This article was first published by Marsh here.
When insurance markets become challenging, as has been the case for several years in the cyber market, risk retention vehicles can help our clients manage their total cost of risk. Increasingly, clients are using existing captives and cells, or establishing new ones, as an integral component of their cyber risk management and insurance strategy.Sarah Stephens, International Head of Cyber, Marsh
Over the past few years, cyber insurance pricing experienced some of the highest increases of any product line, peaking at 133% in the US in December 2021. Fortunately, cyber pricing increases have steadily moderated since, with global cyber pricing rising by 28% in the fourth quarter of 2022, compared to 53% in the prior quarter.
As pricing rose and terms and conditions became less favorable for most organizations, many began to explore alternatives to the commercial insurance market, including using captive insurance. The number of Marsh managed captives writing cyber coverage increased by 13% in 2021, and by 127% over the past five years. Primarily the growth comes in the form of single-parent captives and cells. In fact, between 2020 and 2021, 40% of new cell structures managed by Marsh wrote cyber coverage. Marsh now has more than $70 million in cyber premium under management.
The healthcare industry shows the highest use of captives for cyber risk, with 19% of the industry’s captives writing it. Other industries showing increased captive utilization are financial institutions, retail/wholesale, manufacturing, and construction.
Using a captive to access cyber capacity
A business that sought cyber insurance in the commercial marketplace discovered the coverage it needed was difficult to obtain, as insurers had reduced capacity and raised deductibles. Facing higher costs to buy less cyber coverage than previously, the business turned to a cell.
The business opted to retain and self-fund both its program’s working layer and top layer via a cell in order to obtain the amount of cyber coverage it needed. This strategy enabled the business to buy more affordable commercial insurance for the middle layers, while ensuring an adequate amount of protection for its exposure. Use of the cell also provided a cushion to the business from future changes in insurance market conditions.
So why use a captive to insure cyber risk?
While it’s not a silver bullet, using a captive insurer provides organizations with flexibility and options for their cyber risk management strategy. For example, having cyber coverage in a captive allows them to pivot during or prior to a renewal in three key areas:
Cost
Helps reduce the total cost of risk by retaining an amount of cyber risk in the captive or protected cell. This reduces the reliance on third parties and captures costs and profits that are otherwise “leaked” to insurers. A captive can also be used to lower the cost of cyber liability by obtaining a high deductible cyber policy on the commercial market and “buying down” that deductible.
Capacity
Creates extra capacity from the captive or cell that may be challenging to find in the traditional insurance market. Also, the captive can provide access to international reinsurers and specialty insurers, which potentially can introduce new capacity, greater competition, and better pricing for cyber risks that are costly to insure or are not typically covered.
Captives used to manage cyber risk in excess and primary layers
Many organizations that use a captive as part of their cyber risk management do so in the excess layers. Not only can they potentially fund a larger retention, but putting the excess layer into a captive can make the primary coverage more attractive to commercial insurers. Captives are proven to work on retention layers ranging from US$250,000 to US$200 million, according to Marsh proprietary benchmarking data.
If the primary layer is funded through a captive, commercial insurers in the excess layer(s) will scrutinize the terms and conditions they are following and will want to make sure that the captive’s financials are acceptable. You can also expect them to take a hard look at any third-party administrator (TPA) or claims adjustor that the captive uses.
In either case, excess or primary, a captive can be used to set aside funding for areas in which cyber losses are anticipated.
The captive may also be able to access terms and conditions for additional coverages that the commercial markets may look to exclude, such as ransomware events.
A business faced both large premium increases and a decreasing limit year-on-year despite never having submitted a cyber claim.
The business felt the increases, although market-wide, were unjustified for their program based on a 0% loss ratio. Through its existing captive, the company had built a strong surplus. Having a high risk appetite coupled with a desire to increase control of their coverage and cost, it decided to write cyber coverage in its entirety directly from their captive. With strong cyber risk management in place, the company believed it could significantly reduce costs over time by retaining this risk, while simultaneously diversifying the portfolio of risks retained by its captive.
Conclusion
The ongoing changes in technology and digitization combined with the ability of cyber bad actors to keep pace means that cyber risk can be expected to be volatile for the foreseeable future. Using a captive insurer or cell as part of your cyber risk finance strategy can help set a steady course no matter the commercial market conditions.
For more information about using captives for cyber or other risks, contact your Marsh representative.