Leading European multinationals create cyber mutual to counter capacity crunch

Seven leading European multinationals from different sectors have teamed up to form a new mutual insurance company to provide badly needed cyber coverage as the commercial market fails to deliver adequate protection.

MIRIS has been incorporated in Belgium. It is applying for a licence to operate from Brussels and offer European and worldwide cyber coverage to members based in the European Union (EU) and European Economic Area (EEA).

The founding members include BASF, Airbus, Michelin and Solvay.

The plan is for the first policy to incept on 1 January 2023.

The company’s website says that during the first two years of operation, MIRIS will allocate up to €25m of capacity to each member. The mutual will operate in co-insurance with the insurance market, taking the wording and pricing from the market. The minimum attachment point for MIRIS will be €10m.

“Depending on the underwriting performance of MIRIS, the capacity granted is expected to increase to €30m in the third year,” the website says.

The details emerged the day after risk managers for both Airbus and BASF took part in a lively debate at the GVNW annual conference about the potential use of mutuals to deliver more consistent and less volatile coverage for corporations.

German risk and insurance managers in particular have felt poorly treated by the commercial insurance market during the last three to four years, as they faced dramatic price increases and dwindling capacity for key lines.

GVNW president Alexander Mahnke has consistently warned insurers that if they continue to focus on exclusions rather than innovation to help customers deal with challenging risks, such as cyber, they will become increasingly irrelevant.

The formation of MIRIS surely sends a strong warning signal to the market that their leading customers have had enough and mean business.

MIRIS will only offer cover to member firms. “Membership of MIRIS is predetermined and exclusive. It is a ‘capitalised mutual’ and membership is only granted after payment of the capital. This is different from the ‘commercial mutuals’, where the payment of premium confers membership,” it explains.

To become a member, companies will need to go through a screening process to approve their financial strength and cyber risk management capability, says MIRIS.

“The board of directors of MIRIS gathers the output of the screening process and decides whether to submit a membership application to the general meeting of all the members, who then decide whether to accept the new member,” the mutual explains.

There will be only one type of member. All members pay the initial capitalisation and participate in the general meeting, and have one vote at that meeting. “Furthermore, to ensure the continuing status as a mutual association, all members must maintain an insurance policy at all times during their membership (new members have a ‘grace period’ so that their first policy aligns with their annual policy cycle),” explains MIRIS.

It is hoped that regulatory approvals will allow the new cyber mutual to incept its first policy at the turn of this year. After that, individual members’ policies can incept at any time during the year, to reflect the annual renewal date chosen by the member.

MIRIS will be a European insurer but the founders have done their homework to ensure that it can issue coverage for worldwide cyber risks.

“MIRIS is a European insurer and can only accept members from the EU and EEA. Its licence application is for direct insurance but its Belgium domicile means it can also accept incoming reinsurance where necessary. It can cover the activities of its members worldwide (subject of course to sanction limitations), but through policies issued in Europe. It has been through a stringent anti-trust review to ensure that the members’ activities outside Europe are not in breach of local competition regulations, and steps have been taken to address issues which have arisen,” explains the new mutual insurer.

MIRIS will have a sharp focus on risk management to help ensure that the mutual works.

Chief information security officers from member companies have formed a group to screen new members. This is important because MIRIS said its success depends on maintaining an aggregate risk profile better than the wider market. The group will also share cyber risk management best practice between members to help ensure standards are maintained.

Potential members will be interested to hear how premiums are set. “Because it’s a mutual association, MIRIS collects an ‘annual contribution’ and not a premium, although in practice it works in the same way. The share of the risk taken by MIRIS will be priced at the same level as the market leader premium, but with a percentage discount,” states MIRIS.

The mutual will not pay brokerage, unless the insured member elects to include brokerage in its gross premium.

The initial plan is not to buy reinsurance so that the mutual can remain independent of the conventional market and its cyclical nature.

“The objective of MIRIS is to provide capacity irrespective of the conventional market fluctuations. The business plan has been created on the basis of no inward reinsurance, however MIRIS is free to buy reinsurance if favourable opportunities arise,” it states.

Solvency is another key factor in the success of the mutual idea. MIRIS explains it will start with “adequate” capital to comply with Solvency II, and apply a “conservative” underwriting model.

“Actuarial stress tests show a very low probability of depletion of the required capital reserves. If this were to happen, the members will be subject to ‘supplementary calls’, similar to the mechanism used by P&I clubs,” explains MIRIS.

The mutual will not pay dividends to its members because it is a not-for-profit mutual association. Its underwriting surplus will go into a reserve account, where it will accumulate and be available to underpin capacity granted to members.