited risk incubation, and 2 percent identified enhanced control of claims processes.

"The risk community continues to strive to understand the underlying risks facing organizations while educating network security departments of the potential value of insurance and the role a captive could play within this dynamic," the Aon report says. "Many of the organizations surveyed use the captive in a 'transactional' manner and in reaction to the prevailing market conditions. More generally, this correlates with a lack of maturity in insurance purchasing patterns for cyber insurance."

Aon says its analysis suggests that the longer-term dynamics of captive insurance use for cyber risks have not yet become clear.

At present, however, Aon found that two tactics are most common in the way organizations look to use their captives to address cyber risks.

  • Organizations use their captives to increase the primary cyber-insurance market attachment points. Such an approach can help shield the cyber-insurance market from lower-cost incidents that captive parents can address internally, according to Aon. This approach helps avoid negative insurance market reactions while also focusing available risk transfer capacity on risk levels more meaningful to the organization.
  • Captive insurance is used to fill gaps in excess layers to complete the layer and free up additional cyber-insurance capacity.

"These approaches also enable the group to demonstrate alignment of interest, and the higher deductibles may enable more meaningful conversations with alternative primary markets," the Aon report says. "However, although effective, these approaches are based on managing an insurance market going through a maturation process."

The Aon report notes that increased reliance on technology—along with growth in cyber attacks—makes cyber risk potentially both a high-frequency and high-severity exposure. Consequently, organizations need to take a more nuanced approach to placing cyber risks in their captives than they might with other liability classes, Aon says.

"Cyber, although no longer emerging, can still be considered in the 'incubation' phase for captives, mainly because the traditional risk management approach and the network security communities are not yet fully aligned," the Aon report concludes. "However, reframing the captive from a tactical, transactional play to something linked to the broader maturity development of risk will help accelerate this alignment."
