Best's Review

AM BEST'S MONTHLY INSURANCE MAGAZINE



Captives
Panel: Captive Insurers Cautiously Venture Into Cyber Coverage

The use of captives to manage cyberrisk may be a perfect solution for Main Street businesses. See the Best's Rankings list of the Largest Published, Rated Single-Parent Captive Insurers — 2022 Edition.
  • Lori Chordas
  • October 2022

A panel of insurance and cyber experts said some single-parent and group captives have expanded their offerings to include cyber liability coverage, but have been conservative with the amount of risk assumed.

Panel members speaking with AM Best TV at the Vermont Captive Insurance Association conference in Burlington, Vermont, were Jack Kudale, founder and chief executive officer of Cowbell; Dennis Silvia, the executive vice president of Davies Captive Management; and Fred Eslami, an associate director at AM Best.

Following is an edited transcript of the interview.

How are captives covering cyber for their parents and members?

Eslami: We have seen that single-parent captives and group captives are relatively the most dominant captives who include cyber within themselves. Group captives usually do that because they want to have a menu that their members can pick from so they don't have to go outside the captive and shop around for cyber, for example. At the same time, these groups provide limited limits, so to speak.

Related: Cyber Coverage Hits Landmark, but Challenges Remain

Fred Eslami AM Best

“We have seen that single-parent captives and group captives are relatively the most dominant captives who include cyber within themselves.”

Fred Eslami
AM Best

It's not aggressive. The type of coverage is well defined so that the members can pick from that option. For the single-parent captives—and let me emphasize on the maturity of the single-parent captives—then it's a longer process. They're the most intimate with the ERM (enterprise risk management) of the parent company.

They understand the relationship between the employees, the HR, the treasuries, and they understand what they experienced in terms of cyber losses. They're able to devise along with their captive managers and other partners to include cyber at a minimum retention or depending on what they end up providing to the parent company.

How is that coverage being designed for captives? Are the limits being offered large, or are they limited?

Silvia: You think about cyber in the sense of a marketplace that has limited capacity, generally. It's a classic captive application. The problem is that the limit of insurances being offered from the traditional market is low because cyber is confusing and difficult to underwrite coverage. We've often recommended that our clients, rather than getting full force in with large limits that are offered autonomously by the captive, should seek out the assistance of a front company who understands from the perspective of underwriting coverage limitations, policy forms, etc.

Then, get involved in some sharing with them either on taking a lower level loss so that they're involved in things like notification to people who have had their information compromised, for instance, or some quota share arrangement. I just think that to step into those waters that are very deep and you don't see the bottom, for a captive that's not experienced in those things, is dangerous.

We've taken a more conservative approach with our clients in recommending how they get involved in captives. To answer your question, lower limits typically, or some quota share with a partner that really understands the business.

Cowbell announced a cyber insurance captive, Cowbell Re, earlier this year. Can you tell us about the impetus behind that?

Kudale: As you know, Cowbell specialized in cyber insurance. We're really known for our approach to underwriting, which is really based off of continuous underwriting and the proprietary ratings factor, the Cowbell factors that we base our underwriting precision on.

It was really the underwriting results and the precision of our underwriting that really led us to get more confidence and participate in the quota share on our programs. We set up Cowbell Re at the beginning of January earlier this year. We now take just up to 10% of the quota share on pure pro programs.

What is the most appealing aspect of creating a captive that's dedicated to cyber?

Kudale: As alluded to my panelists here, cyber is a hard market and it will likely remain that for the near future. In a supply-constrained environment, when you have a risk-sharing partner, it has really allowed us to get a reinsurance panel, about 15 A-rated reinsurance on our panel. That wasn't the case prior to us participating in the risk, prior to Cowbell Re. It has been one of the most appealing parts, where we now have more participation on our programs than it was prior to Cowbell Re.

Any thoughts to share about the appealing aspect of creating captives dedicated to cyber?

Silvia: It certainly spreads the risk across this larger pool of reinsurance. It makes it a less risky proposition for the captive, who is probably the least funded of all the different entities that might be involved. It does allow them access to coverage, which, if that wasn't the case from a supply-and-demand perspective, then essentially they'd be on that risk all their own. Again, a classic captive application.

