Why and how cyber is increasingly being insured by captives

Published on Mon, 01/08/2022 - 12:46

By Emma Sansom, Head of Captive Services UK at Zurich, and Thomas Clayton, UK Cyber Team Leader at Zurich.

Cyber insurance has historically been the mainstay of technology companies, financial institutions and retail businesses. This status quo is now changing, and the rate of change is accelerating due to the increased frequency and severity of insured events and the evolving risk landscape.

In particular, the growth in ransomware attacks and emerging systemic risk means that ensuring that these risks are managed and financed is becoming a more pressing issue facing a much wider range of companies.

Frequency has been driven up by increasing ransom demands, making ransomware a more lucrative activity and drawing more threat actors into the field. The advent of Ransomware-as-a-Service (RaaS) means that it is now incredibly easy to get hold of the malware and associated tools needed to execute an attack, again driving up frequency.

On the severity side, there is an increase in so-called dual-prong attacks whereby the threat actor not only encrypts the victim’s systems, thereby preventing access, but also exfiltrates data and threatens to release that on so-called leak sites. This not only increases the leverage and impact on the insured, but also opens up new privacy related covers within the policy wording.

And whilst ESG frameworks are still developing and are somewhat inconsistent in approach, one thing is abundantly clear: there is a growing expectation from investors for directors and officers to consider cyber risk as part of their approach to ESG.

Cyber insurance is also being increasingly demanded by lenders and contracting parties; we appear to be in the midst of a shift from this being seen as a luxury purchase to a near-compulsory purchase.

At Zurich, we have seen a marked increase in the number of enquiries about including cyber within the captive portfolio. Whilst historically many of these discussions have been speculative in nature, growing numbers are now being converted into viable captive solutions designed to address specific challenges.

So, as more companies are looking to wrap their arms around this risk, how can a captive be used as a practical tool to ensure a company is protected?

As we generate more and more data around cyber risk exposures, we can make better informed decisions around what covers to take into the captive. Over time, many risks have taken on the characteristics of more attritional risks (high frequency/low severity events), which are much more predictable and therefore can be more easily modelled.

At the same time, the market has also seen a number of large losses, occasionally eroding the full limit, so there is certainly a volatility potential. This risk profile fits quite nicely in a standard captive model, whereby the captive can assume some of the attritional losses and moderate risk excess as a deductible, and insure catastrophe risk in the traditional insurance or capital markets.

Often, we see hard market rates and a lack of appetite at a primary risk transfer level as being the main catalysts for putting cyber into the captive; however, deductible infills for local policies and small retentions with low limits to gain access to post-breach services have all been cited as motivation to explore options.

Additionally, some captives have developed bespoke wordings to ensure that their own specific risks are covered or to provide increased limits and/or cover which may not be widely available in the market. From an insurer perspective, this last point is actually beneficial because it means that risk can be incubated in the captive and the data gathered can inform future product development.

Some examples of potential structures are highlighted below:

As with any global insurance programme, consideration must be given to the needs of the local operations. A typical local limit is around US$5 million; however, many of our customers opt to buy a master policy only, as this allows for central control and a single point of contact for post-breach services. Because of this, policy issuance, servicing and claims handling are not necessarily required at a local level in the same way that they are for international property and casualty programmes.

Zurich is currently expanding our local offerings in the cyber space, but at present there is limited demand for this. This, of course, may change over time.

As with any change to your programme, it is beneficial to seek the advice of your broker and captive manager. They will be able to provide advice around the optimum structure, taking into account the whole of your captive’s portfolio and the risks contained within it.

Your captive manager will also be able to provide a view of the captive domicile’s regulatory considerations, such as the solvency requirements. Cyber risk is a short-tail risk, so claims should be known and quantified very soon after they occur.

Insurers can support discussions with the regulator by providing their view of the exposure and sense-checking premiums; however, some regulators have voiced concerns around the potential for significant losses and may still expect to see the captive’s exposure capped and/or protected by reinsurance.

Whilst reinsurance is an important tool in terms of limiting a captive’s exposure, it is not necessarily a panacea for all risks. Cover may be difficult to put in place in some cases, due to tightening of capacity across the market, and there may be a lack of appetite if coverages that aren’t currently available in the market are sought.

By having skin in the game, reinsurers may be prepared to give preferential rates and additional coverages on the excess risk transfer layers, as it demonstrates a clear commitment to risk management. This may also mean that arbitrage opportunities are available to the captive, as well as the potential for additional income via reinsurance overriders.

Where reinsurance is purchased, concurrency should be sought, i.e. a follow-the-fortunes wording, so that if the captive pays, the reinsurance is also bound to pay. Fronters such as Zurich would ask for this to be the case, especially where they are reinsuring 100% of the risk to the captive, as it reduces the potential credit risk exposure as well as benefitting the captive itself.

In the near future, cyber insurance-linked securities (ILS) may provide an additional vehicle to do this; however, whilst there have been mutterings of new product offerings in the market, at the time of writing, these are yet to come to fruition.

In closing, cyber may seem like a daunting cover to consider for your captive. With careful consideration of the exposures being taken on, together with the advancements in modelling and access to vital post-breach services to mitigate total loss costs once losses do occur, a captive can be an extremely valuable tool for managing costs, adding diversification to the existing captive portfolio and potentially generating profits. By ensuring that the business enjoys the right level of protection to continue operating, the captive can also help demonstrate to investors that cyber risk is being properly managed by the board.