Are cyber captives right for your business?

Captives may be a solution to combat cyber insurance difficulties since they can help stabilize insurance costs and enhance coverage, but are they right for everyone?

Most organizations today face exposure to cyber and technology threats as they continue to expand, grow and operate. Data privacy and security breaches, business interruption expenses, investigative and restoration efforts and harm to an organization’s reputation can be damaging and costly.

The FBI’s 2021 Internet Crime Report highlights an unprecedented increase in malicious cyberattacks last year alone. When losses increase across the industry, this causes rates to increase and coverage to be limited, all while limits decrease and insureds’ retentions increase. Because of this, it’s tempting to think that captives may be a solution to combat cyber insurance difficulties, since captives can help stabilize insurance costs and enhance coverage. But are cyber captives right for everyone?

When considering a captive, companies should take a long-term, strategic approach as captives are rarely a quick fix. Your captive insurance program should be coupled with a comprehensive risk management program that includes practices such as multifactor authentication and ongoing employee training so losses are minimized and program benefits are maximized. If you’re going to finance your cyber risk exposure through a captive insurance program, you need to understand the financial impact so you can calculate the potential reward against the costs.

For example, the first step in evaluating the viability of using a captive to cover cyber risks is to determine whether taking on additional risk is sensible given your company’s financial strength, capital objectives and tolerance for risk. We have seen that cyber captives do particularly well when supported by strong captive financials.

Why is this? Captives are typically used to underwrite high-frequency, low-severity, predictable claims that pay out over many years. Cyber insurance claims are the opposite. They are usually low-frequency, high-severity events that are difficult to model and predict, making the potential for severity in claims greater than for other types of claims. Additionally, when losses do occur they are paid out quickly. This means a captive’s financials should be able to support a full retention cyber loss without it going upside down, which is often difficult to do for brand new captives. This is why financing cyber risk through a captive is more advantageous and realistic for mature captives that have accumulated significant capital and surplus to more easily support the unpredictable and rapid payout nature of cyber losses.

For organizations with well-established captives that hold considerable underwriting surplus, adding cyber liability may be a sound strategy that can protect your bottom line from fluctuations in the standard cyber insurance market. If the past two years have taught us anything, it’s to expect the unexpected. Back in 2019, who could have anticipated a global pandemic that directly impacted our need to conduct business online at an unprecedented level, not to mention the effects on business of power outages and disruptions brought on by severe storms and online service provider failures since that time?

If your organization has a well-established captive and is interested in adding a cyber liability component, you may wish to consider these options:

  1. Retention funding: Use your captive to fund your current cyber retention. This could be an advantageous option because you retain access to the crucial incident response vendors that the primary carrier provides while still being able to transfer large or catastrophic losses to an insurance company.
  2. Layer ventilation: Consider taking a layer of the excess tower placement — either the full layer or through a quota share.
  3. Coverage expansion: Write a Difference in Conditions policy in the captive to fill gaps in coverage or common exclusions related to cyber. Examples include cyber incidents that are caused by ransomware, or bodily injury losses stemming from cyber incidents.
  4. Unique exposures: Provide primary coverage for organizations and risks that are uninsurable, or that cannot get cyber coverage in the traditional insurance market.

Financing cyber risk through a captive insurance program may be possible now, or further down the road, depending on the current state of your risk financing program and your organization’s short-term and long-term strategic objectives.

Blair Garland serves as producer, captive and alternative risk solutions at The Graham Company.

Margaux L. Weinraub, CPCU, ARM, CPLP, CCIC serves as cyber practice leader at The Graham Company.
