The Bermuda captive market is likely to see an increased interest in cyber insurance as captives continue to demonstrate their value to companies in managing cyber risk exposure, according to a new report by the Bermuda Monetary Authority (BMA).
The 2021 Bermuda Cyber Underwriting Report analyses cyber underwriting information based on annual filings by commercial insurers and reinsurers, groups and captive insurers to determine key statistics, findings and general recommendations for the industry on cyber underwriting.
The report highlights that the COVID-19 pandemic exacerbated the increasing interest and concerns around cyber risk, as well as the need for a robust cyber insurance market.
In this context, cyber threat actors exploited inherent cybersecurity weaknesses in remote working environments across business sectors. These vulnerabilities were accentuated by the rising demand for digitisation and higher levels of interdependence between organisations driven by globalisation.
These factors have resulted in rising demand for cyber coverage, prompting the insurance industry to improve its cyber underwriting practices.
Although cyber remains a small part of the overall Bermuda insurance market, it has grown steadily as a separate line of business, with gross cyber exposures rising from US$209 billion to US$223 billion over the past 12 months and net exposures increasing from US$70 billion to US$110 billion.
The BMA notes a steady increase in direct policies compared to reinsurance and package policies, although the latter are still used to manage overall cyber exposure.
In addition, cyber losses and loss ratios continue to rise, as might be expected in an evolving market. The report identifies that the increase in total incurred losses came from direct policies, consistent with the growth in premium, data breach, ransomware attack and network interruption.
Looking at captive insurance specifically, the report notes 24 captive insurers writing affirmative cyber coverage, compared to 20 the previous year.
Of total premium written across the Bermuda captive market, 68 per cent is written directly by the insurers, with the remaining 32 per cent written on a reinsurance basis.
The report notes: “Bermuda captives continue to serve their purpose as a risk management tool for companies seeking to manage their own cyber risk exposures, as evidenced by the significant increase in the cyber gross premiums written along with the increase in the number of captives writing cyber risk.
“The Bermuda captive market remains steady and versatile, accommodating both the new captive formations writing cyber-related exposures and the expansion of current captives adding cyber exposures or increasing premiums in existing cyber policies.”
As part of the information-gathering process to generate the report, insurers submitted cyber underwriting stress scenario tests, as derived from their own worst-case scenario analyses, to the BMA.
On analysing data from this stress testing and scenario analysis, the BMA notes continued resilience of the market collectively, measured by the net impact to the insurer’s capital levels post-cyber stress scenario.
Other trends identified through self-assessment analysis include increased efforts to move from non-affirmative and package policies to explicit standalone cyber policies and incorporating cyber risk exposure assessment into portfolio performance evaluation.
At a governance level, the BMA notes that, in general, insurers are establishing both clear risk appetites and risk limits for cyber risk exposures at board level, and using specific board committees to regularly review and monitor cyber risk exposure.
As well as using reinsurance or retrocession contracts to transfer risk and increase capacity, insurers are increasingly seeking support from outside the traditional rate capacity, primarily through collateralised reinsurance and insurance-linked securities-based transactions.
Solvency self-assessment disclosures indicate that some insurers should enhance their cyber risk management practices to improve their overall cyber risk management framework.
With this in mind, the BMA will provide further clarified guidelines to the market, particularly regarding management of non-affirmative cyber risk exposure, stress scenario testing and compliance with the Insurance Sector Operational Cyber Risk Code of Conduct.