The role of captives in managing cyber risk

The threat of a cyberattack ranks at or near the top of most risk managers’ lists of concerns. Managing and mitigating a company’s exposure to a cyber event is a critical part of the overall risk programme. Cyber is an evolving, volatile risk. Steven Bauman, head of the global programmes and captive practice in North America at AXA XL, explains why now could be the time to start writing cyber risk in captives.

Why are risk managers starting to include, or considering writing, cyber risk in their captives?
Captives have proved themselves to be very well suited to handling stable, non-volatile risks. But in recent years, more and more captive owners have started to explore placing more volatile, or emerging, risks in their captives too. And cyber is one such risk.

There are several important benefits to writing cyber within a captive.

Firstly, using a captive enables parent companies to cost-effectively plan for and fund cyber risk. Given that most companies are likely to experience a cyber event at some point, it makes sense to have funds set aside to cover costs arising from an attack.

In addition, managing cyber risks – which are ever-evolving – within a captive can allow the risk manager to monitor the risk and to capture, and analyse, data on the company’s vulnerabilities. It also enables the risk manager to keep track of the global costs, both indirect and direct, of cyberattacks on the company.

How can this help the management of cyber risk?
Using a captive to help manage cyber risk can give a risk manager a much better understanding of the company’s cyber risk profile on an international level. Having better data and a deeper understanding of the cyber threat can enable risk managers to align their cyber risk management with the company’s overall risk profile and appetite.

Risk managers can structure policies to suit their company’s specific requirements. And having centrally collated data on the lessons learned from cyber events can help the risk manager to identify how and where cyber defences need to be improved. This will help risk managers not only to reduce the likelihood of potential attacks but also to enable a swift, effective response should an event occur.

How does writing cyber in a captive enable risk managers to benefit from diversification?
Today’s captives are likely to employ a strategy of risk diversification. Cyber is more than likely to be uncorrelated with other risks in the captive, making it a nice fit.

Assuming cyber risk into the captive may also yield higher premiums for the captive; with so many experts saying it is a matter of ‘when, not if’ a cyber event will hit a company, losses not covered by a captive programme or by ‘traditional’ insurance policies will be a direct – and unwelcome – hit to the corporate balance sheet. Diversifying to include cyber within the captive helps the company better prepare for the costs of an event.

In addition, many captives have now reached a certain level of maturity. They have proved their worth and gained the confidence of senior management over time. They also may have substantial capital and surplus and be keen to take on potential volatility.

What should risk managers consider if they intend to start writing cyber in a captive?
Risk managers should talk to their captive domicile’s regulator and ensure that they keep up to date with any regulatory changes – local and global – that might affect cyber coverage.

It is also important to work collaboratively with fronting and reinsurance partners – to tap their expertise to shape the captive underwriting. A multiline programme supported by structured reinsurance can help the captive to mitigate the impact of any unexpectedly large losses.

By creating a sharing programme with fronting and reinsurance partners, captive owners can share their risks and rewards. This helps to build better long-term partnerships.

Contributed by Steven Bauman, head of the global programmes and captive practice in North America at AXA XL