Cyber liability and captives

SRS webinar examines legal and jurisdictional considerations

By Michael J. Moody, MBA, ARM

Despite the continuing soft insurance market, it appears that growth in captives continues to gain momentum. In fact, captive growth has managed to persevere through the majority of the current soft insurance market. There are, of course, a number of reasons for this; but without question, one of the most frequently noted reasons has to do with control. Many insurance buyers are growing tired of trying to manage the ebb and flow of their commercial insurance costs in an industry that still cannot properly price a product.

Early on, owning a captive insurance company was a pretty innovative approach to risk financing. Those organizations that did so were certainly in the minority of insurance buyers; but today, many buyers are aware of the advantages of captive ownership. Captive ownership is no longer considered cutting edge. At this point, the alternative risk transfer market, which is made up primarily of captives, has been estimated to be over 50% of the commercial insurance business.

Many times, early entrants into the captive movement were "forced" into a captive, either because of the limited market availability or because of poor loss experience on the part of the buyer. However, those days are gone. Most captive experts agree that the most advantageous types of accounts for captives are those with good loss experience. These are the accounts that are frequently subsidizing other insurance buyers that have poor loss experience.

Cyber risk

Recently, captive manager Strategic Risk Solutions (SRS) held a Webinar about cyber risk and captives. In structuring the Webinar, SRS segmented the topic into three areas: legal considerations, insurance market considerations, and captive insurance issues. The Webinar provided an insightful presentation with regard to the various legal and jurisdictional considerations. Special emphasis was directed at health care institutions because they have particularly complex issues to deal with regarding the sensitivity of their data.

While most people would correctly conclude that financial services operations represent the highest target industry segment for cyber issues, many would be surprised to know that health care is the second most popular target. In fact, data obtained from health care-related organizations is the most prized type of information a hacker can obtain. Not only does it provide financial data, but also health-related information.

A popular approach being used by hackers today occurs when they do not find an immediate buyer for the data. The hackers then contact the company they just hacked and sell the data back to them, in essence "blackmailing" them. This is becoming a frequently used, low-risk tactic for the hacker. The hacked company does not have to make known that the event even happened. Typically law enforcement is not called, and the company's reputation remains intact.

From the insurance coverage standpoint, cyber liability has become the "drug of choice" for the insurance industry. While many insurance carriers are fighting tooth and nail to maintain market share in commercial auto and general liability areas, cyber liability is a whole new market for them and, thus, a whole new revenue stream. As a result, the marketplace has had numerous entrants coming into it over the past few years. These new players are more than willing to provide significant competition for carriers that have already found their way here.

Competition in this market can take a number of different forms. New entrants can and frequently do offer pricing competition because, at this point, no one really has any idea what the correct price for the coverage should be. They are also providing significantly different policy forms and coverage options. As a result, coverage forms vary significantly from one company to another, and care must be taken to understand what the scope of coverage is.

For the most part, high policy limits are available. Additionally, there appears to be a large number of excess cyber liability coverage options available in the current marketplace. By and large, it appears that pricing is flat across most business segments—the exceptions to the flat pricing being financial service organizations and health care institutions. From a coverage standpoint, Lloyd's of London has been leading in innovation in this important area and continues to bring new product enhancements to the market. One of the major selling points for domestic carriers is that, frequently, there are mitigation services available to their insureds, which may not be available under a Lloyd's contract.

Coverage for cyber liability is gaining acceptance in many market segments. Again, as noted previously, the health care market represents one of the more complex areas for coverage due in large part to the confidentiality of the health-related information. From an overall experience standpoint, lost, stolen and missing laptops still represent the largest issue. To this point, federal laws have been the driving force behind this coverage. However, state laws now present major concerns, with 46 states already enacting notification laws that are stricter than federal laws and frequently in conflict with federal legislation.

Cyber liability and the captive insurance company

From an initial review of the feasibility of including cyber liability in a captive insurance company, one would find it difficult to justify. At this point in time, carriers in the marketplace are abundant and, for the most part, the exposures to cyber liability claims are quite dramatic and evolving daily. Both of those situations would typically signal a type of exposure that would not routinely be included within the captive insurance company. However, many industry experts believe that change in the cyber liability area will come quickly, resulting in wild swings in premium and coverage options. Further, cyber liability, while not a primary risk exposure for most organizations, is a key risk for almost any business operation and thus should be included as part of an overall long-term risk-financing strategy.

Under the current insurance market conditions, captive owners may consider using their current captive for deductible "buy downs" on their cyber coverage. As noted above, excess cyber liability coverage is readily available, and this may be an ideal time to establish a relationship with an excess carrier. By using excess liability coverage, business owners can custom design the primary coverage to meet their specific needs. Many times this will result in reducing the gaps in traditional market coverage.

It should be noted that cyber liability is an emerging risk and at present a moving target for most corporations. Factors to be considered include mobile devices (smartphones), employer-employee privacy issues, cloud computing, and international exposures. While traditional market carriers typically provide specialized risk mitigation services to their insureds, these are usually provided by a third-party service contactor. But it should also be noted that these services can be obtained by the captive owner on an unbundled basis.

At the end of the day, having cyber liability within an existing captive can help spread the risk, as well as provide a possible method of better deploying surpluses obtained by the captive and putting them to use by providing capacity for this exposure. Additionally, regardless of the policy selected from the conventional market, there are frequently gaps in the coverage that end up being self-insured anyway. Finally, for some insurers that are providing this coverage, their first reaction to a claim is to send out a "reservations of rights letter," casting doubts that the loss will be covered anyway. When the coverage is provided via the captive, coverage is usually not in doubt. So, while conventional wisdom may suggest that cyber liability would not make a good candidate for the captive, further review may be required. For those wishing to obtain additional information about this topic, a replay of the Webinar is available on the SRS Web site (www.strategicrisks.com/webinars.php.)

Conclusion

The recent explosion of cyber liability claims has focused attention on this important area of coverage. For the most part, many businesses are not aware of the changes that are occurring with regard to the state notification laws, or the array of coverage options available today. As such, most have never given consideration to using a captive to develop a strategic approach to this increasingly important coverage. Obviously, for agents/brokers who wish to differentiate themselves from competitors, this can provide an ideal topic to initiate a conversation with existing clients as well as prospects.