Captive owners advised to tread carefully with cyber risks
Cyber liability risks can be effectively covered through captive insurers, but organisations should scrutinise their potential exposures and the consequences of taking on such high-severity, low-frequency risks before placing them in a captive, a panel of experts in the US said.
In addition, if organisations opt to self-insure, they should check that they don’t lose access to ancillary services that insurers provide to cyber policyholders, they said.
Companies considering covering cyber risks via a captive should thoroughly examine their information technology infrastructure, said John O’Neil, assistant vice-president, corporate insurance risk manager, at Massachusetts Mutual Life Insurance.
“Sit across the desk from whoever is responsible for IT security in your company and ask them the hard questions,” he said during a session at the Vermont Captive Insurance Association’s annual conference.
In addition, risk managers should inform their senior executives before they put cyber risks into the captive, O’Neil said.
“Make sure they know that you’re thinking about putting cyber in your captive. Don’t let them come and ask you the question, ‘Why is cyber in our captive?’ when you file the first claim,” he said.
One of the advantages of placing cyber risk in a captive is that companies can tailor their coverage, but if they are using excess insurers, the insurers need to be comfortable with the wording. If they are not, the captive owner must be aware of the exposures covered by the captive that the insurers will not follow, O’Neil said.
In addition, if the captive is used to cover a large cyber deductible, the coverage should be structured so that claims paid by the captive are counted against the retained risk to ensure excess coverage kicks in at the expected level, he said.
Captive owners should also ensure that they continue to have access to cybersecurity support, ransomware negotiators and other services that are often packaged with cyber coverage, said Kim Guerriero, principal and consulting actuary at Milliman.
“If you structure the policy in such a way, you don’t have to lose access. So one of the ways to do that is through a large deductible policy,” she said.
Captive owners should also be prepared for potentially significant losses if they cover cyber risks, said Mike O’Malley, managing director at Strategic Risk Solutions (SRS).
Cyber claims are unlikely to occur frequently, but when they do occur they can be large, he said.
When SRS advises captive owners on cyber risk, it runs a five-year stress test and shows them the actuarial results, he said.
“We walk through the concept of, ‘Are you ready to recapitalise the captive if you have a big event?’” he said.
This article first appeared on our sister website Business Insurance. For further news from Business Insurance, please click here.