Cyber risks have been confounding insurers and policyholders alike as those risks have evolved and expanded in recent years. Indeed, the risks have effectively outgrown the confines of standard commercial insurance coverage, and numerous insurers have developed new products, creating a market for cyber-specific coverages and policies. While predictions about growth in this market have generally been bullish, there are some signs it may be flattening. One recent survey notes only a slight uptick in take-up rate, rising from 24% in a prior survey to 25% in its most recent survey, of companies purchasing cyber-specific coverages.
Reluctance to enter this market may be driven in some part by the fact that premiums for these cyber-specific policies are relatively expensive and rising due to the numerous high profile data breach cases in the spotlight in recent years. And even in the more manuscripted arena of cyber coverage, one size does not necessarily fit all. Some companies’ risks may be too unique for a commercial insurer to appropriately underwrite and price. As one recent survey found, “[f]or almost half of the companies that have cyber and data privacy insurance, the biggest challenges they faced when purchasing the coverage was finding a policy to adequately fit their company’s needs (47 percent) or the cost (42 percent).” And for many companies, self-insuring may also be cost-prohibitive.
The benefits of insuring with captives
One option that can address some of these issues is insuring through a captive insurer. Captive insurers are insurance companies created as subsidiaries to act as the insurer for the corporate parent (or group of affiliates) exclusively. In many ways captives operate like an ordinary commercial insurer, writing policies, charging premiums, adjusting claims, etc. But there are important differences that can make them more attractive to companies with unique insurance needs, such as those with unique cyber risks. As one industry commentator noted:
Given some of the confusion in the insurance market and the complexity of the risks, the benefits of retaining those risks via a captive and thereby gaining a better understanding of the losses and expenses, having greater risk oversight, and potentially reducing the overall cost of risk may be very appealing. A captive can be a useful tool to retain risk within the burn layer and also assume broader cover not available in the traditional risk transfer market.
Nuno Antunes, et al “Addressing Cyber Risks with a Captive Solution.”
While many associate captives with large corporations that can afford to fund the necessary insurance operations and reserves, smaller companies have increasingly formed so-called “micro-captives” (captives that collect less than $1.2 million annually in premiums, as designated by current applicable IRS regulations, although that threshold is slated to nearly double in 2017, to $2.2 million).
There are a number of benefits to insuring with captives generally, such as greater control over coverage terms, better understanding of the insured’s risks, and greater flexibility . Captives are customizable in other ways as well, that may favorably impact pricing. Captives also provide a means of direct access to the reinsurance market. And there may also be tax benefits to using captives, including deductions of premiums paid by the insured and of unearned premiums received by the captive. Despite these benefits, companies do not yet appear to be tapping the captive market for their cyber insurance needs.
Where are the Cyber Captives?
Just a few years ago, as the cyber insurance market was still in its more formative stages, captives were seen as a possible, though largely untested option, to covering cyber liability. A reportedly small number of companies chose to insure cyber liability through captives at that time. But that small number does not appear to have increased substantially, if at all, as recent reporting indicates that only about 8% of companies are underwriting cyber through a captive. Id. at 107. And if that figure reflects any growth, it may be due simply to the modest growth in the use of captives generally over the last few years. However, and notably, that same survey indicates that the percentage of survey respondents that expect to insure cyber through a captive in the next five years is 23%, a substantial 15% jump. Id. Thus, while the use of captives for cyber remains relatively low at present, it may very well become a substantial contributor to the growth of premiums in the captive market.
Why Insuring Cyber Exposure Through a Captive May Make Sense
For many of the same reasons that insuring through captives generally makes sense, it may be a particularly helpful strategy for insuring cyber exposure, at least for some companies.
Despite the fact that well-publicized data breaches are driving demand, the expected tsunami of data breach class actions has not yet materialized. As revealed, for example, in Carlton Fields’ 2016 Class Action Survey, reported data privacy class actions ticked up only slightly from 2014 to 2015, representing 4.2% and 4.8% of those years’ respective class actions, and are still dwarfed by consumer fraud and labor and employment, each of which comprise nearly a quarter of all class actions (though, notably, the same survey respondents expect data privacy/security class actions to rise dramatically in the future). But companies are paying premiums for cyber coverages that reflect an expectation that these types of class actions will increase significantly, a prudent bet, no doubt, but an expensive one for the policyholder.
