Cyber Captives 101: Is Self-Insuring the Right Risk Mitigation Choice for Your Business?
Cyber coverage is tightening. Could captives be the safety valve for businesses looking to manage this ever-threatening risk?
Courtney DuChene | June 1, 2022
Bring up cyber insurance coverage in any board room and you’re likely to be met with heavy sighs.
Policy rates are increasing as insurers struggle to make cyber lines profitable. Policy terms are tightening and risk managers everywhere are starting to feel the pinch on their risk-transfer pocketbooks.
“We have certainly noticed an uptick in the anxiety levels in many of the clients I spoke to about cyber solutions going forward and yet still the same anxiety stems from the exposure, the vulnerability and the fact that they are as yet unsure where their captive coverage begins and what role the captive could or should play,” said Adrian Lynch, executive vice president, North America, Bermuda and Cayman at Artex Risk Solutions, Gallagher’s wholly-owned subsidiary for alternative risk and captives.
“If I’m a CFO and if the cost of my cyber coverages are going to be doubling every four years, then I have to do something to take that pressure off my balance sheet and the captive if treated as a medium to long term strategic risk financing tool does in fact have a role to play in perhaps smoothing the impact on the CFOs P&L.”
As in many a hard market, grumbling over prices and term limits has led to talk of captive formations to manage cyber risks.
“We’re starting to see some of that chatter result in new business,” said Dan Petterson, director of examinations for the captive division of the State of Vermont’s Department of Financial Regulation.
Cyber Captives in Action
Previously, cyber captives have mostly been deployed by businesses which already had large captives programs.
“It was folks already with a well developed captive program now considering adding cyber,” said attorney Andrea DeField, partner at Hunton Andrews Kurth LLP, who has advised more than 15 clients on cyber captives.
“Now it’s almost flip-flopped as people who don’t have any captives are saying, ‘Maybe I need to get into captives because look what I’m going to have to pay for cyber.’”
The phenomena DeField observed is likely the result of “a classic hard market where cyber, arguably, is the hardest of those markets,” per Mario P. Vitale, CEO of Resilience Cyber Insurance Solutions. Some policy holders were seeing rate increases of upwards of 80% in 2021, Risk & Insurance® reported in February of this year.
The dynamic goes beyond rate increases, however. Underwriters are now expecting supplemental forms for ransomware exposures and other high-cost risks. They’re also scrutinizing a firm’s cybersecurity measures in order to ensure they have common safeguards, like multi-factor authentication, before writing policies.
Insureds may be turning to captives because they find these additional requirements burdensome. DeField expects the number of cyber captives she’s working on to double by next year. Petterson said that upwards 10% of the captive insurance companies domiciled in Vermont have some sort of cyber coverage built into the programs at this point.
Despite the chatter about cyber captives, not every company is ready to get in the game. Cyber captives tend to be a solution for larger companies, whose deeper pockets can allow them to self-insure their exposures.
“I’m actually not seeing an increase in businesses choosing captives or ceding their risk to captives,” Vitale said. His firm specializes in providing middle market cyber insurance solutions.
“The large accounts – those between $5 billion and $10 billion in sales – are the ones that are more likely to have captives.”
Are Captives the Right Risk Transfer Tool?
If you’re thinking of using a captive to manage some of your cyber risk exposures, scrutinizing the policy language will be a key first step.
“If you’re going to go through this whole time-intensive, labor-intensive, cost-intensive process of setting up a cyber captive, you want to take a good hard look at the language you’re using as the base cyber form and make sure it’s the best language that you can get,” DeField said.
“The nice thing about a captive is that you can tailor the coverage specific to your needs,” Petterson said.
“If you’re insuring your own risks, you learn more every year, you get better at pricing, and claims management and risk mitigation and captives just provide an opportunity to understand and control your risks at a more detailed level.”
And it’s important to scrutinize whether or not your cyber exposures are a good fit for a captive: “When you look at a captive, you’re looking at something that it intended to have little by way of volatility and should have material predictability,” Lynch said.
“The irony here is that it almost sounds counterintuitive because cyber being high in volatility , severity and high in complexity would suggest that it’s not necessarily a suitable fit for a captive. There is a role for cyber coverage within the captives however it needs to be strictly defined within a set of underwriting parameters and within the risk appetite limits of the parent company.”
If you decide to take your cyber exposures into a captive, it’s important to start as soon as possible because the process of setting up a captive can be taxing.
Businesses need to ensure they understand all of the regulatory and tax requirements that come with forming a captive and they’ll need to make sure they have the best possible policy language for their needs.
Companies will likely need to work with a captive manager, and probably an actuary, to make sure their captives are financially feasible and stand up to regulatory scrutiny.
“A cyber program is going to require a pretty big capital infusion depending upon the size of the program that you’re putting together. So, if you’ve got the capital, then that’s great,” Petterson said.
“We’d look at, for any coverage being proposed for a captive, does this line make sense for the captive? Is it feasible? Does it support the overall cyber strategy of the parent? Does the line appear to be appropriately priced?”
DeField says she recommends clients interested in forming a captive to manage cyber risk start six months to a year in advance.
“A mistake people make is they’re like, ‘Oh, well we’re just going to do a cyber captive,’ and they don’t realize the time and energy it’s going to take to do so,” she said.
“It’s likely going to be well worth all that time and energy, but you’re going to need to start early. So maybe it’s a one year plan where you renew with your commercial cyber insurer now and you start working on setting up the captive for next year.”