Cyber has fast become a risk at the top of the agenda for captive owners and prospective owners alike. As the hard market leads more and more to investigate the feasibility of introducing varying levels of cyber risk to a new or existing captive, Captive Review spoke to Kim Guerriero, principal and consulting actuary at Milliman, about the strategies and challenges risk professionals should be considering before deciding to retain their own cyber risk
Captive Review (CR): Commentary in the market suggests rate rises in cyber are stabilising after a couple of years of 100%+. Does this stabilisation make cyber more or less appealing to captive owners thinking of insuring this risk through a captive, and if so, why?
Kim Guerriero (KG): While rates are stabilising or possibly even decreasing in some industries, they likely aren’t going to decrease to the levels they were pre-2021. In addition, the market mandated significantly higher retentions in the last couple of renewals, and the higher retentions are here to stay.
Funding cyber through a captive, whether it be a primary layer or an excess layer, is still an attractive option so long as it makes sense for the business.
CR: What have been the challenges in writing cyber in a captive historically? How can these challenges be overcome?
KG: In many organisations, the risk management department and the IT department may not have worked together closely in the past. To write cyber in the captive, the risk manager needs to work with the chief information officer (CIO) or the chief information security officer (CISO) to better understand the IT systems and the vulnerabilities the company faces when it comes to cyber threats.
CR: What is the best approach to writing cyber in a captive to protect against a catastrophic loss?
KG: The best approach will depend on the needs of the company and the specific insurance market it faces. One company may have a high cyber deductible that it wants to fund through the captive. Another may have a missing layer in its cyber excess tower. A third may have difficulty getting coverage for a certain type of cyber attack and wants to write a difference in conditions policy.
CR: Is it now more feasible than ever before for captive clients with no/minimal loss history in cyber to write this risk in a captive? How much cyber exposure can these clients take on?
KG: The more risk managers and IT departments work together to understand the cyber threats the company faces, the more feasible it will be for companies to put cyber into their captives. Again, it depends on the captive as to how much risk it can take on.
The challenge with cyber is that it’s different from many captive coverages. It’s a low frequency, high severity coverage and claims tend to pay out quickly.
Questions to ask are: Can the captive fund a full-limits claim? And, do the cash flows allow for a full-limits claim to be paid out quickly?
Captives that are more mature and have well-established surplus and reserves may be better equipped to add cyber to their portfolio. In addition, captives with several coverages that have diversity of exposure may also be better suited to add cyber.
CR: For clients with a history of substantial cyber losses that are struggling to find coverage in the commercial market, how can a captive help them? And, is it feasible for them to write this risk in a captive?
KG: For companies with substantial cyber losses, a captive can help depending on what the company’s needs are and where they are struggling to find coverage. In situations where a company is having trouble getting a certain type of cyber coverage due to its historical losses, a difference in condition policy may be helpful.
The captive can write the full cyber policy and then cede back everything to the commercial market, except for that specific coverage. Another example is the company may have fewer options in the commercial market and may be faced with taking a much higher deductible.
This is where the focus on risk management is critical. It’s imperative to have the risk management department work with the IT department to understand why these losses occurred and where money can be spent to avoid these (and other) losses in the future.
Most likely, a company that has cyber losses has identified its areas of IT vulnerabilities and has put measures in place to prevent similar losses from occurring going forward.
CR: What interest has Milliman seen in adding cyber to a captive programme in 2023? How does this interest compare to 2022 as well as prior years?
KG: Due to market conditions of higher rates, increased retentions and reduced capacity, the interest to put cyber into captives is still growing. The difference in 2023 is that the commercial market has appetite for negotiations.
The commercial market has capacity for cyber again and they are looking to take on risk. This is a change from 2021 and 2022, when a company may only have received one cyber quote from the commercial market and they were ‘informed’ what their deductible was going to be in order to obtain coverage. The newfound capacity means that a company may have more choices in 2023.
CR: Are prospective captive owners turning to captives for the first time owing to the challenges in the commercial cyber market? And, can cyber be written as the only risk in a captive or should first-time captive owners look to support cyber with other risks?
KG: General interest in captives is still growing. Cyber has been considered in most feasibility studies we worked on in the past couple of years, which is different from even just five years ago when cyber was rarely included in the basket of coverages. However, that doesn’t always translate to it being written by new captives at the outset.
CR: How problematic is the lack of known loss data on cyber for captive owners thinking of writing it in a captive, and how can captives overcome this?
KG: The lack of company-specific data is a challenge. The good news is actuaries have the necessary tools and access to industry data to help captives price cyber. Using rate filings for commercial carriers, actuaries can price cyber for the requested layer, whether it be a primary layer or an excess layer.
Actuaries can also help with quota shares, difference in condition policies, or including an aggregate limit on the policy to limit the risk the captive is taking on.
CR: What are the common pitfalls with writing cyber into a captive and how does Milliman help clients avoid these?
KG: Risk mitigation is important to any successful insurance programme. With cyber, there is the added feature of working with the IT department to understand all the cyber-related risks and vulnerabilities of an organisation. Some industries tend to be riskier than others, like healthcare and higher education due to the decentralised nature of the IT security.
Fast-growing organisations may have more cyber vulnerabilities if they are still developing strategies and determining appropriate resources for IT infrastructure.
Taking the time to understand the cyber-related risks of an organisation and its risk tolerance can go a long way to making it feasible to finance cyber risk through a captive.
Whenever forming a captive or taking on new risk, it’s important to work with your strategic partners to ensure the viability of the new business venture, including working with your actuaries to help you price and reserve for such new coverages.