Milliman's Kim Guerriero Discusses Cyber Risks and Captive Insurance Trends


Kimberly W. Guerriero, Milliman | October 23, 2024


Editor's Note: We recently caught up with Kim Guerriero, a principal and consulting actuary with Milliman's Boston office, to gain insights into key trends in the alternative risk market. With nearly 2 decades of experience, Kimberly has worked extensively on captive formations, funding studies, and regulatory rate reviews and has provided expert testimony on several high-profile 831(b) captive cases. In this interview, she shares her perspective on the evolving cyber-insurance landscape, the role of captives, and the challenges facing organizations as they navigate these complex issues.

1. What key factors should a captive insurance company consider when deciding whether to add cyber-liability coverage?

When considering adding a new risk to a captive, the company should assess the risks it faces and how the captive is currently being used to manage those risks. Specifically, it should evaluate what coverage it is currently purchasing in the commercial market or planning to buy, and identify any pain points. From a cost-benefit perspective, and depending on the organization's risk appetite, it can then determine whether it makes more sense to place the coverage in the captive or continue purchasing it commercially.

Another key consideration is the type of coverages already in the captive—whether they are long-tail or short-tail, or low-frequency and high-severity. A diverse range of coverages can benefit the captive, provided they are not overly correlated. Since cyber claims tend to be low-frequency, high-severity, and can result in swift payouts depending on the incident, it is crucial to evaluate the liquidity of the captive's assets to ensure it can quickly pay out a full-limits cyber claim. Lastly, the captive owner should ensure robust cyber-security risk management practices are in place, which may involve the risk manager working closely with the chief information security officer (CISO) or information technology (IT) department.

2. How has the cyber-insurance market evolved in recent years, and what trends are driving these changes?

The cyber-insurance market has experienced significant volatility in recent years. In 2021 and 2022, we saw substantial rate increases and higher retentions, followed by relatively stable rates and even some decreases in 2023 and 2024. Direct written premiums nearly doubled between 2020 and 2022 but remained flat from 2022 to 2023. At the same time, cyber policy counts rose by more than 10 percent from 2022 to 2023, likely indicating that policyholders are retaining more risk or that rates are decreasing. These shifts have been driven by improvements in IT infrastructure and cyber hygiene, increased competition from new entrants in the cyber market, and additional capacity from existing insurers. The growth in reinsurance has also supported this expanded capacity.

3. Can you explain the importance of cyber hygiene and its impact on underwriting practices?

Cyber hygiene refers to the practices an organization implements to safeguard its digital environment. This includes activities such as regular software updates, strong password policies, secure network management, data encryption, and employee training to identify phishing and other cyber threats. Good cyber hygiene is crucial for underwriting, as it directly influences how underwriters evaluate an organization's risk, set premiums, and determine applicable coverages, exclusions, or conditions.

4. What role does reinsurance play in the stability and growth of the cyber-insurance market?

Reinsurance plays a vital role in the cyber market by providing risk management, financial stability, and expanding capacity. Cyber risks are often highly correlated, with a single event potentially impacting multiple policyholders. Reinsurers help mitigate this aggregated risk by distributing it across a broader portfolio. They also provide captives with access to third-party resources and vendors for loss control and cyber-incident response. Reinsurance serves as a financial buffer, absorbing large claims from major cyber events, and it enables new or smaller insurers to enter the market with the support of reinsurance backing.

5. How has the rise of AI-driven cyber attacks influenced the decision-making process for captives considering cyber coverage?

Pricing cyber insurance has always been challenging due to the rapidly evolving nature of the risks, and artificial intelligence (AI) is yet another factor reshaping the threat landscape. AI can automate various aspects of cyber attacks, analyze social media to create personalized phishing emails, and test large volumes of username-password combinations across multiple platforms, making AI-driven attacks especially difficult to defend against. Since a captive is a long-term commitment, adding new coverage—particularly for cyber—requires careful consideration. With the increasing complexity of cyber risks and the rise of AI, it is more critical than ever for organizations to maintain strong risk management practices, ensuring close collaboration between the risk manager, CISO, and IT department.

6. Could you walk us through the differences between stand-alone cyber-insurance policies and packaged policies?

Stand-alone cyber-insurance policies are designed specifically to address cyber risks, offering more comprehensive and tailored coverage compared to cyber extensions included in packaged policies. Stand-alone policies typically cover a broader range of incidents, such as ransomware, social engineering attacks, and data breaches, with higher policy limits and more detailed provisions for first-party costs like business interruption, ransomware payments, and data restoration. They also tend to include specialized risk management services, such as cybersecurity training and real-time risk assessments, which are not usually offered in packaged policies.

On the other hand, packaged policies, such as those added to a businessowners policy (BOP), generally provide more limited coverage for cyber incidents. These policies may exclude key protections, like first-party coverages (e.g., ransomware negotiations or forensic investigations), and may have lower policy limits, leaving gaps in coverage. Packaged policies might be adequate for smaller businesses with lower exposure, but they often lack the depth of coverage needed for more complex cyber risks.

7. What are the potential risks of aggregation and model divergence in cyber insurance, and how can captives mitigate these risks?

Cyber risks are highly correlated, meaning a large-scale event, such as a ransomware attack, can impact multiple policyholders simultaneously, resulting in significant aggregated losses. This risk is magnified when a captive insures multiple entities within the same industry or geographic region, increasing the concentration of exposure. Supply chain vulnerabilities also present a challenge, as a cyber incident involving a shared service provider could lead to numerous claims. Captives can mitigate these risks by diversifying their portfolios across industries and regions, stress-testing for catastrophic scenarios, and managing exposure through lower policy limits, coverage exclusions, or the use of reinsurance.

Model divergence presents another challenge, as accurately modeling cyber risks is difficult due to limited historical data and the rapidly evolving nature of threats. Captives can address this by validating and benchmarking their models against both historical data and emerging risks. They should also incorporate a mix of modeling techniques and expert judgment, stay informed about industry advancements, and collaborate with peers to enhance their understanding of cyber risks.
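The aggregation effect described in the answer above (many insureds claiming in the same year because they share a service provider) and the mitigants it lists (diversifying the book, stress-testing catastrophic scenarios, lower per-policy limits) can be made concrete with a small Monte Carlo stress test. The following is an added example, not code or figures from the interview or from Milliman; the portfolio size, event probabilities, severity distribution and limit are constructed assumptions chosen only to illustrate the mechanics.

```python
import random

# Constructed captive portfolio. Every number here is an illustrative
# assumption for the example, not a figure from the interview.
N_ENTITIES = 20            # insured entities in the captive
P_INCIDENT = 0.05          # annual chance an entity has its own incident
P_SHARED_EVENT = 0.02      # annual chance a shared service provider is hit
MEAN_SEVERITY = 2_000_000  # average loss per incident (exponential severity)


def simulate_aggregate_losses(n_sims=20_000, shared_fraction=1.0, limit=None,
                              n_entities=N_ENTITIES, p_incident=P_INCIDENT,
                              p_shared=P_SHARED_EVENT,
                              mean_severity=MEAN_SEVERITY, seed=7):
    """Monte Carlo of one year of aggregate captive losses, returned as a list.

    shared_fraction is the share of entities that depend on one service
    provider; when that provider is hit (probability p_shared) all of them
    claim in the same year, which is the aggregation risk discussed above.
    limit caps each individual claim at the per-policy limit.
    The random draws do not depend on `limit`, so runs with the same seed
    are comparable scenario by scenario when only the limit changes.
    """
    rng = random.Random(seed)
    n_shared = round(shared_fraction * n_entities)
    results = []
    for _ in range(n_sims):
        provider_hit = rng.random() < p_shared
        total = 0.0
        for i in range(n_entities):
            u = rng.random()  # always drawn, so seeds stay aligned
            exposed = provider_hit and i < n_shared
            if exposed or u < p_incident:
                severity = rng.expovariate(1.0 / mean_severity)
                if limit is not None:
                    severity = min(severity, limit)
                total += severity
        results.append(total)
    return results


def value_at_risk(losses, q):
    """Empirical q-quantile of the simulated aggregate losses (e.g. q=0.99)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def tail_value_at_risk(losses, q):
    """Average loss across the worst (1-q) share of scenarios."""
    ordered = sorted(losses)
    tail = ordered[int(q * len(ordered)):]
    return sum(tail) / len(tail)


def stress_report():
    """Tail metrics under independence, concentration, diversification and limits."""
    cases = {
        "independent (no shared provider)": dict(shared_fraction=0.0),
        "all entities on one provider": dict(shared_fraction=1.0),
        "quarter of entities on one provider": dict(shared_fraction=0.25),
        "all on one provider, $1M per-policy limit": dict(shared_fraction=1.0,
                                                         limit=1_000_000),
    }
    report = {}
    for name, kwargs in cases.items():
        losses = simulate_aggregate_losses(**kwargs)
        report[name] = {
            "mean": sum(losses) / len(losses),
            "var99": value_at_risk(losses, 0.99),
            "tvar99": tail_value_at_risk(losses, 0.99),
        }
    return report


if __name__ == "__main__":
    for name, m in stress_report().items():
        print(f"{name:42s} mean={m['mean'] / 1e6:5.1f}M  "
              f"VaR99={m['var99'] / 1e6:5.1f}M  TVaR99={m['tvar99'] / 1e6:5.1f}M")
```

The point the run makes is that the expected annual loss barely moves between the cases, while the 99th-percentile and tail-average losses move a great deal: a shared-provider event with every insured exposed produces a year in which the captive faces roughly the sum of all its policies at once, and it is that quantity, not the mean, that the liquidity and reinsurance decisions discussed in this interview have to be sized against. Reducing the concentrated fraction or capping each policy pulls the tail back down without much changing the average.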

8. How does the loss ratio in the cyber-insurance market compare to other commercial lines, and what does this indicate about the profitability and sustainability of cyber coverage?

Evaluating cyber-loss ratios is challenging because we can only rely on calendar-year loss ratios, while accident-year ratios are available for most other lines of coverage. Calendar-year ratios often lag behind accident-year or underwriting-year figures. Additionally, the nonadmitted market is not reflected in National Association of Insurance Commissioners (NAIC) data. However, the NAIC's Cyber Supplement indicates that pre-2020 cyber-loss ratios appeared highly profitable. The higher loss ratios in 2020 and 2021 drove the rate increases observed in 2021 and 2022, which in turn have led to more favorable loss ratios in 2022 and 2023. For cyber to remain profitable, insurers will need to keep investing in robust risk management, underwrite risks carefully, and manage reinsurance strategies to mitigate aggregation risks.

[Chart: Cyber Calendar Year Incurred Loss and Defense and Cost Containment Expense (DCCE) Ratios. Source: NAIC Cyber Supplement, S&P Global Market Intelligence.]
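The lag between calendar-year and accident-year loss ratios that the answer above describes is easiest to see on a toy book of business. The following is an added example, not code or data from the interview, Milliman or the NAIC: the premiums, ultimate losses and the three-year recognition pattern are constructed assumptions. A calendar-year ratio counts everything recognised (paid plus change in reserves) during the year regardless of which accident year it belongs to, so a bad accident year shows up only partly in its own calendar year and then drags on the following calendar years.

```python
# Constructed book of business: earned premium and ultimate losses by accident
# year, in $ millions. Illustrative assumptions only, not NAIC figures.
EARNED_PREMIUM = {2018: 100, 2019: 120, 2020: 150, 2021: 220, 2022: 300, 2023: 300}
ULTIMATE_LOSS = {2018: 45, 2019: 55, 2020: 115, 2021: 180, 2022: 150, 2023: 140}

# Share of an accident year's ultimate loss recognised in each development
# year: 50% in the accident year itself, 30% one year later, 20% two years
# later. An assumed pattern for the example.
RECOGNITION_PATTERN = {0: 0.5, 1: 0.3, 2: 0.2}


def accident_year_ratios(premium=EARNED_PREMIUM, ultimate=ULTIMATE_LOSS):
    """Accident-year loss ratio: ultimate loss for the year / premium earned that year."""
    return {ay: ultimate[ay] / premium[ay] for ay in premium}


def calendar_year_ratios(premium=EARNED_PREMIUM, ultimate=ULTIMATE_LOSS,
                         pattern=RECOGNITION_PATTERN):
    """Calendar-year loss ratio: everything recognised in the year, whichever
    accident year it came from, divided by that year's earned premium.

    Calendar years whose contributing accident years are not all in the data
    are skipped rather than understated.
    """
    ratios = {}
    for cy in premium:
        contributing = [cy - lag for lag in pattern]
        if any(ay not in ultimate for ay in contributing):
            continue
        incurred = sum(ultimate[cy - lag] * share for lag, share in pattern.items())
        ratios[cy] = incurred / premium[cy]
    return ratios


def compare(premium=EARNED_PREMIUM, ultimate=ULTIMATE_LOSS,
            pattern=RECOGNITION_PATTERN):
    """Rows of (year, accident-year ratio, calendar-year ratio, CY minus AY in points)."""
    ay = accident_year_ratios(premium, ultimate)
    cy = calendar_year_ratios(premium, ultimate, pattern)
    return [(year, ay[year], cy[year], 100 * (cy[year] - ay[year])) for year in cy]


if __name__ == "__main__":
    print("year    AY LR    CY LR   CY-AY (pts)")
    for year, a, c, gap in compare():
        print(f"{year}  {a:7.1%}  {c:7.1%}  {gap:+7.1f}")
```

With these assumed inputs the 2020 and 2021 accident years are the bad ones, yet their calendar-year ratios come out well below the accident-year ratios because most of the loss is still to be recognised, while the 2022 and 2023 calendar years look worse than their accident years because they are absorbing the earlier years' development. That is the lag the interview refers to, and it is why a calendar-year-only view of cyber results needs to be read with the development pattern in mind.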

9. Can you provide a case study or example where a captive added a significant layer of cyber-liability insurance and the outcomes of that decision?

In 2021, a client faced a challenging renewal. In 2020, they had received several cyber-insurance quotes with terms similar to their expiring policy, which featured a $5,000 deductible. However, by 2021, they received just one quote, and it came with a significantly higher $250,000 deductible. Confronted with this steep retention, the client turned to their well-capitalized captive insurance company, which was already writing a mix of long-tail and short-tail coverages. This allowed them to take on the cyber risk through their captive, avoiding the prohibitively high deductible in the commercial market.

10. What are the most common types of cyber claims that captive insurers should be aware of, and how can they prepare for them?

Ransomware remains the most prevalent type of cyber claim, and preventing these attacks requires a multilayered defense strategy that integrates advanced technology, user education, and strong security protocols. Social engineering attacks, particularly phishing schemes, are also on the rise, where victims are deceived into transferring money or sensitive information. To combat these evolving threats, captive insurers and their owners must remain vigilant by regularly reviewing and updating their security practices, ensuring they stay ahead of the latest attack methods.
