Exploring captive insurance solutions to manage the cyber coverage crunch

Capacity has not increased in the cyber market and premium rates are rising.


The frequency and severity of cyberattacks continue to escalate at an unprecedented rate. Cybercrime costs are estimated to grow by 15% year-over-year from 2021 to 2025, reaching nearly $10.5 trillion annually, according to a recent report by Cybersecurity Ventures. This trend is propelling cyber risk mitigation to the top of business leaders’ concerns, as well as making it one of the highest expense items on the balance sheet.

As businesses scramble to secure cyber coverage, the cyber insurance market has stalled. Despite the demand, there are no signs of increased capacity and premium rates are rising. According to the Council of Insurance Agents & Brokers (CIAB), the first three months of 2022 saw cyber insurance premiums increase by an average of 27.5%.

In another troubling development for businesses, insurance companies are tightening terms and introducing more technical underwriting requirements for certain cyber coverages, particularly for organizations that do not have sufficient cyber risk controls in place. Meanwhile, the hardening of the cyber insurance market has driven commercial market costs to levels never seen before and steered leadership toward alternative solutions to transfer risk. This unique combination of factors is incentivizing organizations to explore captives, a risk transfer tool, as an alternative means of controlling costs while mitigating risks.

Cybersecurity threats continue to worsen

It’s important to understand the many cybersecurity threats that continue to impact the cyber insurance market.

Russia–Ukraine Conflict

The full impact of the Russia–Ukraine conflict on cyber warfare remains to be seen; however, it is anticipated that Russian cyberattacks will increase. Although attributing cyberattacks to specific actors or organizations is difficult, suspected Russian-sourced cyberattacks were a growing concern among U.S. businesses even before the invasion of Ukraine.

Moreover, in April, the cybersecurity authorities of the U.S., Australia, Canada, New Zealand and the U.K. released a joint advisory in which they warned organizations about the potential for increased Russian-aligned cyberattacks on a global scale.

Attacks becoming more sophisticated

In 2020/21, the number of cyberattacks and data breaches was 15.1% higher than the previous year, ThoughtLab reports. The developments in sophistication and severity also pose major concerns: Cyber criminals are utilizing more insidious methods of cyberattacks, including social engineering and ransomware. While many strides are being made in cybersecurity, threat actors are constantly evolving their tactics to stay one step ahead.

In the last two years, threat actors have vastly increased their sophistication, incorporating new techniques that make detecting attacks more challenging. Sophistication also concerns the speed of cyberattacks; threat actors are now able to build off of one another and “leapfrog” their way forward at an accelerated pace.

Cybercriminals use the Dark Web as a starting point to share illicit content, then move to other channels to build upon this shared knowledge. Cybersecurity experts are fighting an uphill battle to keep pace with these criminals who are collaborating and leapfrogging over cybersecurity strides.

Mounting cloud security challenges

The cloud is designed with usability and accessibility in mind, and most businesses have adopted some degree of cloud computing. The global public cloud service market is expected to reach $623.3 billion by 2023, according to a Cloud Computing Market research report. This is, in part, because the cloud has the potential to be more secure than traditional on-premises solutions.

Nonetheless, there are challenges: Inadequate cloud security strategies, lack of sophistication with cloud infrastructure within organizations and general lack of expertise present significant risks to organizations.

First, a shortage of cloud expertise frequently results in an organization’s misconfiguration of cloud security settings, which is a leading cause of data breaches, the global intelligence firm IDC found in a 2020 study. IDC revealed that eight in every 10 U.S. companies have experienced a data breach as a result of cloud misconfigurations.

Second, because many businesses are relatively unfamiliar with cloud infrastructure, a lack of additional security review is common, leaving data exposed to potential intrusion by threat actors. Without expertise in cloud security controls and appropriate cloud configurations, many businesses misunderstand where a cloud service provider’s responsibilities end and their own begin.

