March 1, 2017 by Greg Meckbach, Associate Editor
Access to reinsurance, the difficulty of underwriting cyber coverage and the ability to have cash available in the event of a claim are among the reasons that more organizations are covering some of their cyber risk through a captive.
“The largest organizations are at least contemplating having that first layer in a captive,” Jim Swanke, head of captives consulting for Willis Towers Watson plc, reports of cyber risk.
That willingness to explore seems to be reflected in Aon plc’s report, Cyber – the Fast Moving Target, in which 8% of respondents “have indicated interest in underwriting cyber risk in a captive, and that trend is projected to increase threefold in the next five years.”
The report provides results of a survey of captive clients that the brokerage undertook in 2015.
Aon reported at the time that more than half of surveyed companies do not buy cyber insurance. Factors contributing to the low take-up “include the absence of meaningful capacity for larger companies, the inability to buy coverages most sought after (for example, business interruption and contingent business interruption), pricing, and uncertainties surrounding the insurance industry’s willingness to pay claims in untested waters,” the report states.
Michael Serricchio, senior vice president with Marsh Captive Solutions, says that from 2014 to 2015, “there was a 30% increase” in the number of company clients using a captive for cyber.
“Although we don’t have the numbers yet this year, we think there is going to be a significant increase this year as well,” Serricchio says. “You are going to see more captives writing cyber for various reasons for small, medium and large-sized clients,” he predicts.
Marsh Canada defines a captive as a legal entity formed primarily to insure the risks of one corporate parent or a number of similar corporations (for example, trade associations), thereby contributing to a reduction in the parent entity’s total cost of risk.
STRUCTURING A CAPTIVE
There are “two basic options” in structuring a captive, says Peter Mullen, chief executive officer of Aon Captive and Insurance Management.
By way of example, “the captive could issue a policy for, say, $100 million of limit and then behind the captive, buy reinsurance protection, for $75 million in excess of $25 million, the $25 million being retained in the captive,” Mullen explains.
“Option 2,” he continues, “would be the captive issues a policy for $25 million and then buys excess insurance, above the captive for $75 million in excess of $25 million.”
One benefit of covering cyber through a captive, Mullen suggests, “is gaining access to reinsurance capacity which you wouldn’t be able to buy if you just had a deductible.”
Courtney Claflin, executive director of captive programs at the University of California, would likely agree.
“One of the big advantages of owning a captive is direct access to reinsurance,” suggests Claflin, pointing out that the university covers its cyber risk through a captive insurance company.
“By including cyber risk in a captive, rather than simply self-insuring the risk, the company gets the opportunity to see how the risk will behave in a formal insurance structure subject to underwriting and claims adjustment disciplines,” notes the Aon report.
“Over time, that experience and data can be used to negotiate program structure with insurance carriers and inform cost allocation of cyber loss,” it adds.
“One of the things that people will realize when they have a cyber breach is their coverage isn’t nearly as good as they think it is and, so, there are a lot of gaps,” Claflin suggests.
When shopping for cyber insurance, the university was not “getting very good terms and conditions,” he says. “We weren’t getting a good response from the marketplace, and I said, ‘Well, I might be able to help.’ I said, ‘Go write the policy you want. Put everything you want in the policy then let’s go to London and let’s shop it,’” he recalls.
Organizations that put the first layer of cyber risk into a captive “want to have the cash readily available within their own insurance company so that if a cyber event does occur, the cash is resident within the insureds themselves,” Swanke explains. “They are concerned that if they have a cyber event, they have to be almost immediate in their response to reduce the loss, and in that first layer, if they have the cash within their own captive, that cash can be deployed just as soon as they understand that they have had a loss,” he says. “I think for a number of our clients, that is one of the primary advantages that they see.”
Cyber risk is changing rapidly, especially with phenomena like “the Internet of Things and bring-your-own-device-to-work policies,” suggests Mullen, which contributes to making cyber more difficult to underwrite than traditional property insurance.
“If you go to market with your property program, you might have several billion dollars worth of property exposed around the world, but it’s not going to change that quickly,” he says.
“As the world becomes more digitized, the exposure is increasing. Hackers are becoming more sophisticated in their approach. It is a much more complex risk than some of the standard risks that we would normally see.”
There are also challenges with regard to the underwriting process for major cyber risks, which Mullen says “can be very cumbersome and can take up to six months.”
Another challenge is getting a grasp of computer network security, he points out, emphasizing that an organization needs to understand its own risk profile and what assets need to be protected. “The underwriter has exactly the same issues,” Mullen comments.
“The underwriting process for cyber insurance requires a deep-dive into network security controls for an organization,” suggests the Aon report.
“In addition to completing an application, companies may need to engage with underwriters in a conference call or meeting in order to discuss key areas of risk, such as network security controls, vendor management, business continuity and incident response planning,” it notes.
Cyber risk “is one of those areas that has a lot of moving parts and pieces,” Serricchio says. “Ten to 15 years ago, it wasn’t around, so it is evolving from a coverage, terms and conditions perspective, a loss history perspective, premium pricing and capacity. It makes it challenging to price it,” he adds.
Mullen echoes Serricchio’s comments. “There is well-established science around how to arrive at your deductible and limit for a property program,” he says. “Not so with cyber.”
The data on cyber risk that underwriters are looking for “is constantly changing,” reports Joe DePaul, who is with the United States-based national cyber/errors and omissions risk advisor, FINEX, a division of Willis Towers Watson.
“There is not a great deal of data yet,” DePaul says of cyber risk. “We are looking at creating more information that can be used more broadly for underwriters for various industry groups,” he reports.
Insureds should try to avoid having differences in conditions between layers, DePaul recommends. “We don’t want there to be any confusion of what the underlying is covering and what the excess layers are covering,” he notes.
In a tower of risk, what is covered in the primary layer can be different from what is covered in the excess layer, Mullen explains.
“In the marketplace, there are about 60 carriers writing cyber,” he notes. “They are using different forms, so part of the challenge is having a form for the captive to issue that the market is willing to follow to build a consistent block of coverage,” Mullen says.
DePaul reports that Willis Towers Watson observes a “broadened and soft market” in cyber.
“We see terms and conditions broadening as well. The marketplace has broadened to the point where we are now able to manuscript policies with ease with some of the markets that we do deal with, and captives come into discussion when a client will want to look at that as an option to really broaden [coverage] or really absorb some risk,” he adds.