Eslami: The continuous underwriting mentioned is very important for cyber because you have to be there all the time, every time that policyholders are doing business. That's the benefit that MGAs or captives like Cowbell Re provide to the market.

Do captives remain underutilized in addressing cyberrisk, and do you see that changing anytime soon?

Silvia: They are, and mostly because people are afraid of the risk. You can build into risk management programs for things like auto liability or for workers' compensation. There are very clearly defined risk management tools that you can use. There is a feeling, though, that from a cyber perspective, you really are at the mercy of people who are not predictable, pirates, hackers, etc., so it makes it a little bit difficult.

What we're seeing is that those activities are actually not just reserved for the biggest corporations in the world. Now they're coming into Main Street businesses. These things are crippling. I've read statistics that say that a smaller business that undergoes some cyberattack often doesn't survive as a business and that they are literally destroyed as a result of it.

Related: Cyberattacks: Insurers Defend Against Ransomware

You've got this very powerful dynamic that says you need this coverage. Then, on the other side of it, you've got the other part that balances that says, but it may not be available or not available at a price you can afford. Captives, again, a natural place to go with it. Just need someone to take their hand and bring them into that world in a way that makes sense.

Any thoughts to share?

Kudale: There are four out of five small to medium-sized businesses that do not have cyber insurance coverage. Most of the small businesses with an average ransomware cost just under $200,000 for a very small business. It's very hard for them to reopen the business on Monday if there is a ransom attack on Friday night. This is where the entire closed-loop risk management is. It's not just about continuous underwriting, it's about also participating in risk-taking and helping those businesses improve their risks along the way, whether they're policyholders or not, is very important going forward.

Eslami: I agree with Jack and Dennis that captives are young, this whole risk is young, and it takes time and maturity for the industry to accept the risk within the captives.

 

Best's Rankings

Largest Published, Rated Single-Parent Captive Insurers — 2022 Edition

Captives were ranked by 2020 gross premiums written.

(US$ Thousands)

Rank Company AMB# Country of
Domicile
Gross
Premiums
Written
Ultimate Parent Name
1 Solen Versicherungen AG 056958 Switzerland $1,219,929 Royal Dutch Shell plc
2 Jupiter Ins Ltd 057796 Guernsey 583,000 BP p.l.c.
3 Noble Assur Co 072672 United States 465,062 Royal Dutch Shell plc
4 Amer Road Ins Co 000152 United States 366,049 Ford Motor Company
5 Kot Ins Co AG 090728 Switzerland 364,863 Petroleos Mexicanos
6 Vine Court Assur Incorporated 056604 United States 350,381 Kroger Co
7 Dorinco Reins Co 003771 United States 304,772 Dow Inc.
8 Eni Ins Designated Activity Co 090115 Ireland 260,697 Eni S.p.A.
9 Castle Harbour Ins Ltd 073621 Bermuda 250,606 Schlumberger Limited
10 Greenval Ins Co DAC 090329 Ireland 247,867 BNP Paribas SA
11 Agrinational Ins Co 056005 United States 226,238 Archer Daniels Midland Company
12 Stellar Ins, Ltd. 076969 Bermuda 180,329 Saudi Arabian Oil Company
13 Spirit Ins Co 014365 United States 180,082 Phillips 66
14 Queen City Assur, Inc. 075149 United States 170,516 Kroger Co
15 Builders Reins S.A. 094157 Luxembourg 155,979 ACS, Actividades de Construcción y Serv
16 AES Global Ins Co 075701 United States 153,598 The AES Corporation
17 Toyota Motor Ins Co 011099 United States 149,991 Toyota Motor Corporation
18 Enel Ins N.V. 094069 Netherlands 145,229 Enel S.p.A.
19 GreenStars BNP Paribas S.A. 094271 Luxembourg 127,213 BNP Paribas SA
20 Harrington Sound Ins Ltd 073622 Bermuda 121,396 Schlumberger Limited

Source: BestLink logo and AM Best research data as of Sept. 2, 2022.

 


Lori Chordas is a senior associate editor. She can be reached at lori.chordas@ambest.com.



There’s So Much to Cover—Don’t Miss the Latest

Get more news stories like this delivered to your inbox by signing up for our article spotlights.

Subscribe

Back to Home