In December 2022 it was announced that Europe’s first group captive specifically designed for cyber risks would begin operating this year. David Beyon looks at how and why cyber risks are finding their way into the captive space
Cyber risks have not traditionally been associated with captive insurance vehicles.
It has increasingly become the norm for businesses to use captives as an self-insuring alternative to the insurance market, whether individual or mutually through group captives.
However, self-insurance is a scary thing without good data to support it. The risks passed to captives have tended to be high frequency but low severity. Cyber risks – fast-moving, dangerous threats – do not seem to fit the profile.
“Cyber risk is evolving quickly, which makes it a confusing area to navigate for many,” says Michelle Chia, head of professional liability and cyber at Zurich North America.
Many boards have not considered cyber risks as something for which to use their captive. Awareness of cyber risks is still patchy for many executives, while the insurance market is only just reaching maturity.
Valeria Ermakova, associate director for analytics at AM Best, says: “In the past, most captives did not offer cyber risk insurance to their parent companies, partly because cyber risk awareness was generally low, and partly because the overall cyber insurance market was too immature, which meant that captives did not have a way to benchmark their pricing and terms and conditions.”
This is why it was perhaps surprising to read that a first-of-its-kind cyber group captive (or mutual insurer) was approved by regulators in Belgium in December, to begin operating Mutual Insurance and Reinsurance for Information Systems (MIRIS) from January 2023.
“Cyber risk is probably the fastest-evolving risk the insurance market has ever needed to consider,” said Mark Pollard, MIRIS’s chief operating officer, at the mutual’s launch.
“In an industry where data and past experience shape the market response, this rapid evolution creates uncertainty, and consequently market volatility, which challenges the risk transfer objectives of the policyholders,” he added.
MIRIS will underwrite direct cyber insurance on behalf of its owner-members in European Union and European Economic Area countries. For its first two years of operation, some €25 million of capacity will be allocated to each member. This is expected to rise to €30 million in its third year.
“MIRIS is offering a net line excess of €10 million. There is no reinsurance behind this. It is all kept net by MIRIS,” Danny Van Welkenhuyzen, CEO, MIRIS, tells Captive Insurance Times. “Instead, pour capacity can be used in the members full tower or on specific layers. MIRIS does not write more than €50 million of any given layer.”
German chemical group BASF and its Belgian peer Solvay are among its founding members.
“We have currently 12 members and are aiming for a gradual increase on a year-by-year basis from companies throughout Europe. The aim is to reach 50 members by 2026,” Welkenhuyzen says.
Growing trends
AM Best’s Ermakova notes a trend toward turning to captives for cyber. “We have observed in recent years that more captive insurers have started to offer cyber insurance to their owners as the market has become more established and the need for cyber protection has increased,” she says.
Improving risk management capabilities is a prime motivation for putting cyber risks into a captive, Zurich’s Chia suggests. In the longer term, building better data can lead to stronger controls, among other benefits, she adds.
“Captives, whether single parent or group, enable companies to tap into alternative risk transfer models that best meet their risk management needs,” she says. “Cyber risk evolves quickly, and finding a solution to help increase cyber resilience is critical for companies. The use of captives can help strengthen enterprise risk management from a cyber perspective.”
At its launch, MIRIS emphasised its role in promoting and validating best practices in cyber risk protection, as well as providing risk transfer capacity to members. For instance, member companies’ chief information security officers and insurance managers will contribute to a risk control function that screens new members and shares risk management best practices.
“MIRIS is a mutual solution, which is a different approach to an individual captive. Each company contributes, so it’s about confidence between member stakeholders,” says Carlos Rodriguez Sanz, cyber product manager for Asia Pacific and Europe, AXA XL, an insurer involved in the setting up of MIRIS.
“If one company has a claim, they need to provide additional capacity, so it’s important to have the same cyber security minimum controls. For cyber risk, I don’t currently see this type of structure used elsewhere in Europe,” he adds.
Cyber insurance
There is a strong argument that captives are in a good position to offer cyber insurance to their parents, given their proximity to the policyholders, AM Best’s Ermakova emphasises.
