Guanjun Jiang, Milliman

The attraction of captives for cyber risk

December 5 2018

Cyber incidents affect financial performance, and the economic costs of cyber incidents are increasing quickly. These costs have serious implications for continuity of leadership, as in the case of Yahoo, and even for the sustainability of business models. The number of cyber incidents reported by firms outside of the US and Europe, including at Taiwan Semiconductor, China Ocean Shipping Company (COSCO), and the Huazhu Hotels Group, has grown considerably over the past two years.

Companies are becoming more interested in seeking the most efficient ways to protect themselves from cyber risks, particularly considering the new data protection regulations, such as the European Union General Data Protection Regulation (GDPR), which places stringent requirements on personal data.

On the supply side, insurance coverage for cyber risks is not available for all industries, and there are material gaps in coverage where available, despite the fast growth of premiums and the high reported profitability of cyber risk insurance carriers.

We believe captives are an attractive alternative for companies, supplementing and substituting for commercial insurance and/or reinsurance.

Covering cyber risks

Premiums for cyber insurance are expected to continue to grow strongly. However, the market for cyber insurance is quite concentrated, with a few leading underwriters such as AIG, Axa XL and Chubb. Many other insurers are lukewarm or hesitant to provide coverage, including in developing markets like China. Insurance offerings provided by commercial insurers appear to be lagging behind the ever-evolving needs for cyber coverage.

According to a 2016 survey of corporate insurance buyers, two major reasons for not purchasing cyber coverage are inadequate coverage options and scarcity of relevant insurance solutions.[1]

Cyber insurance was designed to cover non-physical perils and damage to intangible assets. Contingent business interruption, which covers loss of revenue when network-dependent operations stop due to cyberattacks, and physical damage, are usually not covered. Similarly, reputational risk is rarely covered by cyber insurance. Insurers also tend to offer minimal coverage for intellectual property (IP) theft and damage from industrial espionage.

When insurance coverage is available, the coverage may be off-the-shelf rather than customised to meet the insurance needs of a particular industry. There is not adequate historical data to quantify industry-specific risks, even though these risks vary materially. For example, the risks of the financial industry will be materially different from those of the energy industry: data breach is a big concern for the former, while contingent business interruption is a real threat to the latter. Even when historical data has been accumulated, it is not necessarily reflective of the risks currently faced by insurance firms, as cyber risks are constantly evolving with the advancement of technologies and attack methods. The potential for ‘unknown-unknown’ cyber threats adds extreme uncertainty to any understanding of the driving forces.

In addition to the quantification of individual insurance risks, insurers and reinsurers also need to consider the aggregation of risks, which is more challenging, if it is even doable. Insurance companies usually rely on diversification across a large number of independent risks, making the aggregate loss more predictable. However, the accumulation of cyber risks is quite different due to their interdependent nature. One cyberattack could affect multiple clients in different parts of the world simultaneously.

According to the Aon/Ponemon 2017 Global Cyber Risk Transfer Comparison Report, only around 15% of information assets are covered by insurance, compared with 59% of property, plant and equipment. Captive insurance traditionally thrives where the commercial markets do not fully and efficiently address the risks faced by consumers.[2]

For example, captives are frequently created by doctors when the rates for professional liability rise or the coverage is not readily available. Similarly, we believe captive insurance could be an attractive alternative to supplement or substitute for cyber risk insurance coverage.

This position is supported by Gary Langsdale, risk manager at Pennsylvania State University, who has said, “Over the years, it has become increasingly difficult for us to find a home for cyber insurance, largely because as a university we have a very open IT infrastructure as often we need to share information with publications and other external collaborators.”[3]

Why can captives do better?

Rather than transferring cyber risks to the traditional insurance market, a company could consider a captive as a platform to better manage risks, potentially resulting in ancillary risk management benefits across the insurance operations. This idea is premised on debates regarding the fundamental insurability of cyber risks,[4] with some arguing that, rather than trying to quantify the risks, a more effective way would be to increase cyber defenses.

Captives will face the same challenge as traditional insurers in developing well-defined insurance coverage and sound premium rates, due to the ever-changing nature of cyber risks. However, both coverage and premium rating become less serious considerations for captives, given that they retain cash flows within their own ecosystem.

Captives have much longer terms of insurance contracts with their holding companies unless they are shut down. Captives can adapt to changing underwriting conditions: if the captive has significant underwriting losses, it can recoup the losses with increased premium rates or enhanced underwriting efforts; if the captive has higher than expected underwriting profits, it may invest part or all of these profits in procedures or technologies that increase cyber defense and sustain profitability. Captives can also directly address related problems, such as incidents resulting in both property damage and reputational damage.

In the absence of adequate information to differentiate between specific industries or individual insured entities, broadly flat premium rates and similar underwriting conditions tend to apply. Captives have more incentives to implement procedures to improve the cyber risk management environment, both pre-loss and post-loss.

Cyber risk management via a captive could more easily be advanced to the board level rather than being a pure IT function, so that more effective procedures would be adopted and more proactive monitoring implemented. Captive owners are also more likely to make strategic investments to improve the cyber security for the long term.

This is important considering over half of cyber incidents are due to human errors, and a significant proportion of cyberattacks happen when patches are not installed in time for known threats. For example, the Equifax data incident of 2017, with around 143 million customer records exposed, reportedly occurred due to employees failing to follow security warnings and code reviews in implementing the software fixes that would have prevented the incident.

More efficient insurance operations

Capturing adequate data is critically important for cyber risk modelling. However, firms hesitate to disclose cyber incidents to government bureaus or insurance companies unless they want to file claims, concerned that reporting cyber incidents may put their reputations at risk. There is less concern about sharing data within a captive ecosystem.

This enables captives to capture and quantify the cyber loss components on a more granular level, by coverage for example, rather than only providing an aggregated gross loss estimate. More information will also help captives better understand the driving forces behind cyber incidents.

How captives handle claims will also differ materially from how traditional insurers handle them. Captives would likely be notified about incidents in a more responsive way, enabling management to assess the damage faster and develop a recovery plan of action more quickly. This difference in claim handling will affect the reserve estimation exercise, and, more importantly, the responsiveness to cyber incidents will greatly affect their costs.[5]

While local direct insurers may be lukewarm about offering cyber risk coverage, or only willing to offer coverage at high premium rates, international reinsurers may have an appetite and more capacity for cyber risks. Captives could more easily access the international reinsurance markets for an excess layer of protection.

Including cyber risk within the portfolio of coverages for a captive could increase capital efficiency. Captives traditionally focus on property and liability coverage. Adding cyber risk could have diversification benefits for a captive, which would help its solvency position, especially under European Solvency II or similar solvency regulation schemes. Thus, by including cyber risks, the return on capital could be optimised.
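Two of the quantitative claims above can be checked with a small Monte Carlo model: the earlier point that interdependent cyber losses (one attack hitting many clients at once) are far harder to diversify than a book of independent risks, and the point here that a cyber book with a different driver than a property book can still reduce the capital the combined portfolio needs at a Solvency II style 1-in-200 confidence level. The code below is an added illustration, not part of the original article or any Milliman model; every parameter (book sizes, loss probabilities, the common-shock probability) is constructed for the example and not calibrated to market data, and "required capital" is simplified to the 99.5% loss quantile minus the expected loss.

```python
"""Monte Carlo comparison, standard library only:
(a) independent risks vs. a cyber book driven by a common shock, and
(b) capital for property and cyber books held separately vs. combined.
All parameters are constructed for illustration, not calibrated."""
import random
import statistics

# Constructed parameters (illustrative only)
N_CYBER = 200             # policies in the cyber book
P_LOSS = 0.05             # annual loss probability per policy, independent model
P_SHOCK = 0.10            # probability of an industry-wide attack in a year
P_HIT_GIVEN_SHOCK = 0.50  # share of policies hit when that attack happens
N_PROPERTY = 300          # policies in the property book
P_PROPERTY = 0.10         # annual loss probability per property policy
SEVERITY = 1.0            # loss per affected policy (one monetary unit)
CONFIDENCE = 0.995        # Solvency II style one-year confidence level


def independent_losses(rng, n, p):
    """Aggregate annual loss when each policy suffers a loss independently."""
    return sum(SEVERITY for _ in range(n) if rng.random() < p)


def common_shock_losses(rng):
    """Cyber book where a single attack hits many clients simultaneously.
    P_SHOCK * P_HIT_GIVEN_SHOCK equals P_LOSS, so the expected loss matches
    the independent model; only the dependence structure differs."""
    if rng.random() < P_SHOCK:
        return independent_losses(rng, N_CYBER, P_HIT_GIVEN_SHOCK)
    return 0.0


def quantile(values, q):
    """Empirical q-quantile of a list of simulated annual losses."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def required_capital(losses, q=CONFIDENCE):
    """Simplified capital: loss at the 1-in-200 year minus the expected loss."""
    return quantile(losses, q) - statistics.fmean(losses)


def run_study(n_years=10000, seed=7):
    """Simulate n_years of losses for each book and return summary figures."""
    rng = random.Random(seed)
    indep, cyber, prop = [], [], []
    for _ in range(n_years):
        indep.append(independent_losses(rng, N_CYBER, P_LOSS))
        cyber.append(common_shock_losses(rng))
        prop.append(independent_losses(rng, N_PROPERTY, P_PROPERTY))
    combined = [c + p for c, p in zip(cyber, prop)]
    return {
        "mean_independent": statistics.fmean(indep),
        "mean_cyber": statistics.fmean(cyber),
        "capital_independent": required_capital(indep),
        "capital_cyber": required_capital(cyber),
        "capital_property": required_capital(prop),
        "capital_combined": required_capital(combined),
    }


if __name__ == "__main__":
    for name, value in run_study().items():
        print(f"{name:>20}: {value:8.2f}")
```

The independent and common-shock cyber books have the same expected loss, yet the common-shock book needs many times the capital, because in a shock year roughly half the book is hit at once; that is the aggregation problem described earlier. Pairing the cyber book with the property book, whose losses have an unrelated driver, gives a combined capital figure below the sum of the two standalone figures, which is the diversification benefit this section refers to.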

Concerted efforts through pooling

In addition to endeavors by individual captives, concerted industry efforts can be more easily organised by captive owners within the same industry. There are ancillary benefits from pooling:

• The IT infrastructure could be mostly purchased from the same vendor, so it makes more economic sense to pool the efforts to increase cyber defense. For example, professional ‘white hat’ hackers could be hired to test the IT infrastructure of the whole industry for vulnerabilities on a regular basis.

• Data collected by individual companies could be pooled within the same industry for further analysis of the risk profile, which could be used to justify favorable premium rates or underwriting conditions from reinsurers. Pools could be built to share the risk across companies within the same industry before individual captives seek excess layers of protection from international reinsurance markets.

• In case of incidents, knowledge about attacks and damage could be shared within the pool promptly, and remedial actions could be taken by all captives simultaneously to quickly increase the defense of the industry. Also, incident response experts could be hired by the pool to handle incidents and more effectively control their cost.[6]

• Some industry cyber security standards and guidelines could be implemented to deal with industry-specific risks in addition to any regulations or data protection standards issued by governments, such as the GDPR.

Companies that form captives will encourage more proactive management of cyber risks and will likely reduce their total cost of risk while still using their capital effectively. With support from experts such as captive managers and actuaries, more customised coverage for each industry, and better information sharing and concerted market efforts, cyber risk management could be improved in a more holistic manner.

The author, Guanjun Jiang, is a principal and consulting actuary at Milliman, based in Milliman’s Shanghai office.

1 Airmic (7 June 2016). The top priority risks are also among the most difficult to insure. Retrieved on 18 September 2018 from

2 Captive International (2 January 2018). Why captives can shine through on cyber. Retrieved on 18 September 2018 from

3 Wright, A. (4 April 2016). The cyber captive option. Risk & Insurance. Retrieved on 18 September 2018 from

4 Warren Buffett said during the company’s annual meeting in May 2018, ‘I don’t think we or anybody else really knows what they’re doing when writing cyber [insurance].’

5 Per the 2018 Cost of a Data Breach Study by Ponemon and IBM Security, companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days.

6 Per the 2018 Cost of a Data Breach Study by Ponemon and IBM Security, an incident response (IR) team reduced the cost by as much as $14 per compromised record, around 10% of the per capita cost.