Cyber Market Dramatically Increases
Cyber risk has become one of the top priorities for company boards, regulators and governments following the sharp rise in data breaches, according to Moody’s, the ratings agency.
“Given the rising frequency and severity of cyber attacks, boards have become particularly focused on making sure corporations have adequate systems and controls in place to safeguard their own data and that of their customers,” said the in-depth report on cyber insurance released in mid-November.
Cyber attacks have increased by 30 percent year-over-year between the start of 2013 and 2015 — a trend that has continued, with 577 breaches reported in the first six months of this year, the report found.
However, the scale of the problem is much worse, as many attacks go unpublicized.
Over the last 15 years, the cyber insurance market has grown from about 10 insurers to about 50 carriers providing stand-alone cyber insurance, generating $2.75 billion in gross written premiums (GWP) in the U.S. this year. — Moody’s
Worse still, the average cost of cyber crime in the U.S. climbed by 22 percent, to $15 million this year, according to a new report by independent research firm the Ponemon Institute.
It’s understandable then, according to Moody’s, that the lack of credible data on losses and the potential risk accumulations have made insurers cautious, resulting in some offering relatively small limits.
“Given the uncertainties of this evolving market, with limited historical loss data and large potential risk correlations, we view expansion into the cyber risk insurance market as similar to that of other high risk/return product segments, such as catastrophe risk, fidelity/crime and terrorism,” the report said.
“One of the most significant challenges to insurers in this market is a lack of actuarially analyzable data about cyber attacks. Over time, we expect this to shift as companies gain experience from continued cyber assaults as well as through increasing disclosure requirements for publicly traded corporations.”
Fast Growing Market
It’s no surprise given the high-profile attacks on Target, Sony, JP Morgan, U.S. Office of Personnel Management and others that cyber insurance is one of the fastest growing markets for property and casualty insurers.
Over the last 15 years, the market has grown from about 10 insurers to about 50 carriers providing stand-alone cyber insurance, generating $2.75 billion in gross written premiums (GWP) in the U.S. this year, said Moody’s, which noted GWP was about $2 billion a year earlier.
Other carriers provide cyber-related endorsements to commercial general liability or multi-peril policies, according to the ratings agency.
The report noted that PricewaterhouseCoopers has forecast the cyber insurance market to grow to as much as $7.5 billion by 2020.
However, despite the recent growth, the ratings agency said that some insurers have reduced capacity, and increased rates and deductibles in response to large claims, particularly in retail and health care.
The biggest demand for stand-alone cyber insurance, according to Marsh, is from the hospitality, gaming, education, and power and utilities sectors, with a 32 percent increase in the overall number of U.S. clients buying cover in the first half of 2015.
Robert Parisi, managing director of Marsh FINRPO, said that estimates of the cyber insurance market continue to grow dramatically, with GWP up anywhere between 50 percent and 100 percent between 2014 and 2015.
“We’re seeing several industry classes start to buy a lot more of it,” he said. “One of those is general manufacturing or industrial clients who are incredibly, if not wholly, dependent on technology throughout the lifecycle of their process from supply chain to distribution and sales.
“As a result, we have seen a real growth in the property-related cyber risks.”
Moody’s reported that new carriers have entered the cyber insurance market, adding to the competition.
Kevin Kalinich, global practice leader for cyber risk at Aon Risk Solutions, said increased competition has surfaced among insurers targeting middle market companies for comprehensive coverage and aggressive pricing strategies.
However for large companies in retail, health care, finance and hospitality, it’s become increasingly difficult to get cover because insurers find it hard to price those risks, he said.
“In the future, companies are going to have to make a choice between maximizing coverage and capacity, in which case they are going to have to pay a higher premium, or pay the least amount they can, which is going to limit their capacity on a program or else pay an inverted pricing,” he said.
“Cyber insurance is also going to become much more of a macro-level issue for insurance. It’s going to affect property, general liability and crime insurance.”
He said that companies can improve their risk management by using a third party provider, while also benefiting from insurers offering more value-added services.
Peter Foster, executive vice president, FINEX North America, Willis, said that underwriters have become discerning about the policies they write for large retailers and health care companies, and are reviewing premiums across all industries as a result of the substantial losses incurred due to recent breaches.
“The insurance industry is responding to the threat of cyber attacks,” he said. “It’s still a robust marketplace even though these losses are occurring.”
Moody’s noted that insurers themselves are also at risk and if attacked, could face a severe and prolonged disruption to their business, resulting in a negative impact to their ratings or outlook.
A Fast Food Nightmare
Millie Ramos was using twin deep-fryer baskets at Express Burgers & More when she sustained severe burns to her eye and both hands. The locks wouldn’t release when she attempted to remove the flyer baskets.
