Captives have attracted interest as a method of alternative risk transfer for businesses facing cyber-liability issues, offering a way to track data for the developing exposure and tailor coverage to an organization’s specific needs.
But growth in this area has been mostly talk and little action.
In Vermont, the nation’s largest captive domicile, at least 18 of the 590 licensed captives are writing separate cyber risk policies, according to David Provost, deputy commissioner of captive insurance for the Vermont Department of Financial Regulation. He estimated many more insure against cyber exposures via endorsements to general liability policies, but the state does not track that information.
“Among those companies that have specific cyber policies, it’s clear that they are companies with large amounts of client data: hospitals, churches, retailers are conspicuous on the list,” Provost said.
A recent report from Aon indicated captive directors have seen interest in cyber coverage through captives rise by 7 percent in 2013, outstripping directors and officer liability, employee benefits, employment practices liability and credit/trade insurance. Captive directors noted, “Lack of appropriate cover in the commercial marketplace is driving clients to manuscript captive policies.”
The survey also found cyber risks may be underestimated by companies, despite frequent heavily publicized data breaches.
“The legal exposure, reputational harm and business interruptions from cyber attacks could wreak havoc on a company’s bottom line,” said Aon in a report.
ALSO READ: Captive directors say cyber risks are underrated
According to Anne Corona, managing director with Aon Risk Solutions’ financial services group, the costs, legal and tax requirements of setting up a captive purely for cyber risks may be prohibitive. Captives tend to be a long-term strategy for organizations, and a new risk isn’t the place to test the waters.
“There is a far, far greater number of insureds who use traditional risk transfer instead of utilizing the captive,” Corona told Advisen. “If the policy form is broad enough and the pricing makes sense, most insureds will use the traditional insurance market.”
Even businesses with existing, successful captives may not want to leap into cyber risk, since industry understanding and claims data are not at the same level of other established lines of business.
“They may not want claims surrounding the cyber exposure bringing down the captive,” said Corona.
However, she added, many insureds are “considering it and exploring it. Companies are always looking for different ways to insure risks.”
Corona also explained that if an organization has a contractual obligation with a business partner to carry cyber insurance, captive coverage might not fulfill the requirement as an alternative to traditional insurance.
Should capacity in the commercial insurance market diminish, or prices rise, captives for cyber risk may become more popular. A Marsh evaluation of the benefits of captives for cyber coverage noted the option allows businesses to address the risk and get an idea of the costs involved.
“Recent regulation … requires better notification around breaches, and the penalty for mishandling personal data is expected to be substantial,” said Matthew McCabe of Marsh’s cyber practice in the report. “When commercial insurance coverage for cyber risk is unavailable or prohibitively expensive, a captive can be used to build a statistical base, which can make securing coverage at acceptable terms and pricing easier.”
Data required for captives compels companies to evaluate the potential hit to revenue in the event of a cyber event, as well as assess their level of data protection and network security practices, according to McCabe. The Marsh report also found that companies can take a look at the protected health information, confidential financial information, and personally identifiable information they have stored, and the relationships they maintain with security vendors, cloud providers and other links in their supply chain.
Awareness of risk can only benefit organizations, in preventing claims and in pricing for captive reinsurance. Corona suggested that may be a by-product of writing cyber risk through captives, rather than a motivator.
“You’re going to track the claims activity and you’re going to understand the exposure,” she said “If you underwrite your cyber risk in your captive for five years and you don’t have any claims, you might have a better advantage.”
Bringing cyber coverage into captives has generated enough interest that the Vermont Captive Insurance Association (VCIA) has planned a webinar to educate its members on the options next week.
Richard Smith, VCIA president, told Advisen, “We’ve been hearing a growing need for folks in the captive industry to understand the pros and cons of putting cyber risk in a policy.”
Smith explained captives have been slower to take on cyber risk, since the traditional commercial insurance market has developed many options for coverage and it is a “fairly technical” risk.
“When you take something into your captive, you’re taking on the risk, and you hopefully have the capacity to understand the risk and mitigate it properly,” he said. With only 18 captives writing cyber out of nearly 600 active captives in Vermont, this new line of business isn’t nearly at the level of other risks insured through captives.
However, there can be advantages to insuring against cyber liability in a captive, as with any risk.
“You get more control over that risk,” said Smith. “You own that risk. You’re able to tailor mitigation that more readily meet the needs of your organization”
VCIA hopes to address concerns organizations have about cyber risk, he noted.
“We try our best to gauge the interests of the captive community and what’s on their mind. And clearly, cyber risk is one of the rising issues in the area of risk management,” said Smith.
He agreed that taking on cyber risk in a captive could offer organizations the chance to evaluate their own risk and “drill down into the particulars” of the exposure by building up data and experience.
“It’s an evolving risk. Cyber risk isn’t just someone hacking into your computer,” Smith said. Insuring against it also “requires a certain sophistication,” he added.
Aon’s Corona noted that ultimately, bringing cyber risk into captives will depend on an organization’s risk tolerance and risk philosophy.
“As this becomes a hotter topic, insureds are considering it from the risk manager’s and the whole organization’s risk management philosophy,” said Corona. “It is definitely an increasing part of the dialogue. Different solutions fit better for different insureds. It’s never one size fits all.”
Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].
