The number of cyber incidents reported by firms outside the United States and Europe has grown considerably over the past two years. Companies are becoming more interested in seeking the most efficient ways to protect themselves from cyber risk, especially considering new data protection regulations, like the European Union General Data Protection Regulation, which places stringent requirements on personal data.
On the supply side, insurance coverage for cyber risk is not available for all industries, and there are material gaps in coverage where available despite the fast growth of premiums and high reported profitability of cyber risk insurance carriers.
Premiums for cyber insurance are expected to continue to grow, but the market for cyber insurance is quite concentrated. Many insurers are lukewarm or hesitant to provide coverage, including in developing markets like China. Insurance offerings seem to be lagging behind the ever evolving needs for cyber coverage.
Could captives be an attractive alternative for companies, supplementing and substituting for commercial and/or reinsurance?
Rather than transferring cyber risks to the traditional insurance market, a company could consider a captive as a platform to better manage risks, potentially resulting in ancillary risk management benefits across the insurance operations. Captives will face the same challenges as traditional insurers in developing well-defined insurance coverage and sound premium rates due to the constantly changing nature of cyber risks. But both coverage and premium rating become less serious considerations for captives given that they retain cash flows within their own ecosystems.
Captives have more incentives to implement procedures to improve the cyber risk management environment, both pre-loss and post-loss. Cyber risk management via a captive could more easily be advanced to board level rather than being a pure information technology (IT) function. And captive owners are also more likely to make strategic investments to improve the cyber security for the long term.