When they remained stationery, the force caused her hands to go into the hot oil. Her screams brought the place to a standstill.
“She was half slumped over the frying area with her hands still in the basket and in shock,” her supervisor told me.
He and some co-workers moved her over to a chair and wrapped cool towels around her hands. Her upper face and left eye had been splattered by the hot oil.
Our settlement offer was based on a body as a whole impairment. This was accepted, bringing to an end a very painful case.
Millie, a 21-year-old single mother hired just nine days prior, was hospitalized in a burn care unit.
When I spoke with manager Ed Stanton about the basket locks, he noted that the locks “normally are quick to release with just a bit of pressure. I can’t fathom why this one didn’t.”
The branch had been using that particular unit for three years, with no previous issues reported.
Ed said that Millie “had our usual on-the-job training … shadowing an existing employee to get the hang of things,” but there was no fryer-specific training.
“Had Millie been required to wear a hairnet or protective gear?” I asked.
“Yeah,” he replied, “a hairnet of course and we do provide plastic glasses, but I don’t know if she was wearing them.”
I asked how often the fryer was cleaned and inspected, to which Ed said, “When it needed to be. But it’s always in use.”
My next question surprised him. I asked whether Millie drank alcohol. He retorted, “Well, it’s not for me to know or say, is it?”
The case manager and I spoke later. Millie had third-degree burns on both hands requiring extensive cleansing of the dead skin, a lot of intravenous fluid drips, antibiotic creams and pain medications.
Subsequently, there’d be numerous skin grafts. Her eye was washed and medicated drops used. No loss of the eye itself was expected.
Our case manager hesitated a few seconds after I asked if there was any blood alcohol testing.
“The claimant was in acute distress, actually shock,” she said. “They needed to stabilize her, so nothing of that sort was done.”
Millie’s prognosis remained guarded.
She was unable to work, unable to care for her family, unable to drive, and she experienced recurring nightmares.
After discharge there would be physical therapy and eventually work hardening. Return to work was estimated between 4 and 6 months. A homemaker would be required to care for Millie’s young daughter.
I spoke with the corporate risk manager, Frank Duclos, about the mechanics of the injury.
Polite, but circumspect, he only disclosed that “we’ve taken a look at it and nothing untoward was found.”
I concluded nothing else would come of the issue.
Case management reports reflected limited progress over the next few months. The claimant continued to have nightmares and crying bouts.
Six months passed with no return to work. When Millie was discharged to regular duty, we scheduled an independent medical exam.
Our settlement offer was based on a body as a whole impairment. This was accepted, bringing to an end a very painful case.
7 Questions to Answer before Choosing a Captive Insurance Domicile
Risk managers: Do your due diligence!
It seems as if every state in America, as well as many offshore locations, believes that they can pass captive legislation and declare, “We are open for business!”
In fact, nearly 40 states and dozens of offshore locations have enabling captive insurance legislation to do just that.
With so many choices how do you decide who is experienced enough to support the myriad of fiscal and regulatory requirements needed to ensure the long term success of your captive insurance company?
“There are certainly a lot of choices,” said Mike Meehan, a consultant with Milliman, an actuarial firm based out of Boston, Massachusetts, “but not all domiciles are created equal.”
Among the crowd, there are several long-standing domiciles that offer the legislative, regulatory and infrastructure support that makes captive ownership not only a successful risk management tool but also an efficient entity to manage and operate.
Selecting a domicile depends on many factors, but answering these seven questions will help focus your selection process on the domiciles that best fit your needs.
1. Is the domicile stable, proven and committed to the industry for the long term?
The more economic impact that the captive industry has on the domicile, the more likely it is that captives will receive ongoing regulatory and legislative support. The insurance industry moves very quickly and a domicile needs to be constantly adapting to stay up to date. How long has the domicile been operating and have they been consistent in their activity over the long term?
The number of active captive licenses, amount of gross premium written in a domicile and the tax revenue and fees collected can indicate how important the industry is to the jurisdiction’s bottom line. The strength of the infrastructure and the number of jobs created by the captive industry are also very relevant to a domicile’s commitment.
“It needs to be a win – win situation between the captives and the jurisdiction because if not, the domicile is often not committed for the long term,” said Dan Kusalia, Partner with Crowe Hortwath LLP focused on insurance company tax.
Vermont, for example, has been licensing captives since 1981 and had 589 active captives at the end of 2015, making it the largest domestic domicile and third largest in the world. Its captive insurance companies wrote over $25 billion in gross written premiums. The Vermont State Legislature actively supports an industry that creates significant tax revenue, jobs and tourist activity.
