With nearly $7.0¹ billion of cyber written premium in 2022, a more stable commercial market brings into question whether captive solutions make sense for cyber risks.

Growing evidence suggests that the commercial market for cyber insurance has begun to stabilize after a tumultuous stretch of several years. Rate increases for cyber policies have slowed and loss ratios have declined from the peak seen in 2019 and 2020. In addition, the commercial market is reporting more capacity available to write cyber insurance. So where does this leave the captive market? Should insurers continue to pursue writing cyber in their captives? Or are they better off buying cyber insurance in the commercial market? Before diving into those questions, let’s explore what’s happening in the commercial market.

Cyber rate changes

As shown in Figure 1, rate changes for cyber before 2020 were flat if not negative. Beginning in the middle of 2020, rate changes increased to over 5.0%. By the end of 2020, rate changes were in the double digits and the market has only recently begun to slow down. Simultaneously, cyber insurers reduced capacity, forcing insureds to take on much higher deductibles at renewal with reduced excess limits. These higher rate changes and reductions in capacity were driven by losses suffered by commercial insurers from large cyber losses, particularly in the form of the frequency and the severity of ransomware attacks.²

Comparing this trend to the property and casualty (P&C) industry, rate changes for cyber have outpaced the rate changes for the P&C industry as a whole (including cyber) beginning in 2021. However, in the latest three quarters, rate increases for cyber insurance have fallen more in line with overall rate changes in the P&C insurance market. Cyber rate changes for the second quarter of 2023 increased by only 3.6%, which is lower than the average commercial rate change for the quarter of 8.9%.⁴

Based on a survey of publicly available cyber rate filings, despite these favorable industry trends there are still companies filing for significant rate increases. As shown in Figure 2, Beazley Insurance Company, Sentry Insurance Company, and Hiscox Insurance Company have filed for average increases in 2023 of 47.9%, 55.6%, and 59.8%, respectively. However, other companies are keeping rates flat or even filing for decreases, with the Travelers Companies filing for an average rate change of -6.9%. Using 2023 written premium as weights, we calculated a weighted average rate impact of 9.1% for the companies shown in Figure 2, as marked in red.

Additionally, across the industry, there are reports of increased capacity and lower deductibles at renewal compared to prior years. Milliman has witnessed this firsthand, with clients reporting more favorable terms at renewal than in prior years. This even includes clients in the education industry and public entities, which tend to experience a higher frequency of cyber incidents than other industries and thus higher insurance costs.

Cyber loss ratios

As shown in Figure 3, the calendar-year incurred loss and the defense and cost containment expense (DCCE) ratios were quite low for the cyber insurance industry up until 2020. In 2020 and 2021, these ratios increased significantly, more than doubling from 2018 to 2020. These huge increases are what led to the large rate increases shown previously. Due to the large rate increases, the loss ratio for calendar-year 2022 has decreased back down to the pre-2020 levels. As these are calendar-year loss ratios, case reserves and incurred but not reported (IBNR) reserves tend to be understated, implying future years will shoulder the reserve increases. In other words, calendar-year loss ratios tend to lag loss ratios shown on an accident year basis or an underwriting year basis. While the loss ratios shown in Figure 3 do not tell the full picture, they help to shed some light onto trends within the cyber market and whether the cyber coverage is profitable for insurers.

In order to account for the understatement of case and IBNR reserves, we also reviewed underwriting-year ultimate loss and allocated loss adjustment expense (ALAE) ratios estimated by Milliman based on data from Lloyd’s of London as of December 31, 2022, as seen in Figure 4. In a similar pattern to the graph in Figure 3, the ultimate loss and ALAE ratios prior to underwriting-year 2019 are quite low, and spike upward in 2019 and 2020 before falling back down in 2021 and 2022 from the 10-year-high level. The lag in the loss ratios we mentioned previously can be seen when comparing Figures 3 and 4 with the spike in 2020 in Figure 3 as opposed to a year earlier in Figure 4.

These underwriting-year loss ratios are slightly inflated as the premium used is net of ceding commissions and acquisition costs. In addition, the data underlying these ultimate loss ratios are based on worldwide data, as opposed to U.S. only as shown in Figure 3 above.

Where does this leave captive insurers?

