// . //  Insights //  Cyber Risk And Captive Considerations

By James Coyle, Adrienne Harrell, and Jeff Trichon

With cyber insurance premiums more than doubling for many clients in 2021 and many insurers looking to restrict coverage provided by cyber policies, we are seeing an increasing number of clients considering insuring their cyber risk through their captive.

The questions we are most often asked are:

  1. How can I set an appropriate captive premium for cyber risk given commercial rates are so volatile?

  2. What is the capital impact on the captive of insuring cyber risk?

While the setting of cyber insurance premiums is often informed by commercial insurance rates, given recent volatility a better approach might be to take a long-term view. Using actuarial models to forecast losses results in a technical price that is appropriate to pay claims and build up capital and can be defended externally. Furthermore, this approach provides a captive’s parent with the stability and certainty of premium and is not subject to market swings.

Understanding the risk to the captive in adverse scenarios (rather than at the average level) is also critical to ensuring the captive is appropriately capitalized. A key benefit of a multi-line captive insurer is the diversification of risk and putting cyber risk through a captive is an example of this. The diversification benefit is best captured with stochastic models of each risk both individually and in aggregate.

The output of our models help our clients manage the level of capital needed to ensure the captive remains solvent to a specified probability. In these uncertain and changing times, robust analytics are an essential tool for captive managers to help strategize for the future. Captives have historically served an important role in ensuring both the affordability and ongoing availability of vital insurance coverages. Using actuarial models to forecast cyber losses can help develop a technical price that is appropriate and defensible. However, given the low frequency, high severity nature of the risk, it is important for captive managers to understand the increased level of risk and capital implications when contemplating bringing cyber exposures into the captive. Understanding the potential losses in adverse scenarios, not just at the average annual cost, is critical to maintaining the ongoing viability of the captive.

For companies considering insuring cyber risk through their captive, having robust analytics is critical to implementing this strategic decision and ensuring the long-term viability of the captive organization.