An in-depth analysis of the trends, challenges and predictions of the Aon’s Cyber Captive Survey 2019
Historically used as a protection or funding tool, captives are now increasingly used in the cyber risk market, according to Aon’s recently published Cyber Captive Survey for 2019, which explores how captives can provide advantages to a company’s cyber risk financing strategy.
While captives are continuing to be implemented for “traditional purposes, such as greater control of insurance programmes, cost efficiencies for premium and capital, and enhanced claims handling”, as Aidan Kelly, associate director of global risk consulting within Aon’s risk finance and captive consulting practice, identifies, “the industry is also seeing the captive being deployed as a strategic risk partner for incident response management and improved IT governance processes”.
Other motivating factors that are currently propelling companies to turn to captives to insure against cyber risk cited by the survey include increased market access, cash flow or tax optimisation, and incubation of emergent risks.
Despite this evolution of risk and technology profiles, the survey also notes that many captive owners still use a “relatively unsophisticated approach to retention, limits and premium determination”.
Some industries are more openly embracing technological advancements; Aon’s cyber captive report highlights that more traditional industries are now identifying as technology industries, led by healthcare (of which 19 percent of companies self-classified as part of the technology industry) and energy (15 percent), followed by financial institutions, catering and life sciences.
But what are the benefits of utilising a captive for cyber risk? Although broadly it allows companies to operate outside of the traditional insurance regulatory environment, captives bring multiple additional advantages to companies looking to address cyber risk. This includes the development of a wider risk management structure, better understanding of financial exposure, specific and flexible client coverage (including intangible assets such as IP losses and reputational damage), access to reinsurance capacity and pricing, and the integration of incident response capabilities with captive insurance coverages and claims protocols.
Furthermore, captives can be used as a strategic risk management tool by a company chief security officer and chief information security officer to supplement risk financing processes.
Kelly also highlights the consequences of the development of digital technologies, which has seen market insurance solutions diminish in adequacy: “Our clients are increasingly relying on integrated technology solutions and their IT infrastructure to ensure their success, competitiveness and ability to adapt to an ever-changing business environment.”
He continues: “With this reliance on technology and need for automation and innovation, the associated cyber risks are becoming more materials, and enhanced cyber security and risk mitigation and transfer are essential.”
The evolution of technology also equates to an evolution of the threat landscape. Therefore, when considering whether to utilise a captive, a company must consider whether there is awareness from a government perspective, protection from a business resilience perspective, and balance sheet protection from an insurance perspective.
Kelly explains: “Understanding these risks, and developing a plan to mitigate or transfer these exposures, will protect our clients, their revenues, their data and that of their customers and aid business recovery and continuity should an event occur.”
In response to these developments in digital technologies, the captive industry has experienced changes in the coverage offered by cyber insurance policies and captive participation, as cyber risk now affects more areas outside of crisis and liability costs.
Aon’s survey indicates that this is primarily manifested in the coverage of business interruption (seen in 63 percent of surveyed captives) and regulatory (52 percent).
The survey highlights that 41 percent of captives are incubating cyber risk. In light of this statistic, Kelly explains: “Using a captive to incubate cyber risk is an effective play for many clients, and allows them to manage their exposures while the traditional insurance market evolves and expands to better understand client needs.” Understanding of how a captive can be utilised effectively requires awareness of the integration between economic drivers, such as automation and connectivity, technology drivers, such as artificial intelligence, cloud computing and blockchain, and strategic threats, which include disruption, data confidentiality, system integrity and supply chain risks.
Furthermore, Aon’s survey demonstrates that 41 percent of its clients’ decision making regarding cyber risk is based on judgment, while only 7 percent adopt an approach motivated by data and risk analytics.
Aon provides cyber risk financing strategies concerning the implementation of captives to encourage its clients to make better use of such analytics, ranging from feasibility studies, which identify the initial formation, structure and operation of a captive, to strategic reviews, which evaluate the captive’s benchmarked financial performance, efficiency of operation, corporate governance, and opportunities for optimisation.
Kelly states: “A captive can be an important component as either a risk transfer vehicle or as a risk funding mechanism for cyber risk, but it must also be part of the overall cyber strategy for the client and provide strategic control of this risk, rather than it being a disparate part of an uncoordinated approach not involving IT and legal teams.”
Following a clear industry trend towards using captives to combat cyber risk, Aon predicts a continuation of the premium growth for cyber risks in captives, following the survey’s projection of a 263 percent increase in gross written premium (GWP) over the past year. The survey cites this surge to be a result of an increase in cyber incidents and increased capital investment in digital advancements. Further predictions project an increase in the proportion of captives retaining cyber exposure from 3 to 34 percent over the next five years.
This is expected to be attained through the integration of cyber risk into a company’s broader risk management framework to ensure a more active role of risk managers and increased availability of capacity for coverage components, as well as chief information security officers leveraging captives as a strategic tool to extract value from risk management, such as quantitative risk analysis and total cost of risk calculations.
Aon’s threefold programme is expected to galvanise an expanded use of captives.
It consists of assessment to identify and map a client’s cyber risk, quantification to construct financial models to measure the exposures from the identified cyber risk, and design of the captive to evaluate the cyber risk transfer programme and build a network of insurance coverage.
Aon’s survey concludes by stating that “digitisation, cyber security, and market factors will continue to driver greater captive utilisation”.
Optimal captive cyber GWP will be achieved through changes in both company asset value from tangible to intangible (such as intellectual property, reputation and privacy regulations, which now account for 84 percent of total commercial assets for S&P 500 companies), and in the risk landscape from physical to non-physical, to incorporate cyber risk and the vital strategic role of risk financing.