BURLINGTON, Vermont – Cyber liability risks can be effectively covered through captive insurers, but organizations should scrutinize their potential exposures and the consequences of taking on such high-severity, low-frequency risks before placing them in a captive, a panel of experts said.
In addition, if organizations opt to self-insure, they should ensure they don’t lose access to ancillary services that insurers provide to cyber policyholders, they said.
Companies considering covering cyber risks via a captive should thoroughly examine their information technology infrastructure, said John O’Neil, Springfield, Massachusetts-based assistant vice president, corporate insurance risk manager, at Massachusetts Mutual Life Insurance Co.
“Sit across the desk from whoever is responsible for IT security in your company and ask them the hard questions,” he said during a session Tuesday at the Vermont Captive Insurance Association’s annual conference.
In addition, risk managers should inform their senior executives before they put cyber risks into the captive, Mr. O’Neil said.
“Make sure they know that you’re thinking about putting cyber in your captive. Don’t let them come and ask you the question, ‘Why is cyber in our captive?’ when you file the first claim,” he said.
One of the advantages of placing cyber risk in a captive is that companies can tailor their coverage, but if they are using excess insurers, the insurers need to be comfortable with the wording. If they are not, the captive owner must be aware of the exposures covered by the captive that the insurers will not follow, Mr. O’Neil said.
In addition, if the captive is used to cover a large cyber deductible, the coverage should be structured so that claims paid by the captive are counted against the retained risk to ensure excess coverage kicks in at the expected level, he said.
Captive owners should also ensure that they continue to have access to cybersecurity support, ransomware negotiators and other services that are often packaged with cyber coverage, said Kim Guerriero, Boston-based principal and consulting actuary at Milliman Inc.
“If you structure the policy in such a way, you don’t have to lose access. So, one of the ways to do that is through a large deductible policy,” she said.
Captive owners should also be prepared for potentially significant losses if they cover cyber risks, said Mike O’Malley, Dunstable, Massachusetts-based managing director at Strategic Risk Solutions Inc.
Cyber claims are unlikely to occur frequently, but when they do occur they can be large, he said.
When SRS advises captive owners on cyber risk, it runs a five-year stress test and shows them the actuarial results, he said.
“We walk through the concept of, ‘Are you ready to recapitalize the captive if you have a big event?’” he said.
