Tailor made

Cybercrime is one of the fastest evolving risks for businesses, with a report from Cybersecurity Ventures predicting that by 2019 ransomware alone will breach a businesses’ cyber security every 14 seconds.

The 2017 Crime Report by Cybersecurity Ventures also identified the “cybercrime epidemic” as the greatest threat to every company in the world, suggesting it could cost the world $6 trillion annually by 2021.

The Equifax data breach and the WannaCry ransomware attack in 2017 exemplified the magnitude of the impact that cyber attacks can have, in terms of both finance and business interruption.

Not only is the attack surface widening as the number of interconnected devices worldwide increases, with the internet of things predicted by Cisco to reach 50 billion by 2020, but the volume and variety of threats posed by cyber risk is also growing.

Jeff Sharer, senior manager in the insurance and actuarial services practice of Ernst & Young, explains: “Cyber risk is not exposure to one specific risk; instead, it is exposure to a group of risks, which differ in technology, attack vectors, means.”

He says: “As the cyber threat landscape evolves exponentially as firms become digital, the cyber risks that were once considered unlikely are now becoming regular occurrences. Meanwhile, the cyber risks that were once unimaginable must now be viewed as a potential occurrence.”

Companies are beginning to take cyber risk increasingly seriously, but there appears to be a gap between awareness and action.

Aon’s Global Risk Management Survey 2017 found that while cyber risk was perceived by the participating companies as the the fifth top risk (number two for participants with annual turnover of over $1 billion) just 33 percent had purchased cyber insurance.

Anup Seth, managing director of Aon’s Global Risk Consulting practice, says that this is due to a lack of coverage available.

Historically, cyber risk coverage has focused on data loss, however, with the cyber threat landscape changing, the type of coverage required by companies is broadening making it difficult for the commercial market to keep up.

Seth explains: “It’s because the product that was available until the middle of last year wasn’t really covering the exposures that they had. If you look at who was buying cyber it was what we would call the data holders.”

“The product that was available, let’s call it cyber 1.0, was really covering the loss of data. Other companies have other exposures relating to cyber and they felt that that particular product wasn’t addressing their exposures and their needs.”

Captive solution

This is where the alternative solutions offered by captive insurance companies can be advantageous.

A captive’s flexibility allows companies to have broader policies that recognise cyber as a standalone peril and address all of the exposures and needs.

Where historically coverage is focused on data loss, one of the key benefits of using a captive is that it allows an organisation to include coverages specific to their exposures that would not usually be addressed, such as business interruption or physical damage resulting from a cyber event, and write those policies through their captives.

In addition to broader and more flexible coverage, using a captive also offers a pricing advantage.

Seth suggests: “With the captive taking the equal retention, the excess layers will obviously be an increase layered factor type approach or you may choose to buy a large quota share excess of the captive retention. Either way, you will make a saving when you look at your total cost of risk.”

Captives can also be beneficial for an organisation’s post-breach response. They can allow organisations to have a predefined process in place in the case of a cyber breach to reduce business interruption, one of the most concerning consequences of cyber attacks for businesses.

According to Seth, putting cyber insurance through your captive, and having a pre-defined claims management and response process, will help to reduce business interruption in the scenario of a cyber attack.

“That’s another big advantage. Having that claim and cyber response team all mapped out prior to actually binding your policy,” Seth adds.

“This will not only influence the insured loss, but also the economic loss from a parent company, and limit their reputational damage and brand impact.”

The advantages a captive can offer work best in a combined structure alongside commercial insurance. Either using the captive to supplement commercial insurance and fill the gaps left in the policy or using the captive to write the coverage’s primary layer while using an excess-of-loss programme and reinsurance to purchase additional limits.

Salil Bhalla, AIG’s UK head of complex multinational accounts, says a combined approach is ideal “as very few captives can provide sufficient capacity for cyber risks without the support of the commercial market. Very few captives will have the underwriting appetite, balance sheet strength or technical expertise to provide the full limits required.”

Bhalla explains: “The size of the captive retention will depend on its risk appetite, with most captives taking a very cautious approach towards cyber risk. Ideally the captive needs a partner with both cyber underwriting and captive fronting capabilities to provide a seamless cyber insurance solution.”

Review first approach

Vital to structuring captives correctly for cyber coverage is the identification and understanding of the danger posed to a company by cyber, and the impact that an attack may have.

