Last month, the Federal Insurance Office (FIO) issued its third annual report on the insurance industry, and I found two things of note. First, the report criticized state insurance regulators for not doing enough to address ongoing concerns about captive reinsurance. Now, of course, that caught my attention, and we know this is an ongoing issue between the NAIC and the FIO, but it was the report’s discussion of cyber risk that really caught my eye.
The report estimated that the U.S. cyber insurance market has about $2 billion in capacity, and the FIO indicated that underwriters should improve cyber risk processes to encourage the pooling of insurance data and improvements in cyber risk expertise. “Recently, concerns have been raised regarding the capacity and scope limitations of the cyber risk insurance market, with some market participants describing market capacity for cyber risks as ‘very small’ and observing that billion dollar coverage limits are needed to adequately address the losses posed by cyber risks,” said the report.
There has been a lot of discussion of writing cyber risk in captives, and we have a good example in the case of Penn State’s captive, Nittany Insurance, writing cyber for all their students, researchers and faculty. As Nittany’s Gary Langsdale outlined in the cyber webinar VCIA held in May of last year, on the average day at Penn State, 170,000 email accounts on over 100 separate systems receive 3.2 million emails; in addition, last year their email system filters blocked over 95 million spam emails!
As with terrorism risk, the question becomes: are we now at a place where the impact of a cyber-attack could be so great, and cover such a large swath of territory, businesses and systems in the U.S., that cyber risk insurance programs will be overwhelmed? To me, it raises the question of whether a program similar to TRIA, with the U.S. government as a backstop, needs to be devised. TRIA and its subsequent extensions serve as reinsurance for commercial Property and Casualty policies covering losses due to acts of terrorism in the U.S. In exchange for federal support, insurers are required to offer terrorism coverage.
As with terrorism coverage, a captive providing cyber risk coverage with a federal backstop could offer several advantages over a commercial insurance carrier, in addition to the typical advantages of a captive program. Because the typical aggregate-earned premium for a captive insurer is minimal compared to that of commercial insurers, the deductible amount is often quite low. The government, using guidelines similar to TRIA's, could respond to certified losses typically excluded in commercial cyber policies. Captives are not required to pay funds to their policyholders in advance of receiving reimbursement from the federal government, alleviating cash flow issues. On the whole, corporations accessing TRIA directly through their captives generally have broader coverage and, in the event of no loss, may recoup premiums.
My fear is that without a federal backstop similar to TRIA, capacity could dry up with one or two big cyber-attacks. Something to think about.
Thanks and keep in touch!