CYBER RISK: A CAPTIVE APPROACH
Smaller businesses—not just large corporate entities—can reap the benefits
By Michael J. Moody, MBA, ARM
Emerging risks have always been a challenge for the property and casualty insurance industry. Staying out in front of these new and evolving risks has proved problematic in the past. Take cyber risk as a case in point. Among the many difficult challenges are the lack of consistent coverage and credible loss data.
The need for quality cyber coverage is obvious. Steven Bauman, global programs and captive regional director in North America for AXA XL, confidently asserts that “at this point, it is not a question of if a company will encounter a cyber loss, but rather when they will have one.”
Headlines in national business and insurance publications continue to trace the increasing occurrence of cyber losses. Usually it’s the larger corporations that dominate the news. Among recent events have been hacks of Facebook (where 540 million records were affected), Capital One, State Farm, Target, LabCorp/Quest and DoorDash, a relative newcomer to e-commerce where a hack exposed nearly 5 million records.
As we know, cyber-related incidents and losses are not limited to large corporations. Hackers have found out just how easy it can be to penetrate small to mid-sized businesses.
Today, although cyber issues continue to evolve, it’s probably safe to say that cyber is no longer strictly an emerging risk. At the same time, it cannot be described as a mature market. And therein lies a challenge. The uniqueness and fluidity of the exposure make it difficult to plan for changes in the loss matrix.
One way to address cyber market challenges is to form a single-parent captive (SPC). This mechanism can be an excellent solution for large corporations as well as smaller and mid-sized accounts. It’s a tried-and-true approach. Over the last 50 years, captive insurance has become widely accepted as a valid risk financing mechanism. As Bauman points out, “Corporate risk managers, as well as their brokers, are more comfortable with captive utilization.”
Typically, a captive parent looks for risks that will offer predictable loss patterns. Because of the unpredictability of cyber losses, the parent company may not want to include these risks in an existing captive but instead will form a new captive specifically for cyber exposures.
AXA XL has been actively working in this space. The firm’s initial approach to using captive facilities for cyber exposures, Bauman notes, consists of two primary endeavors that support single-parent captives: fronting and reinsurance.
Fronting. Fronting involves the use of an admitted insurance company that issues a policy on behalf of a captive insurer. Fronting is essentially an arrangement that allows captives to comply with financial responsibility laws that require evidence of coverage.
Bauman comments: “Fronting is not required, at least not in the U.S., but around the world this could become a growing issue.” The U.S. situation may be changing after the California State Assembly introduced a bill in February that would require any business that contracts with the state, and has access to people’s personal information, to maintain cyber insurance coverage.
From a market standpoint, AXA XL’s approach considers the fact that cyber risks “cut across all industries” and apply to small companies as well as larger ones.
And smaller firms are exploring their options. Diane Toannon, president of Creative Web, a small boutique web design operation, explains, “While we are a smaller company, suffering a cyber loss could be fatal for our business.
“Our customers must have trust in us to maintain the security of their sensitive data,” Toannon adds. “Should we lose that trust, in all likelihood we would lose the customer as well.”
Toannon makes a valid point. A 2017 study by the Ponemon Institute indicates that 60% of small businesses that fall victim to a cyberattack close their doors within six months of the loss. This is a staggering statistic for small business owners.
Toannon believes a single-parent captive could be a viable option to address this critical risk. She and her broker are developing a captive feasibility study.
In addition to the fronted policy, a key issue is claims management. A comprehensive approach to handling cyber claims is critically important. Toannon observes: “Initial reactions to a claim—handling it improperly—can be fatal. Once a cyber event occurs, reputational issues can quickly arise, and by that point it may be too late to make a complete recovery.”
AXA XL, in conjunction with its cyber breach partner, Kiru Consulting, offers a number of services in addition to fronted policies: internal incident awareness campaigns; incident readiness evaluations that assess response to cyber events; and action plans that use the captive in innovative ways.
Reinsurance. The second element of AXA XL’s cyber captive program is reinsurance, which allows businesses to address the sizable and growing potential for claims. Reinsurance gives captives the ability to handle a range of high-value incidents.
It was just last year—in April 2019—that reports surfaced of 540 million or so Facebook user records being exposed. Each of these users represents a potential claim payout. Dollar amounts can add up quickly.
Initial cyber losses most commonly resulted from the hacking of customer account information. Hackers stole bank or credit card data, Social Security numbers and other personal data. These kinds of cyber events continue to occur.
A more recent trend involves ransomware, in which the hacker freezes access to data until a ransom is paid. This activity is relatively easy to accomplish and difficult to defeat. Hackers typically request payment via some form of cryptocurrency, which is not traceable. Some liken this activity to robbing the corner gas station without a gun.
Particularly vulnerable to ransomware attacks is the healthcare sector. Sensitive data on patients’ personal health is high on hackers’ lists.
Government agencies, including cities and counties, have proved to be frequent and easy-to-breach targets. Tampering with the power grid also has emerged as a cottage industry of sorts.
It’s widely accepted that captive insurers offer their owners a broad range of financial and tax benefits. With an appropriate reinsurance program, Bauman says, businesses can “put their toe in the water” while maintaining smaller retention levels. Then “businesses can step up their retention levels as the captive builds up reserves,” he adds.
The Allianz Risk Barometer 2020 report says: “Cyber risks, along with cybersecurity awareness, have rapidly grown over the last decade, fueled by companies’ increasing use and reliance on data and IT systems and the ever-evolving sophistication of hacks developed.”
The traditional admitted market is responding. Its offerings may work for many businesses and exposures, but not for every risk. Although several cyber insurance offerings are available in the commercial insurance market, many off-the-shelf products have serious shortcomings.
Policy wording can cause coverage issues. Many customer business activities require specific coverages, and it’s sometimes difficult to find one form that fits most situations. This typically leaves insureds with gaps and/or overlaps in their policies.
Also, legal issues can arise when a cyber event occurs. Court interpretations may be entirely different from what an insurer’s legal department believed when coverage was being developed.
Captives can be an excellent solution because they can be designed to meet the specific needs of a corporation. As Bauman notes, the captive is free to provide “total customization of the coverage.”
It is clear that cyber risks represent a serious and growing exposure. It also is clear that, regardless of the size of a company, a single-parent captive can provide a viable solution.
As Bauman says, “Every cyber expert I hear says it is ‘no longer if we have a loss, but rather when,’ so future growth is almost assured, since the cyber risk will continue to expand.”
Toannon’s company is one of many firms that are seeking an alternative approach as cyber risks expand. She believes that any mid-sized organization should consider a captive to handle this unique risk.
Forward-looking brokers would be wise to start a conversation with their business customers about this growing risk.
Michael J. Moody, MBA, ARM, is the retired managing director of Strategic Risk Financing, Inc. (SuRF), a firm that was established to provide consulting services to captive and other alternative risk transfer (ART) mechanisms. As a contributor, he continues to promote the benefits of the ART market by providing current, objective information about the market, the structures being used, and the players involved.