The cyber insurance landscape has never been more challenging for corporate insurance buyers. Increased retentions, huge premium increases, and narrowed coverage terms all have corporations searching for alternative solutions for cyber liability. Many companies are asking whether a captive insurance company can provide relief from the increasing prices for commercial cyber insurance.
Unfortunately, starting a captive insurer for the primary purpose of insuring cyber liability is unlikely to be a cost-effective replacement for commercial cyber insurance. Forming a captive is not a cheap or simple transaction. Captives require substantive strategic resources, regulatory capital, and operational costs, which taken together often make traditional cyber insurance look like a smart purchase (even at higher premiums).
One caveat to this analysis: for large organizations with well-established captives that hold significant underwriting surplus generated from other coverages, adding cyber liability may be a sensible strategy to mitigate the impact of a hardened cyber market.
Let’s look at captive insurers in detail.
What is a Captive Insurer?
A captive insurer is a licensed insurance company providing insurance for designated risks to its corporate parent company. Often called captives, these policies offer many benefits, including:
Cyber Insurance: Using Captives
Most corporate insurance buyers considering a captive for cyber insurance are reacting to recent rate increases and coverage reductions by commercial cyber insurers.
The first step in evaluating the viability of using a captive to cover cyber risk is to determine whether taking on additional risk is sensible given your company’s financial strength, capital objectives and tolerance for variability in insurance costs.
As difficult as recent cyber rate increases have been, exposing a company to a large potential loss may not be worth the benefit of removing a cyber premium from the commercial insurance market. As previously noted, using a captive to write cyber coverage does not eliminate the risk. It simply creates an alternative for organizations to retain and finance cyber risk via actuarially determined premiums paid by the parent company to the captive.
Captives are typically used to underwrite high-frequency, low-severity, predictable claims that pay out over many years. Good examples of these risks are workers’ compensation, general/products liability, medical malpractice, and errors and omissions. These types of risks are easy to model using traditional actuarial methods and are well-understood by captive regulators.
Cyber insurance claims, by contrast, are low-frequency, high-severity events that are extremely difficult to model, even with the most cutting-edge analytical tools. The volume of historical large cyber claims is small compared to other coverages, so models relying on industry data are imprecise at best. The nature and scope of cyber attacks are evolving quickly; cyber loss forecasters have to rely heavily on assumptions and theory to develop expected loss.
Finally, the potential for severity in cyber claims is greater than for other types of claims. Similar to the severity that drives commercial cyber premiums, the loss funding needs for captives are actuarially based, informed by market prices and overseen by insurance regulators.
Cyber Captive Challenges You’ll Face
Cyber liability also poses an array of financial challenges for captives beyond the exposure to losses.
- Regulatory Capital Requirements: Insurance regulators require captive insurers to hold capital to cover losses in excess of actuarial expectations. Because the potential for cyber severity is so great, regulators could require risk capital in the millions of dollars to support captive cyber programs with limits of $5 million or more. To determine capital requirements, conduct a cyber captive feasibility analysis. The requirements depend on the amount of cyber limit provided by the captive and the client’s financial strength. One thing is eminently clear: The capital requirements for a large cyber captive will be material for most companies.
- Fronting Fees and Collateral Requirements: Many companies find they need a commercial insurer to “front” their captive and issue cyber insurance policies (to comply with contractual requirements from customers or regulatory requirements, for example). In these scenarios, insurers will charge fronting fees between $50,000 and $100,000 per policy and will require collateral in amounts of at least 25% of the policy limits, satisfied by cash trusts or letters of credit.
- Increased Premium Taxes: Cyber coverage directly issued by the captive (not fronted) may require self-procurement taxes to be paid to state regulators equal to two to five percent of the underlying captive premium.
Our recommendation is to carefully consider the above financial challenges before investing the time and cost in a feasibility study. Many companies will conclude that the opportunity cost of risk capital trapped in a captive, fronting fees, captive operational costs and premium taxes disqualify a captive as the solution to the hard cyber market.
Cyber Insurance as a New Line for a Mature Captive
For companies with existing captives that already have stockpiled capital, adding cyber is a more viable proposition. The captive’s underwriting surplus could address some regulatory risk capital requirements without requiring the captive’s owner to transfer new capital into the captive. Such cyber strategies include:
- Increasing the ground-up self-insured cyber retentions and using the captive to underwrite part or all of the increased retention. Bumping up the attachment point of commercial insurance can help mitigate industry rate pressure and stimulate insurer competition.
- Using the captive to underwrite whole layers within the tower if pricing exceeds reasonable levels, whether through a policy issued directly by the captive or by a fronted policy issued by a commercial insurer (and reinsured by the captive).
- Having the captive participate on a quota-share basis with commercial insurers for layers above the primary self-insured retention. If loss modeling shows current total limits are inadequate, the captive could “stretch” available insurance market capacity by retaining a percentage of the limit on a managed basis.
Many risk advisors, insurance brokers and captive managers recommend captives as solutions to premium increases in the cyber insurance market. Considering the financial challenges of a captive covering claims for data privacy, regulatory infractions, ransomware and cyber-related business interruption, evaluate the financial and strategic costs of using a captive for cyber insurance.