Advantage Insurance Management
Captives can solve the ever-evolving problem of cyber risk
Simon Kilpatrick of Advantage Insurance Management argues that although cyber risks can be severe, they can be solved by using a captive.
The past 20 years have seen the cyber risks faced by businesses grow exponentially in terms of their complexity, sophistication, and cost. While the commercial insurance market has reacted to these changes, it has done so relatively slowly. This has allowed captive insurance to flourish as a solution to financing cyber risk.
Initially cyber damages were a result of becoming infected with a simple computer virus such as a denial-of-service attack spread by a malicious hacker. The cost to remedy such a breach was often the purchase of some antivirus software and a lost day or two of operations. Cyber criminals then began to target businesses’ customer data such as credit card information, usernames, and passwords. This stolen data was then auctioned off on the dark web.
Businesses that fell victim to data breaches incurred significant costs as they typically had to cover any damages as well as the costs of providing credit monitoring services for the affected customers.
As data theft crimes proliferated, the data became a less valuable commodity and the focus of cyber criminals once again shifted. They began to develop increasingly sophisticated methods to target businesses directly. Today, attackers can target a business by directly fooling an employee into performing a transaction or downloading a malicious file.
Attacks can also come indirectly by compromising a supply chain partner or breaching a cloud-based service platform. These attacks continue to evolve and increase in frequency and the cost of breaches continues to increase. According to the 2022 IBM Cost of a Data Breach Report, the average cost of a breach was $4.35 million globally, while the average cost of a breach in the US was $9.44 million.
As businesses became aware of these increasing cyber threats, they naturally looked to the insurance market for coverage. Commercial cyber insurance policies started to become common in the US market in the early 2000s. The early policies primarily covered computer virus claims and the basic costs to cure a data breach, but they excluded many of the risks associated with cyber breaches such as regulatory claims, fines and penalties and business interruption.
Pricing of cyber policies was high and inconsistent. As carriers did not yet have the historical data to refine their pricing, they erred on the side of caution with higher rates.
When faced with a new line of risk, such as cyber, commercial carriers provide competing coverage products and try to improve their offerings as they gain increased understanding of the market. Initially premiums are set higher due to the lack of loss history and underwriting data and coverages are often basic with low limits and some key exposures excluded. Over time, the carriers develop their loss history and market data which helps them incrementally adjust their pricing, underwriting standards and coverages.
The problem is that, while the coverage changes happen as fast as the carriers can make them, they need time to analyse the broad market trends, design new forms and make all the required regulatory filings. For many business owners the changes happen far too slowly to be useful.
A fast-moving scene
Business owners with in-depth understanding of their specific needs and better-than-average loss control practices are often offered sub-optimal coverage at too high a price. This disconnect between the commercial carriers and their customers is further exacerbated when the line of risk they are trying to insure is itself evolving at an increasing rate. Often when faced with a sudden change in the risk landscape the commercial carrier’s only option is to narrow coverage terms or exclude a new risk entirely until it can be understood.
A captive insurance company is well placed to solve the problem of insuring a rapidly evolving risk. Captives operate in a legal and regulatory environment far more conducive to innovation and change than traditional carriers. A captive can collect loss history and underwriting data on its insured(s) far more easily than a carrier can collect market data. The captive can then price the specific risks of its insureds rather than the generic risks of the broad market.
The result is tailor-made coverage often priced lower than an ill-fitting commercial policy. As the risks faced by a captive owner change, it is usually possible to price any additional coverage required, and modify the captive’s business plan, in a matter of weeks or months, rather than years.
Captives have been used to cover cyber risks since the beginning. In addition to providing the coverage outright, they often provide complementary coverage to traditional policies such as exclusion buyback or deductible reimbursement. They can also take layers of risk in combination with primary carriers and reinsurers to provide additional capacity and allow for a complete coverage solution. Captives will often cover an emerging risk until the commercial market “catches up” and offers meaningful coverage at an attractive price.
The commercial cyber market has come a long way in the last 20 years, and it could be argued that cyber is no longer an emerging risk. There is an understanding that the chance of a cyber attack, and the cost of such an attack if it occurs, can both be greatly reduced if the business targeted has strong cybersecurity measures in place.
Carriers have become far more sophisticated in evaluating a potential insured’s cyber risks. Today it is not unusual for carriers to conduct a detailed analysis of a potential insured’s cybersecurity defences, security policies, incident response plans and employee training practices. Carriers will often offer discounts if policyholders permit the carrier to conduct vulnerability assessments and provide additional training. These are all positive steps towards pricing risks more accurately on a per-insured basis much as the captives industry has been doing. However, it seems the game has changed and these measures are still one step behind.
It is no longer optimal to conduct an annual cybersecurity assessment; things need to happen in real time. Today, cybersecurity firms offer businesses the chance to use cutting-edge cyber defence strategies including the use of artificial intelligence and machine learning algorithms to identify vulnerabilities and predict future attacks. These strategies are often necessary because attackers are using similar technology against them, probing the business for weak spots.
An optimal insurance strategy would be one that can adapt to coverage needs just as quickly. As captives have historically been able to adjust their underwriting and pricing criteria far faster than the traditional carriers, it stands to reason a captive solution would be the best solution. The one drawback is that cutting-edge technology is expensive. While larger companies are already able to adopt these measures, many small to mid-sized businesses will not be able to develop a fully bespoke solution. The captive industry’s response to this problem will be to aggregate these smaller insureds to allow them to combine resources to access the technologies.
As a result, we expect to see continued growth in both group captives and specialised programmes that are linked to top quality cybersecurity providers.
Simon Kilpatrick is president of Advantage Insurance Management. He can be contacted at: s.kilpatrick@aihusa.com