Frances Jones explores how captives can provide cyber coverage gaps after last year’s hard market conditions
Adding cyber coverage to a captive is a recurring and common conversation at insurance conferences. Cyber has been trending in captives for a couple of years now.
Discussion has increased as a result of last year’s hard market conditions in cyber — this was characterised by steep pricing increases and tighter terms and conditions. This left companies seeking coverage during that period with limited options.
This year, the hard market for cyber appears to have eased. Marsh’s, ‘US Cyber Purchasing Trends’ report published in May 2023, finds that cyber insurance pricing increases moderated for the fifth consecutive quarter. Its figures show cyber premiums rising 11 per cent on average in the US in the first quarter of 2023, compared to 28 per cent in the prior quarter.
Notable to this industry, the report also finds: “The number of Marsh-managed captive insurers writing cyber coverage increased 75 per cent from 2020 to 2022.” Captive insurers writing cyber coverage is reflective of Marsh clients seeking to “regain a sense of control”.
Cleo Curl, group insurance director at Landsec, explains her line of thought when considering using a captive for her group’s cyber coverage.
“The captive exists to support the strategy of the parent. At the beginning of 2022, we were looking at obtaining some cyber coverage. It was probably the worst time to be looking at cyber insurance as there wasn’t much capacity in the market. So we started to look at how we could add cyber to the captive, to help us access the markets out there and any other options such as using it for a deductible infill.”
Cyber in conception
Aon’s managing director Paul Sykes considers the stage of infancy that cyber coverage is in when considering the lifecycle of the wider insurance industry.
“Cyber is a real problem child within the industry. I think we may have gotten beyond the terrible twos, but cyber is not quite a stroppy teenager yet. It is very much a new and evolving risk.”
The rate at which captives are taking up cyber risks is reflective of its level of risk maturity — low in comparison to the volume of discussion witnessed by the industry.
Speaking at Airmic, Sykes says a large data set showed the figure of captives up-taking cyber was ‘as small as eight per cent penetration’. He makes an educated guess that that number will have risen to ‘15 per cent globally by the end of the year’.
AXA XL’s Owen Williams affirms: “It’s a frequently occurring topic, but I will say you can discuss it, but putting it into practice is a whole other story.
“Our take-up rates around putting cyber into captives have been highest in the US and Europe, and I predict it will be followed by the UK.”
Sykes concurs: “Recently, I’ve seen a real velocity of cyber uptake into captives, Guernsey have witnessed lots of strong, stable captives that have cyber in them.”
Confronting cyberattacks — in the context of the ongoing Russian invasion of Ukraine — was recently a big debate at Lloyd’s of London. War coverage requires contract certainty for coverage of state-sponsored cyber operations. Lloyd’s Tom Allebone Webb reflects on the cyber developments in the market.
“A while ago, when cyber at Lloyd’s was written as part of property, it got to a stage of maturity where we effectively had to say: ‘No, you’ve got to model it, you’ve got to price it differently and cover it under a separate policy.”
“We think that the time is right for cyber war and we’ve asked for that to be excluded from standard cyber policies and to price the model differently.”
Primary or excess?
Primary coverage in cyber liability is a type of policy that insures against cybercrime and attacks on computers, networks and data. The volume of cyber attacks led Lloyd’s of London to mandate new cyber war exclusion wording — effectively, language to manage systemic loss.
Recurring events such as ransomware attacks — where a subject’s data is held for ransom — leads most other cyber risk, alongside other technology breaches including hacking.
Excess liability is insurance coverage that is activated once the limits of your primary coverage have been exhausted. Captives writing excess cyber coverage is more typical than the former.
When evaluating the type of cyber coverage Landsec needed, Curl notes: “With the primary on cyber, we wanted to have instant access to all the technical support that we needed.
“We looked at trying to build a tower so that we found there was more capacity at the top end of the market, over US$20 million. Following that, we thought about acquiring a primary and filling it in in the middle and buying the excess layers at the top.”
Williams elaborates: “Writing primary cyber is not just about providing capacity. It’s about all the services that go with it, such as post-loss crisis management. However, I would argue that’s easily managed, you just need a fronting partner who can perform those services as part of the financing services. There’s actually no reason why that should stop captives writing primary coverage.
“A captive coming in on layers is particularly common in cyberspace. We’re seeing that cyber rates on an excess basis are starting to ease quite a lot now. Nonetheless, the primary rates are holding much firmer, this would suggest more bang for your buck in moving your captive onto the primary rather than the excess.”
Data-driven
Data is the lifeblood of insurers. As technology proliferates, the amount of data companies are amassing is only increasing.
With the rise of AI platforms, and the threat of them being used for criminal purposes, it appears that the demand for cyber insurance to protect data will only increase. There is potential for captives to provide this coverage along with it.
In the executive summary of its ‘Cyber Summit’ Lloyd’s of London predicts that the cyber market is going to treble in size from £13 billion ($16.8 billion) in 2022 to £35 billion ($45.3 billion) in 2030.
Curl says: “Is there a place for cyber captives using a captive as an incubator? Insurers are always talking about good quality data.
“You actually create your own data, then bring it out to the market. I’ve heard people using it on that basis. Once you’ve got it in your captive, you can access other markets, and that initiative might be a more attractive proposition than the traditional insurance market.”
