Cyber captives -Is it time
?Is It Time to Form a Captive?
With premium prices increasing, one might be tempted to form a captive to help manage the risk. Seasoned underwriters are having difficulty mitigating cyber risk, so it should be expected that captive management teams would face similar and familiar challenges. The overarching issue is that cyber is a sizable insurance market, and it is relatively new. There just isn’t enough good data and loss experience to properly underwrite the risk.
Cyber is, still emerging and evolving. But whether or not it’s a new insurance line, so much in cyber is conditional — it is dynamic and changing, and that is driving the number and nature of the claims that insurers are seeing.
If considering a captive, one should consider that major insurance companies, with assets far beyond the amounts held by most captives, are better able to absorb the volatility of losses in the cyber market.
Things to consider for Captive Cyber
A captive owner considering insuring cyber risk will need to make sure that they have an adequate amount of capital backing the effort, not just for year one, but for scenarios in which some years’ losses could be significantly worse than others.
If preparing a captive feasibility study, it is important that managers understand fully the kinds of limits under consideration
Some companies are being practical in exploring the captive route, given the difficulty of the commercial cyber insurance premium and underwriting environment.
Some people may not have a choice because they can’t get their commercial cyber insurance policy renewed
Others may get it renewed, but it’s triple the price which makes a captive solution more attractive
Ballooning claims
In 2017, one major cyber writer showed a trended ultimate loss and allocated loss adjustment expense (ALAE) ratio of 37.2% in its cyber insurance line. In 2020, that loss ratio had risen to 97.6%. The company had a somewhat less difficult time in 2021 but its cyber insurance loss ratio still stood at a difficult 88%.
The cyber security firm NetDiligence calculated the average cost of a breach in 2018 for companies with more than $2 billion in revenue at $2.9 million. In 2019 that average incident cost grew to $5.9 million and in 2020, stood at $10.4 million.
Looking at steadily rising premiums and steadily rising losses, “It’s similar to bailing water out of a leaky boat. The boat will continue to fill up until the hole is fixed. Assuming or thinking things may improve doesn’t necessarily make it so. That seems to be the immediate future for the cyber market.
Risk incubator
Applying captives to emerging risks, such as cyber, presents challenges and opportunities. When commercial insurance coverage for cyber risk is unavailable or prohibitively expensive, a captive can be used to build a statistical base, which can make securing excess coverage at acceptable terms and pricing easier. It can also be used for covers that might not be readily available in the market such as future lost revenue or first-party loss of inventory due to technology failure. It is also possible to arrange cover for highly correlated risks, such as cyber and reputation, which may not be packaged in the commercial market.
It is possible to use the captive as a ‘risk incubator’ for cyber threats by using the intelligence gained as a way to understand the exposure better and make more informed decisions about how to manage and finance the risk.
Captives are starting to play a role insuring cyber risk. For now, the process is gradual as cyber is a relatively new and evolving exposure for many captive owners. But as the market matures and captive owners improve their understanding of the risk, pricing becomes more predictable. As such, this is likely to drive even more interest among captive owners in addressing cyber risk through their captives.