Yes, there has been a significant increase in the purchase of cyber insurance, as we have seen cyber losses impact organisations on a more regular basis.
Have you seen an increase in cyber liability insurance in recent years? What are the reasons for this?
Peter Mullen: Yes, there has been a significant increase in the purchase of cyber insurance, as we have seen cyber losses impact organisations on a more regular basis. While 2014 may be viewed as the year of the retail breach, 2015 may be viewed as the year of the healthcare breach.
Given the evolving nature of technology, and growth in big data analytics, cloud computing, and the internet of things, we anticipate that organisational exposure to cyber risk will only increase.
Alec Cramsie: Yes, we have seen an increase in cyber liability insurance being purchased. It’s not only about the regulatory environment, particularly in the US where the regulatory environment has been in existence for some time, but also about awareness. I think many companies understand that it’s not if, but when, they are going to get a breach, and this is causing them to purchase.
How can captives effectively write this type of business? And does a captive complement a traditional policy?
Mullen: For the most part we have seen captives write cyber coverage as the primary layer typically to fund a very large retention to an excess risk transfer programme. Coverage issued by the captive will follow the terms and conditions of the excess market policy and we haven’t seen captives stray from this position to provide coverage that is broader than the market.
Cramsie:At the moment the structure of most cyber policies is around providing some kind of pre-or-post-breach help, and unless a captive has the capabilities of doing this, they are not really going to have the abilities to handle claims.
From a traditional captive perspective, it seems unlikely at the moment that most are that well positioned to provide a fully integrated solution.
Has there been an increase in the number of captive owners funding cyber risk?
Mullen: We manage roughly 1,100 companies and 18 months ago 1 percent of those companies wrote cyber. As of year-end 2015, this percentage has increased to 2.5 percent. By using a comprehensive risk assessment process, captive owners are developing a better understanding of the exposures they face and how to quantify them. This process allows them to make more informed decisions about risk retention, transfer and mitigation, for example, retaining risk in their captive.
Cramsie: We have certainly seen an increase in clients using their captives to consider taking risk. Most definitely the larger captive audience where they have an appetite to take bigger retentions and take more risk.
Why do you think some are still reluctant?
Mullen: There is really an industry-by-industry answer to this question. In a recent survey we conducted of our captive clients, roughly 60 percent of them said they were not currently buying cyber coverage. However, this percentage changes dramatically by industry. For example, 70 percent of companies such as retailers, healthcare organisations and financial services companies are buying cyber, whereas only 17 percent of critical infrastructure companies say they buy cyber.
Some larger clients have concerns that terms and conditions may be too restrictive or total limits may not sufficient enough for the catastrophic nature of the risk.
Cramsie: I think what it really comes down to is once a company has done its due diligence and figured out what its exposure looks like, it chooses to manage that risk in-house or pass it on through a risk transfer mechanism, or perhaps use the money to increase security or fund different areas of their business. It’s a choice, and some companies are just better positioned than others to deal with the risks internally, whereas others need to look externally and that’s where insurance becomes an viable option.
