Cyber-security and risk control, utilising a captive

This year, The World Economic Forum Global Risks Report 2019 highlighted a major increase in the risk of cyber-attacks[1]. These attacks often led to theft of money, a loss of data and the disruption of operations, which can cripple an organisation’s ability to function. Financial loss from cyber incidents is also on the rise. A global study by The Ponemon Institute found that the average total cost of such an event was $3.86m in 2018[2]. This was up 6.4% from the year before.

Michael Stahel of LGT ILS Partners highlighted some specific examples in Captive Review earlier this year. In 2013, US retailer Target suffered at the hands of hackers who successfully exploited their point of sale system. During Thanksgiving weekend, 2,000 Target stores had 41 million customer card accounts stolen. The retailer suffered a total financial loss of $252m, while only $90m could be recovered from insurers. A further $18m was paid in multistate settlements to state authorities investigating the data breach[3].

As cyber-attacks become more frequent and increasingly harmful, businesses are becoming more aware that they must adapt their risk strategy. This will involve changing their operating models, and giving more thought to their insurance strategy.

The challenge for insurers

The lack of qualitative data, and data sharing about attempted or actual cyber-incidents, are key factors limiting the development of a mature cyber insurance market. Cyber coverage is still relatively new, and insurance and reinsurance carriers sometimes have insufficient capacity for what is being requested by corporate customers. However, insurers are investing research and capability into cyber coverages, and are acquiring more experience and gathering more data to support underwriting models. With more experience, traditional insurers can develop more comprehensive market solutions thanks to advanced risk modelling.

Despite the fact that there are more than 100 insurance carriers that offer cyber coverage, there are only a handful of global insurers offering meaningful capacity for large international corporate customers on a primary basis – thereby also leaving room for alternative approaches.

Limitations of traditional insurance

Cyber risk is still a difficult area for many companies to define. They are constantly evolving and full of complexities, and involve intangible data, which presents a challenge for many companies. Few owner/managers of small organisations know precisely what they need. As organisations increase in size and expand into different territories the complexity increases substantially.

Additionally, companies mitigate their cyber exposure in a variety of ways. Some companies are more exposed to data breaches, while others are primarily concerned about business interruption. Many companies opt to transfer risk using traditional insurance methods, but as there is no “one size fits all” approach, they may find that this has limitations. For example, there is a wide range of policy wordings currently available in today’s market, and given the myriad of exposures that a company may face, this can lead to potential gaps in coverage or a patchwork of coverages to address specific risks. Additionally, claims management approaches may vary widely, and for those multinationals seeking a DIC/DIL programme, this can further add complexity when and if a cyber incident strikes. The premium volume of the cyber insurance market is certainly the size of a few billions and has seen significant growth over the last decade, and while there are many benefits from the available range of cover, additional options can be sought – particularly by large, international companies.

Captives may also assess alternative approaches to reinsurance like ILS capacity, which could enable them to provide additional insurance coverages for the insurance fronter[4].

International programmes

For large, complex and centralised organisations a captive can be an appealing option. Captives can provide a number of major benefits; many of the issues in cyber insurance and global programmes can be managed by pooling the risks in a captive at a reinsurance level. There are three major benefits of using a captive in this way.

Firstly, jointly with the insurer a captive allows the organisation to define precisely what it wants to cover and what would be acceptable to exclude. This can provide risk managers with flexibility and control. The solution can be bespoke; it can include some non-standard elements but also remove some that are not required.

Secondly, the captive can provide a structured finance solution to the cyber risk problem. Because data on cyber insurance is currently limited compared to other long-established markets, cyber risk is more volatile. By pooling the risks from multiple regions, more data is available to improve loss management and analysis for future planning.

Thirdly, the quality of claims management can be improved. Large claims can be managed at a portfolio level and financed through the portfolio. If one region experiences a large claim, which can be up to 100% of the program, this can be managed through the captive.

Implementing a captive

We know from speaking to our customers that risk managers want globally aligned, controlled master programmes for all their exposures worldwide. We work with them to achieve control over their risks. Our solutions are designed to achieve cost efficiencies, oversight and contract certainty, and Zurich is now a leading underwriter of cyber risk.

Across the world, insurance partners need to keep on top of all the challenges, and continue to invest significant effort and resources into understanding the global landscape. One thing we can guarantee is that cyber-security will continue to be a challenge. Customers need their insurance partners to provide suitable products and react swiftly to events, and we know that our role is to design solutions able to meet these expectations.

 Paul Woehrmann, Head of Captives Services at Zurich