2. Are the domicile’s captives made up of your peer group?
The demographics of a domicile’s captive companies also indicate how well-suited the location may be for a business in a particular industry sector. Making sure that the jurisdiction has experience in the type and form of captive you are looking to establish is critical.
“Be among your peer group. Look around and ask, ‘Who else is like me?’” said Meehan. “Does the jurisdiction have experience licensing and regulating the lines of coverage for other businesses in your industry sector?”
3. Are the regulators experienced and consistent?
It takes captive-specific expertise and broad experience to be an effective regulator.
A domicile with a stable and long-term, top-tier regulator is able to create a regulatory environment that is consistent and predictable. Simply put, quality regulation and longevity matter a lot.
“If domicile regulators are inexperienced, turnaround time will be slower with more hurdles. More experience means it is much easier operating your business, especially as your captive grows over time,” said Kusalia.
For example, over the past 35 years, only three leaders have helmed Vermont’s captive regulatory team. Current Deputy Commissioner David Provost is one of the longest tenured chief regulators and is a 25-year veteran in the captive insurance industry. That experienced and consistent leadership enables the domicile to not only attract quality companies, but also to provide expert guidance on the formation process and keep the daily operations running smoothly.
4. Are there world-class support services available to help manage your captive?
The quality of advisors and managers available to assist you will have a large impact on the success of your captive as well as the ease of managing the ongoing operations.
“Most companies don’t have the expertise to operate an insurance company when you form a captive, so you need to help build them a team,” Jeffrey Kenneson, a Senior Vice President with R&Q Quest Management Services Limited.
Vermont boasts arguably the most stable and experienced captive infrastructure in the world. Many of the leading captive management companies have their headquarters for their Global, North America and U.S. operations based in Vermont. Experienced options for captive managers, accountants, auditors, actuaries, bankers, lawyers, and investment professionals are abundant in Vermont.
5. Can the domicile both efficiently license and provide on-going support to your captive as it grows to cover new lines of coverage and risks?
Licensing a new captive is just the beginning. Find out how long it takes for the application to get approved and how long it takes for an approval of a plan change of your captive’s operations.
A company’s risks will inevitably change over time. The captive will need to make plan changes which can include adding new lines of business. The speed with which your domicile’s regulatory branch reviews and approves these plan changes can make a critical difference in your captive’s growth and success.
The size of a captive division’s staff plays a big role in its speed and efficiency. Complex feasibility studies and actuarial analyses required for an application can take a lot of expertise and resources. A larger regulatory team will handle those examinations more efficiently. A 35-person staff like Vermont’s, for example, typically licenses a completed application within 30 days and reviews plan changes in a matter of days.
6. What are the real costs to establishing and managing your captive?
It is important to factor in travel costs, the local costs of service providers, operating fees, and examination fees. Some states that do not impose a premium tax make up for it in high exam fees, which captives must be prepared for. Though Vermont does charge a premium tax, its examination fees are considered some of the least expensive options in the marketplace.
It is also important to consider the ease and professionalism of doing business with a domicile in the ongoing operations of your captive insurance company.
“The cost of doing business in a domicile goes far beyond simply the fixed cost required. If you can’t efficiently operate due to slow turn-around time or added obstacles, chances are you have made the wrong choice,” said Kenneson.
7. What is the domicile’s reputation?
Make sure to ask around and see what industry experts with experience in multiple domiciles have to say about the jurisdiction. Make sure the domicile isn’t known for only licensing certain types of captives that don’t fit your profile. Will it matter to your board of directors if your local newspaper decides to print a story announcing your new insurance subsidiary licensed in some far away location?
Are companies leaving the jurisdiction in high numbers and if so, why? Is the domicile actively licensing redomestications — when an existing captive moves from one domicile to another? This type of movement can often be a positive indicator to trends in a domicile. If companies of a particular size or sector are consistently moving to one state, it may indicate that the domicile has expertise particularly suited to that sector.
Redomestications made up 11 of the 33 new captives in Vermont in 2015. This trend is a positive one as it speaks to the strength of Vermont. It reinforces why Vermont is known throughout the world as the ‘Gold Standard’ of domiciles.
Asking the right questions and choosing a domicile that meets your needs both today and for the long term is vital to your overall success. As a risk manager you do not want surprises or headaches because you did not ask the right questions. Do the due diligence today so that you can ensure your peace of mind by choosing the right domicile to meet your needs.
For more information about the State of Vermont’s Captive Insurance, visit their website: VermontCaptive.com.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with the State of Vermont. The editorial staff of Risk & Insurance had no role in its preparation.