These indications of a softening cyber market bring us to the main question of this article: is cyber insurance still a relevant coverage for the captive market? We believe that it is.

While cyber rate increases are slowing and even decreasing in some circumstances, rates are still significantly higher than they were prior to 2020. As shown in Figure 1 above, double-digit average rate increases in 2021 and 2022 reached a peak of nearly 35% at their high in the fourth quarter of 2021. Many insureds have experienced cumulative rate increases upwards of 200% since the beginning of 2021, according to a report published in late May 2023.⁸

These higher rates are likely here to stay. The hardening market was a response to a realization in the actual loss exposure of cyber insurance. Based on claim data published by Coalition Inc., both the frequency and severity of claims through the first half of 2023 remain at their 2021 and 2022 levels in the United States.⁹

In addition, as part of the hardening market, cyber capacity reduced significantly in 2021 and 2022, leading many cyber writers to require higher deductibles and offer less in excess coverage. According to Risk Placement Services, insurers that were willing to write $5 million cyber liability policies, in 2020, scaled back to limits of $1 million or $3 million in 2021.¹⁰ Companies forced to take higher deductibles or to have gaps in their excess towers could either choose to self-insure that layer or turn to their captive.

There are significant advantages to adding cyber insurance to a captive

One benefit of adding cyber to a captive is having insurance coverage where coverage may not exist in the commercial market or may be too expensive. Whether being forced to take a higher deductible or not having coverage in an excess layer, captives provide their parents with an option to consider when looking for alternatives to the commercial market. In addition, whereas some cyber policies may have exclusions, like ransomware losses, a captive can help fill the gap in coverage through a difference in conditions policy.

Writing cyber in the captive may also help to diversify the captive. Cyber losses tend to pay out faster than more traditional lines of insurance, such as workers’ compensation and general liability losses, so adding cyber coverage can diversify the duration of the captive’s liabilities. In addition, the types of cyber losses a captive may insure tend to be relatively uncorrelated with other losses, so adding cyber coverage into the captive will help to diversify the insurance portfolio. With a more diversified portfolio, in any particular year, a poorly performing coverage with a high loss ratio may be offset by another coverage with a low loss ratio.

However, the captive market does have some potential disadvantages

One potential disadvantage with writing cyber into a captive is losing access to resources and vendors provided by commercial insurers to help with loss control and to respond to cyber incidents. However, depending on how cyber is written in the captive, the parent may still have access to the panel of vendors assembled for a breach response as provided by the commercial market. Large deductible policies and policies with reinsurance, either excess of loss or quota share, have a partnership with the commercial market and therefore retain access to that panel of vendors.

Writing cyber into the captive is that the risk management and IT departments may not be aligned, which can make implementing best practices for risk control challenging. By comparison, commercial cyber writers are requiring robust questionnaires and vulnerability scans during the underwriting process that span the entire business, so more and more frequently these departments are being required to work together to implement changes and adopt best-practices.

Cyber losses tend to be quite large. For example, for small and medium-sized companies with less than $2 billion in annual revenue, the average cost of a ransomware incident over the period from 2017 to 2021 is approximately $270,000. For larger companies, these incidents cost $16.6 million on average.¹¹ For captives, a cyber loss could represent a full limit claim. In addition, most types of cyber losses tend to pay out quickly as compared to other traditional insurance coverages. One large loss in the first few years of a newly formed captive has the potential to cause significant liquidity or solvency issues. When thinking about adding cyber to a captive, it’s important to consider how much capital the captive needs to continue operating in the event of a catastrophic loss and whether one full limits claim will impair the captive or, worse, render the captive insolvent. As such, adding cyber into captives may be more appropriate for captives that are well-established and have a robust surplus. Alternatively, a captive can consider a low policy limit or a quota share agreement to limit the amount of cyber exposure of the captive. With each renewal, as with any coverage, the terms of the cyber policy should be reassessed based on the captive’s financial strength and the parent’s needs.

The lack of publicly available cyber data makes it difficult to price and reserve for cyber insurance. Efforts to streamline mandated disclosure of cyber incidents are underway, which could increase the amount of industry information available and improve pricing and reserving methods in the coming years. Effective December 2023, the U.S. Securities and Exchange Commission (SEC) approved a new rule requiring public companies and foreign private issuers to report cybersecurity incidents along with requiring companies to provide annual information about how they mitigate their cyber risk. However, even if data collection begins this year, it may take some time for this database to become robust enough that it can be used as a credible resource to help analyze or price cyber risks.