A review first approach, which involves cyber risk assessments and exposure analyses prior to the production of a cyber policy, is therefore critical to ensuring the appropriate coverage is purchased.

Seth suggests: “Getting that exposure analysis done is really critical. That will drive your premiums, it will drive the underwriting process and also the sort of coverage that you can get.”

“It’s almost akin to an engineering report. When insuring a property most underwriters will insist on an engineering report so we are trying to follow the same logic. If you’re a cyber underwriter and we’re now treating this as a separate standalone peril, you want to see the cyber resilience review,” he adds.

Enhanced regulations

An additional consideration in cyber coverage is the upcoming implication of the General Data Protection Regulation (GDPR) on 25 May 2018. GDPR aims to provide enhanced and uniform regulations for data protection in regards to personal information for all individuals across the EU and will impose a number of requirements ensuring data is properly acquired, held and protected by companies.

AIG’s head of cyber, Europe, the Middle East Africa, Mark Camillo says: “The area that is receiving the most attention from companies is the potential fines and penalties that can be levied—up to 4 percent of global turnover.”

“Due to the potential increase in costs and exposure, more companies will want to make sure that their insurance addresses data security and privacy concerns, whether through a captive or through commercial insurance.”

Looking ahead

While commercial insurance is evolving in cyber, and advancements in coverage are predicted this year as cyber begins to be recognised as a standalone threat, the benefits that captive insurance offers for cyber risk coverage means that it will likely remain an extremely viable alternative solution in a market that is expected to see huge growth over the next few years.

From its 2017 cyber report, Aon expects global premiums for cyber to be between $5 billion and $7 billion in three to five years time, up from around $2 billion in 2017.

Seth suggests that captive insurers will play a part in this growth.

He explains: “All the signs are there for this area to grow significantly and encouragingly we are seeing that the market has also evolved and is providing broader coverage and certainly the captives have an important role to play in facilitating this risk transfer process.”
The latest features from Captive Insurance Times
With the scope of cyber threats evolving, and commercial insurance unable to offer suitable coverage, captives can provide a tailored alternative solution to meet individual company exposures
Equity income strategies can be useful for captive insurers protecting their portfolio. Eric Hovey and Frank Lee of Payden & Rygel explain
Join Our Newsletter

Sign up today and never
miss the latest news or an issue again

Subscribe now
Senior insurance executives give their predictions for the captive insurance industry in 2018
Vittorio Zaniboni of Generali Employee Benefits discusses the evolution of fronting networks to help captives better manage their people risk
In 2018, insurers will face an environment filled with uncertainties and concurrent risks that haven’t been experienced at this magnitude for some time, according to Anjanette Fowler of Madison Scottsdale
Dennis Silvia and Tony Weller explain why risk retention groups are a viable solution in the insurance marketplace
The US tax reform will bring sweeping changes across nearly every aspect of the tax code. John Dies explains the implications for foreign captives
With the scope of cyber threats evolving, and commercial insurance unable to offer suitable coverage, captives can provide a tailored alternative solution to meet individual company exposures
Domicile profiles
The latest domicile profiles from Captive Insurance Times
Jay Branum, director of captives at the South Carolina Department of Insurance, discusses his predictions for the industry, and explains what the domicile has in store for 2018
Tanya McCartney, CEO of BFSB, explains how The Bahamas are honouring their commitment to tax cooperation and transparency
Asset Servicing Times

Visit our sister site
for all the latest asset servicing news and analysis

Tennessee’s governor, commissioner, general assembly and business community have all worked together to create ‘explosive growth’ in the state’s captive insurance industry. Julie Mix McPeak explains more
Newly-appointed chairman of CCIA Michael Maglaras suggests that the future is bright for state’s captive industry
Although the Isle of Man is currently focusing on updating its regulatory framework, Solvency II, Brexit and the Asian market all hold big opportunities for the island
Debbie Walker of the North Carolina Department of Insurance tells Becky Butcher why the state is among 2017’s standout performers
Experts convene to talk to Becky Butcher about the stability that Guernsey represents in a challenging financial and political environment
In an era of increasing uncertainty, Tamatoa Jonassen suggests that the Cook Islands can be a bridge to financial security in a captive
The latest interviews from Captive Insurance Times