However, while data privacy class actions get the headlines and drive up fear of large scale data breaches, and correspondingly drive up premium charges for cyber coverage, many companies face different types of cyber threats, with different types of exposures. For example, one emerging risk which is only recently gaining public attention, is a “ransomware” attack. These attacks do not seek to obtain or exploit private data for personal gain, but rather simply shut a user out of a network, or disable the network altogether, so that the user has no choice but to pay a ransom to get the system back up and running. Indeed, the very nature of these attacks hampers access to data about the claims experience, as these claims often go unreported. While some companies have recently disclosed ransomware attacks as a means expose and prevent future such attacks, many companies choose to simply quietly pay these ransoms to continue their operations with the least amount of disruption possible.
Another example is the theft of trade secrets and intellectual property by governmental actors and competitors. One recently discovered method involves targeting law firms working on sensitive transactional matters, such as mergers. As one commentator recently noted, “[l]arge law firms are now being targeted by [hackers] particularly during M&A discussions, where the legal firm and the negotiating parties typically open their systems to each other whilst transmitting vast amounts of confidential data to one another over the Internet.”
So depending on the industry, the cyber exposure may differ markedly, and standard cyber coverage currently available may not be the best fit for players in such diverse industries as health care, legal, energy, technology, and finance, each of which may have unique exposures, and some of which may be valued quite differently.
Another way that cyber coverage may be customized through the use of a captive is the underwriting of “occurrence” versus “claims made” coverage. The cyber-liability products currently available on the market are typically written on a claims made basis. This means that only claims made against the insured during the policy period are covered. This allows insurers to underwrite with greater precision, since they do not need to account for so-called “long tail” exposures such as asbestos or environmental pollution that may occur during a given policy period, but for which no claim may be made against the insured until injury manifests years, and sometimes even decades later. Occurrence-based coverage, on the other hand, potentially provides coverage for claims made long after the policy period has ended, if the underlying occurrence that led to the claim occurred during the policy period.
As one commentator noted, “[b]ecause occurrence-based coverage applies to incidents that occur during the policy period, there is generally a longer time horizon for claim reporting and payment, allowing for a build-up of captive reserves. Some companies would simply prefer to retain the premium dollars for this relatively new coverage area in a captive rather than pay a commercial insurer.”
Does this make sense, however, for cyber exposures? It of course depends on the type of exposure at issue. But one can imagine scenarios where cyber claims may not arise until well after the underlying event that causes them. Most companies are not even aware they have been hacked. Indeed, the Director of the FBI noted that “[t]here are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.” Thus, depending on a company’s unique exposures, and whether they may be more or less prone to longer tail type claims, it may make more or less sense to write occurrence-based coverage through a captive.
Access to the Reinsurance Market
Another important benefit to insuring through a captive generally is direct access to the reinsurance market, which is a wholesale, international market through which insurers can hedge their own risks for potentially catastrophic losses that would challenge reserves. Direct access to reinsurance may therefore be especially apt for cyber exposure given the uncertainties that still surround underwriting, and in particular predictive valuation of the still undeveloped claims experience and the possibility of a catastrophic liability. There may be cost-savings, insofar as reinsurance can be obtained at a lower cost for a captive as it cuts out intermediary commissions and fees.
Another highly motivating factor for forming a captive is cost-savings. And that is an especially motivating factor when it comes to cyber coverage, which, as discussed above, is growing increasingly expensive in terms of premium costs.
As discussed above, there may be tax benefits to using a captive. However, any company considering entering the micro-captive captive should carefully consider the nature of the risk-shifting and risk-distribution, as the IRS has increasingly been scrutinizing micro-captives to ensure they are acting as true insurers, and not tax-avoidance vehicles. However, assuming an appropriate risk-shifting/distribution model, qualified micro captives have the added benefit of no taxation on premium income, even earned premium. They are taxed only on investment income.
But there may also be hidden costs beyond simply premium dollars that could potentially be avoided through use of a captive. One example is the cost to a company to simply gain access to the commercial cyber coverage market. Underwriters in the commercial cyber market are increasingly employing standards that must be met in order to access coverage. But these standards may be more or less applicable to any particular insured, and by using a captive, an insured may have greater flexibility regarding underwriting standards, and the concomitant costs.
The combined potential tax savings, premium savings, and underwriting savings may or may not outweigh the burdens of forming and operating a captive, including third party management costs, which are typical for micro-captives without the necessary expertise to operate an insurer. But there are enough possible cost-saving variables that companies frustrated with the commercial cyber insurance market may find worthwhile to investigate.