First steps in adding cyber to your captive

If you’re interested in adding cyber to your captive, the first thing to do is talk to your service providers. Talk to your captive manager to better understand what regulations and surplus requirements there are in your captive’s domicile. Talk to your broker to better understand the cyber market, and what available coverage options best fit the needs of your company and the captive. And talk to your actuary. Actuaries are well-equipped to handle situations where there is little to no data and are able to maintain flexibility and adjust their methods to incorporate additional data as more industry or stakeholder-specific information becomes available. In addition, your actuary can leverage publicly available information from the commercial carrier to help price a cyber policy for your captive. Also, your actuary can assist with stress testing the captive’s capital under various scenarios of adding cyber into the captive. Last, as actuaries work for many companies, they are aware of general market trends.

What does the future of cyber hold?

A year ago, this article would have had a very different commercial market outlook. With the continuing of double-digit rate increases and high loss ratios, cyber insurance was in a hard market and companies were having a difficult time getting coverage. But less than a year later, rate increases have dropped back down to general P&C levels and cyber insurers are increasing capacity. In 2024, will the market revert again? While it is difficult to say, these authors do not think so because of the robust IT security measures companies have implemented in the last couple of years. Cyber, however, is different from most coverages in that losses are driven by criminal behavior, and the significant financial and geopolitical incentives to illicitly hack into systems and access private and sensitive data result in a constantly evolving risk. Many cyber news outlets are reporting that ransomware attacks are on the rise, and there’s speculation that 2023 may be a record-breaking year for ransomware.¹² As with all coverages, the market should be watched closely and captive owners should discuss their options with their service providers. Regardless of the state of the commercial cyber market, captive insurance companies can be an effective risk management tool to fill gaps in commercial coverage and provide reassurance to their parent companies.

¹ Cybersecurity and Identity Theft Insurance Coverage Supplement – Annual Statement for the Year December 31, 2022 of the P&C Industry, from S&P Global Market Intelligence.

² Smith, R. (October 11, 2021). Cyber insurers increasing premiums, lowering coverage limits. Insurance Business Magazine.

³ Data from The Council of Insurance Agents & Brokers.

⁴ The Council of Insurance Agents and Brokers. Commercial Property/Casualty Market Index Q2/2023.

⁵ Based on countrywide public rate filings with New Business Requested Effective dates between June 1, 2023, and January 1, 2024, filtered for companies with more than $250,000 of written premium per year. Data was collected using S&P Capital IQ’s P&C Insurance Product Filings – Filing Monitor template. Company averages were calculated as the weighted average of overall requested percentage rate impact using rate filing written premium as weights. The area of each blue circle corresponds to the total rate filing written premium included in filings for that company.

⁶ Stand-Alone Policies, Cybersecurity and Identity Theft Insurance Coverage Supplement – Annual Statement for the Year December 31, 2015-2022 of the P&C Industry, from S&P Global Market Intelligence.

⁷ Based on underwriting-year data as of December 31, 2022, from Lloyd’s of London (via Xchanging). Ultimate loss and ALAE ratios were estimated using the incurred development and incurred Bornhuetter-Ferguson development methods. Development factors and a priori loss ratios were selected based on an analysis of loss and premium data valued annually through December 31, 2022 from Lloyd’s of London (via Xchanging).

⁸ Guy Carpenter. Through the Looking Glass: Interrogating the Key Numbers Behind Today’s Cyber Market. Retrieved October 4, 2023, from https://www.guycarp.com/content/dam/guycarp-rebrand/pdf/Insights/2023/Guy_Carpenter_Cyber_(Re)insurance_Market_Report_Publish_rev%20.pdf.

⁹ Coalition Inc. 2023 Cyber Claims Report Mid-year Update.

¹⁰ Risk Placement Services. U.S. Cyber Market Outlook 2021.

¹¹ NetDiligence. Cyber Claims Study 2022 Report.

¹² Threat Intelligence Team (August 10, 2023). Ransomware review. Malwarebytes, Inc.