Third, organizations must address a lack of security in cloud-based, customer-facing applications. Businesses create user-friendly interfaces for customers or employees to quickly access data in the cloud, but without appropriate security controls for these interfaces, they become exposure magnets for threat actors.

Finally, in the event of a successful intrusion, the expansiveness of the cloud increases a business’s potential attack surface.

Hard times ahead: Why this stalled cyber insurance market is different

As cybersecurity threats have grown, so has the demand for cyber insurance. In addition, carrier loss ratios have gone up, which has caused carriers to pay closer attention to cyber coverage. This scrutiny has led to greater industry-wide recognition of the uncertainty around cyber threats and the lack of data available to foster better underwriting capabilities.

At the same time, numerous large-scale cyberattacks that simultaneously impacted hundreds of businesses, such as WannaCry, Petya and NotPetya, have prompted concerns about aggregation and systemic risk. These factors have produced a hardening trend in the cyber market as carriers reduce supply; increase premiums, deductibles/retentions and co-insurance; tighten terms; and introduce new underwriting technical requirements.

The hardening cyber market also presents long-term opportunities for organizations. First, organizations are incentivized to improve their cybersecurity to positively impact their total cost of risk. Second, the hardening market fosters partnership, collaboration and transparency between insureds and insurers, which will likely lead to new and innovative avenues for controlling the total cost of risk.

The growing appeal of captive insurance solutions for cyber

Captive insurance is an alternative to self-insurance, in which a parent group, or groups, creates a licensed insurance company to provide coverage for its members. Its primary purpose is to insure the risks of its owners, and its insureds benefit from its underwriting profits. Instead of paying to use a traditional commercial insurer’s money, the owners invest their own capital and resources. This can mean higher risk when large claims occur, but it can also save premiums for smaller, higher frequency claims because the company retains the money otherwise paid to traditional insurers.

A captive can also be used to provide coverage and limits that are not widely available in the market. Captives are particularly appealing to companies that have unfavorable loss histories, operate in high-risk ventures or face unique vulnerabilities that traditional insurers will not cover.

Among the most compelling aspects of captive solutions is the ability to tailor solutions and coverage to meet a company’s unique risk exposures while also providing better control over claims decisions.

Challenges of captive development

Developing a captive cyber program is neither cheap nor simple, especially in cases where a pre-existing captive is not already being used. In addition to requiring a significant upfront investment of capital, establishing a captive cyber program requires time and effort to better understand the nature of the risks and to build out the infrastructure, expertise, vendor relationships and processes necessary for managing the incident response process and handling cyber claims. Cyber claims differ from other business lines’ claims because they are extremely time-sensitive, which requires expertise from experienced professionals.

Expertise in cyber claims handling is in high demand — and costly. Finding the best and most cost-efficient talent could lead to the consideration of outsourcing the cyber claims handling function.

Additionally, building out vendor relationships to maximize cost savings and expedite the incident response timing (another potential source of cost savings) is key. Traditional insurers with cyber coverage and third-party administrators that specialize in cyber have established relationships and preferred pricing with qualified vendors, which insureds can leverage.

Cyber captive: Is it right for your business?

Not only are organizations with existing captives for other lines of business considering adding cyber liability (first- and third-party), there is also significant interest in starting captives for the primary purpose of insuring cyber risk.

All of these factors, such as cyber claims expertise, vendor partner relationships and the upfront investment, should be considered when strategizing and building out the infrastructure of a captive program in order to achieve cost savings for businesses. Yet only time will tell whether captives prove to be a lasting, viable and cost-saving alternative for cyber risk.

Shushanie E.K. Liesinger, (shushanie_liesinger@gbtpa.com), J.D., CIPP/US, is the team lead and operational director of Gallagher Bassett Specialty’s Cyber Practice Group. She leads and directs all operations and claims functions across GB Cyber, including developing practice group standards, best practices, and strategic and tactical approaches to increasing the company’s footprint within the rapidly expanding cyber market.
