Global Cyber Liability and Captive Insurance
November 10, 2017
The 2017 Bermuda Captive Conference panel titled "Impact of Cyber and Emerging Technology Risks for Captive Insurers, Insurance Solutions and Latest Risk Developments" focused on various facets of the global cyber liability insurance market and how captives are being used to insure this emerging risk.
The Commercial Market Numbers
The global general cyber insurance market is one of the fastest growing sectors according to John Masters, assistant vice president with AIG Bermuda, who shared the following global cyber insurance premium estimates.
Year | Premium Estimate Year-End |
2014 | ~$2 Billion |
2015 | ~$2.5 Billion |
2016 | ~$3 Billion |
While numbers vary, he shared that according to PWC's Global State of Information Security Survey 2016, cyber insurance premiums will surpass $5 billion by 2018 and will reach $7.5 billion by 2020.
Mr. Masters said that 5 to 6 years ago, globally, there were around 30 markets in the cyber liability insurance space. As of recently, there are well over 60 markets, and this number grows (it seems) on a monthly basis.
Likewise, he said that Bermuda has gone from just 3 carriers to 10 carriers that provide excess limits of liability. While no primary markets exist in Bermuda currently, the Bermuda excess markets attach at the first or second excess layer ($10 million to $20 million) all the way up to $500 million. Additionally, a primary solution for captives is currently being worked on in Bermuda.
Mr. Masters said that the overall market is reasonably good at insuring cyber exposures for large data holders (retail, financial institutions, large healthcare organizations, higher education organizations, technology companies, and telecommunication companies). However, there are some gaps in coverage, or coverage is more expensive for nondata holders (large energy producing (nonutility) companies and manufacturing companies).
Insurance Coverage in the Market
Mr. Masters said that existing cyber insurance covers losses for damages to or loss of information from information technology systems and networks (first and third party). Available coverages include the following.
First Party (costs)
- Traditional event management costs coverage that addresses postbreach costs and forensic investigation costs, public relations firm costs, notification costs (customers/consumers), and various other administration costs
- Business interruption coverage is readily available. For example, where a company's network is brought down, this coverage reimburses the insured for loss of income and associated extra expenses from network security failure.
- Cyber extortion coverage encompasses situations such as ransomware attacks, and an organization ends up paying bitcoin to get its directory up and running.
- Data restoration costs coverage is available when data is not correctly backed up and addresses the cost of recreating/replicating an organization's lost data.
Third Party (includes defense costs and liability damage coverage)
- Security privacy liability insurance takes care of damage to others that are caused by the failure of an organization's network security (including wrongful exposure of confidential information). On the privacy side, it covers costs and damages for failure to protect personal identifying information.
- Regulatory defense costs coverage with expanded coverage for fines and penalties
The panel shared that as a peril, cyber is tricky because it does not live in a silo like many other exposures. However, one cyber event can cause a directors and officers loss, an employment practices liability loss, a property loss, and a general liability loss. Cyber underwriters will either need to learn how cyber affects all other lines of business or underwriters for all other lines (property, casualty, financial lines, or professional lines) will need to obtain an understanding of how cyber risk may directly affect the risks they are underwriting. The latter seems to be the direction the market is heading. Dealing with a loss that can cross many insurance lines while containing the exposure in one place requires excluding it under all other lines—a difficult proposition to coordinate across the market.
For example, Mr. Masters said that a supply chain hit across the industry is something insurers and reinsurers are struggling to quantify. AIG now asks its insureds about their supply vendors, other service vendors, and major partners in order to collect this data to better understand the systemic risk that they have on their own books.
According to Mark Owen, vice president of Insurance Management at Aon Captive, the client side does not have a clear understanding of what the market is doing, and clients are also struggling to understand the nature of their own risk in the cyber arena. He concludes that understanding the underwriting will help the client's understanding. Currently, he finds that the market lacks consistency.
Captive Insurance
Andrew Halls said that captive insurers are reinsuring cyber coverage limits and retroceding the limits to reinsurers. The general retained risk that captives assume and do not reinsure out, he said, is not significant and that, presently, captives are predominantly retaining first-party coverages. Like Mr. Masters, he noted that related premiums afforded to captive insurers' cyber coverages are relatively small.
Mr. Halls said that currently, captives are insuring cyber risk through the deductible reimbursement structure, whereby a commercial insurer issues a policy with a retention that is insured into a captive. Also, captives will direct issue a cyber insurance policy from a captive to an insured for a $10 million or $20 million limit.
According to Mr. Halls, cyber liability is difficult to price because it is an emerging risk. Limited modeling drives pricing, but this can only be relied upon to a certain extent. Additionally, a commercial re/insurer may view the same model very differently from a captive. A commercial insurer will consider the total aggregate limit amount across all of its cyber policies and measure how much capital is needed to fund these limits on a worst-case scenario versus determining an estimated maximum loss based on a model.
He said that captive clients can determine the limit that they retain (within their captive) as a function of the amount of surplus capital or free cash in their captive. For instance, a captive might have $20 million cash in the bank and feel comfortable transferring this amount of risk to the captive because the captive finds that it can pay out $20 million if there is a loss in year one.
Eventually, the captive will put in place long-term pricing to maintain a favorable position. For example, the captive may use a 1 in 10 year price or a 1 in 20 year pricing rationale. From that starting point on, the captive takes an incubation strategy of developing its own claims experience to eventually present to the commercial market in order to purchase reinsurance, according to Mr. Halls.
Mr. Owen said that regardless of a captive's size, the amount of risk put into the captive can be scaled. He said that putting emerging risks such as cyber into a captive is best because the captive is not necessarily going to get the coverage it needs at an affordable price. Therefore, as Mr. Hall also shared, incubation is good because the captive can look at its own risk, build up its data, and make more informed decisions. It is also better to approach insurers with a certain level of information in hand.
Mr. Owen continued to explain that as the market develops, captives contribute to innovation. When something happens, money is needed quickly, and the ability to manage losses is key to efficient bottom line control. With skin in the game, captives have a vested interest in reducing the risk. Here, the captive (and its closely related insured entity) will devote a level of attention to understanding and developing the risk within the organization.
In this way, risk management advances to build up data and work with insurers to influence what that risk really looks like going forward. In short, the captive is taking a portion of the risk before it goes into the market and developing and managing the risk through the captive to harness the market.
(Photo above, from left, of panelists Andrew Halls, John Masters, Mark Own, and Kerr Kennedy is courtesy of the Bermuda Captive Conference and used with permission.)
November 10, 2017