The Cyber Conundrum

Last month, the Federal Insurance Office (FIO) issued its third annual report on the insurance industry, and I found two things of note. First, the report criticized state insurance regulators for not doing enough to address ongoing concerns about captive reinsurance. Now, of course that caught my attention, and we know this is an ongoing issue between the NAIC and the FIO, but it was the report’s discussion of cyber risk that really caught my eye.

The report estimated that the U.S. cyber insurance market has about $2 billion in capacity, and the FIO indicated that underwriters should improve cyber risk processes to encourage the pooling of insurance data and improvements in cyber risk expertise. “Recently, concerns have been raised regarding the capacity and scope limitations of the cyber risk insurance market, with some market participants describing market capacity for cyber risks as ‘very small’ and observing that billion dollar coverage limits are needed to adequately address the losses posed by cyber risks,” said the report. There has been a lot of discussion of writing cyber risk in captives, and we have a good example in the case of Penn State’s captive, Nittany Insurance, writing cyber for all their students, researchers and faculty.  As Nittany’s Gary Langsdale outlined in the cyber webinar VCIA held in May of last year, on the average day at Penn State, 170,000 email accounts on over 100 separate systems receive 3.2 million emails; in addition, last year their email system filters blocked over 95 million spam emails!

As with terrorism risk, the question becomes: are we now at a place where the impact of a cyber-attack could be so great, and cover a large swath of territory, businesses and systems in the U.S., that cyber risk insurance programs will be overwhelmed? To me it raises the question whether a program similar to TRIA, with the US government as a backstop, needs to be devised. TRIA and its subsequent extensions serve as reinsurance for commercial Property and Casualty policies covering losses due to acts of terrorism in the U.S. In exchange for federal support, insurers are required to offer terrorism coverage.

As with terrorism coverage, a captive providing cyber risk with a federal backstop could offer several advantages over a commercial insurance carrier in addition to the typical advantages of a captive program. Because the typical aggregate-earned premium for a captive insurer is minimal compared to that of commercial insurers, the deductible amount is often quite low. The government, using similar TRIA guidelines, could respond to certified losses typically excluded in commercial cyber policies. Captives are not required to pay funds to their policyholders in advance of receiving reimbursement from the federal government, alleviating cash flow issues.  On the whole, corporations accessing TRIA directly through their captives generally have broader coverage, and, in the event of no loss, may recoup premiums.

My fear is that without a federal backstop similar to TRIA, capacity could dry up with one or two big cyber-attacks.  Something to think about.

Thanks and keep in touch!

Rich Smith
VCIA President

End of the Year (not the World)

One thing about living in Vermont is that you know when it gets toward the end of the year – it’s dark, cold and often snowy. Just keeps us in a rhythm with nature, I guess. But it also signals the start of lighter days ahead. With that introspective hackneyed opening, it’s time to ponder the end and look ahead.

It was another good, albeit challenging, year in the captive industry. We continue to see growth industry-wide as more organizations (big and small) take control of aspects of their own risk which in the past they would have pushed off to the commercial insurance market. There are now over 5,000 captive insurance companies worldwide, and growing interest from smaller to middle-sized entities seeking ways to mitigate new and emerging risks. Emerging risks, such as cyber risk and supply chain risk, present opportunities to the captive insurance world, which can respond more quickly and precisely than traditional insurance. We see the risk starkly with the very recent cyber-attack on Sony by shadowy assailants who are causing major disruptions to Sony’s operations. Owning the risk early on may have helped Sony protect itself from these types of attacks.

Even as captive insurance has emerged solidly as a mainstream risk financing tool, there is still work to be done. We continue to see challenges to the industry, including threats of excessive regulation; the weakening of sound regulatory structures based on a desire to attract business; and efforts to impose new or increased taxes. As Congress left Washington this week without passing a TRIA reauthorization, we are reminded that we have our work cut out for us next year.

All in all, however, I wouldn’t want to be anywhere else. We have so many opportunities for growth, and will work hard to see captives continue to prosper!

Have a safe and happy holiday season and terrific New Year! Thank you all very much, and I look forward to hearing from you soon!

~Rich