“Captive insurers understand their owners’ operating environment, technological infrastructure and any interconnectedness within the group, and therefore should be able to tailor policies well to suit insureds’ needs, as well as to assist their owners with risk management, which could reduce reinsurance premium over the longer term,” she says.
Net limits retained by captives for cyber risks are generally low, Ermakova stresses, with this line being fronted or significantly reinsured to the external market. This suggests an important enduring role for the reinsurance market.
“Cyber is a complex line of business, and captives may not have the scale or diversification to take on such a high-risk class. This is where reinsurers may be able to assist with policy wordings or claims settlement, which can be particularly time-sensitive in terms of a need for rapid incidence response,” she says.
Cyber cover being offered by captives may include first-party: protection against business interruption. Third-party would include paying for legal defence costs, or the cost of regulatory fines and lawsuits, Ermakova adds.
“Given difficulties faced by the market in recent years with cyber reinsurance capacity and exclusions, captives can help their owners to fill any gaps in coverage, at least temporarily,” she says.
“To minimise insurance costs for the owner, and depending on the available capacity, a captive may participate in lower or higher layers of the programme, ceding less expensive middle layers into reinsurance. Similarly, a captive may be “buy-back” deductible in order to reduce overall insurance spend for the owner,” Ermakova continues.
“MIRIS aims to provide additional capacity and, in the longer term, stabilise the market for its members. That depends on the members being exceptionally well protected against the risks,” MIRIS’s Pollard says.
Rate rises
Rises in rates in the past two years, across insurance as well as reinsurance markets, have been a factor in encouraging some firms to consider captives for cyber risk. Insurers have tightened policies by limiting exposure to so-called silent cyber – cyber risks residing within policies bought for non-cyber risks – and adding exclusions to cyber policies.
“Initially, cyber insurance was significantly under-priced, as there was no sufficient claims history to base the pricing on. The growing frequency and severity of losses, beginning in 2020, has led to a hardened market and more risk-adjusted pricing, alongside reduced capacity,” says AM Best’s Ermakova.
In response to the rise in the frequency and severity of cyber claims, a number of insurers scaled back their participation in the market or moved to higher layers. Buyers have centralised buying and raised deductibles to find sufficient capacity while limiting rate increases. This has created gaps for the lower layers of coverage – taken up by the captives.
“We see more requests for the involvement of captives in cyber programmes. We see this strategy among clients to optimise retention globally, to manage price and global capacity to cover the exposure,” says Marine Charbonnier, global programmes and captives regional director for Europe at AXA XL.
“Captives are being used to fill gaps in capacity. What we are seeing is more of the first layers taken within captives. However, it is not a comfortable risk for these captives, because the captive has to price the risk, analyse it and produce a business plan to finance it in the case of claims.”
AM Best’s Ermakova notes that group captives, pooling resources and expertise, may be useful strategies against cyber threats – albeit ultimately reliant on reinsurance markets for their spikier risks.
“Bringing together capital and knowledge makes sense, especially in such a complex and fast-evolving line as cyber. At the same time, focusing just on cyber brings significant risk of volatility and accumulation of losses, given potential interdependencies, such as if several insureds use the same cloud provider, for example,” she says.
“Such structures need ways of managing these accumulations, either through strict limitations in coverage, or through significant reinsurance and retrocession protection. Additional reinsurance protection could also come from the insurance-linked securities market, given the rising interest in cyber from the capital markets,” she continues.
In the event of a catastrophic loss, discussions are taking place in the US about creating a government insurance backstop for cyber risk — similar to existing government-run structures created for terrorism, flood and natural catastrophe events.
“If implemented successfully, such backstop could allow insurers, including captives, to be more confident in accepting cyber risk and minimise the protection gap in cyber,” says AM Best’s Ermakova.
While cyber risks continue to change rapidly, insurance products will continue to mature, and capacity availability at different levels of the insurance and reinsurance markets will continue to shift.
All of which makes for an interesting albeit challenging environment for cyber risk transfer.
“Like cyber risk, cyber group captives is an evolving space,” says Zurich’s Chia. “The development of these types of solutions will enable more organisations to access cyber insurance products and cyber risk control services that meet their risk management needs. We have identified this as an area where we can help organisations strengthen their cyber resilience and will be excited to share more about our capabilities in the near future. Stay tuned!”