Despite the hardening market and capacity restrictions driving captives as an attractive risk management option for organisations’ cyber risk, sufficient and reliable cyber data for captive insurers remains severely lacking.
This is according to a new market segment report by A.M. Best, ‘US cyber: the hardest of the property and casualty markets’. The report finds that the cyber market continues to grow, citing a 75 per cent increase in direct premiums in 2021.
A.M. Best adds that ransomware attacks, aggregation risks and social engineering scams remain critical challenges for the insurance industry.
The report notes: “Given their flexibility, captive insurers can customise policies that can mitigate the growing threat of these attacks. As a result, parent organisations can more quickly assess the damage and devise a plan of action toward recovery.”
It adds that captives are being utilised as a strategic tool to provide cyber coverage, owing to proximity to the parent company — physically, culturally and enterprise-wide.
However, with the exception of risk retention groups (RRGs), captive insurers do not generally file with the National Association of Insurance Commissioners (NAIC). Statutory filings required on a jurisdictional basis do not tend to demand specific data for cyber programmes.
NAIC data for 2021 found that RRGs wrote around $19 million in cyber premiums with limited coverage, with some pure captives writing multi-million dollar limits and premiums.
The report identifies that many domiciles have shown interest in having captives provide the same level of detail as the NAIC cybersecurity and identity theft insurance coverage supplement to improve future transparency.
In addition, captives are using third-party technology and forensic cyber consultants to help with underwriting, as well as conduct regular monitoring of the parent’s cyber security policies, procedures and testing.
The report notes that, in recent years, cyber managing general agents (MGAs) and managing general underwriters (MGUs) have created their own captive or specialty insurers. In doing so, they retain a share of each risk they underwrite, demonstrating a long-term commitment to underwriting a profitable and sustainable book on a global scale.
Furthermore, MGAs and MGUs benefit from working closely with their policyholder to recommend measures to improve their cyber profiles and practices,and insurance brokers, and with brokers to create customised coverage.
Cyber risk modelling is naturally improving as more data becomes available. For example, threat vectors are being modelled with stochastic simulations of frequency and severity scenarios (although these are not close in maturity to more established natural catastrophe models).
Although these models have not yet been real-world tested, A.M Best argues there is value in modelling as the process of validating assumptions, parameterisation, discussing results, and comparing events gives insureds and underwriters a better understanding of cyber risks overall.
Looking forward, A.M. Best recommends that, as cyber insurance only grows as a critical element of a company’s risk management strategy, insurers will need to develop clear risk appetite guidelines for how much cyber risk to assume, as well as limits on the nature of the risks underwritten according to industry, geography and size of the insured.
The report concludes that regulators globally should consider requiring that insurers break out cyber metrics in their financial statements, as this will help to improve accuracy and consistency of these metrics, allowing stakeholders to analyse trends and profitability to develop best cyber practices.
