Captive Insurance for Cyberliability: Smart Solution or Risky Shortcut?

When it comes to hard markets like cyber insurance and other unusual risk, many larger firms are looking at captive insurance as a possible solution. What is captive insurance, and how does it work—and how can it help your business? Let's take a look. Specifically, we'll look at the example of cyber liability insurance, or cyber insurance, as a guinea pig of putting together a captive insurance coverage policy. Captive insurance refers to where a large corporation kind of forms its own insurer that's licensed, that's regulated by the state.

To cover specific risks for its unique business or hard-to-place business, the insurance company is a separate entity—technically, it's arm's length from the insured—but it's created to cover specific losses. Sometimes it's put in place to effectively be like a stop-loss. So above a certain amount of self-insured loss, the captive will cover the difference. And with cyber, the reason this is happening is policy rates are increasing. Many standard insurers are struggling to make cyber policies profitable.

So you may have insurance companies that offer you coverage, and then after some period of time, they'll non-renew because they can't make a profit off cyber insurance. The terms for cyber policies are also getting worse. The risk managers and underwriters in the companies are really putting the clamps down on what is covered on a cyber policy because it's too open-ended. Sometimes the insurer will put specific terms on the insured like: you have to have ransomware procedures, you have to have two-factor authentication. Look, if you're going to do all those steps in your company to eliminate the risk, why not self-insure for a certain amount and then place a captive to do a stop-loss over and above what you can absorb as a company?

Remember, we're not attorneys—we're not giving you legal advice. This doesn't apply to every company, but make sure you get good advice from your corporate counsel or maybe your insurance broker. Because here's the thing: the vulnerability and losses that are potential from cyber attacks really have no upside.

Meaning that there's not a ceiling on how much you could lose. If your building burns down, you know how much it cost to build your building. The losses that could occur from a cyber policy are unlimited—they could exceed the value of your company. If you have costs involved to cover losses to customers, to consumers, fines, penalties, criminal fines—this could be something where a typical insurance policy with a limit may not be sufficient. So a lot of times what a company will do is they'll self-insure for a certain amount.

They'll use the best practices from their captive to put in place loss prevention within their company that they would have to do anyways if they bought a regular policy from a standard company, and then use that captive to maybe get coverage from excess and surplus lines, Lloyd’s coverage, or some other types of coverages to cover their catastrophic potential losses from a cyber event. Some CFOs are seeing their cyber policies go up 20–30% a year, which means it's gonna double in three or four years. So why not put together a package either for your own company or maybe create a little co-op with some colleagues or similar industries that can custom tailor coverage with some excess and surplus lines—or like I said, Lloyd’s coverages—that will take care of what happens over and above and beyond what you can self-insure for. Or place some tertiary or mezzanine coverages in the middle of your self-insurance and your stop-loss, because that's going to be a big deal.

Obviously, to do a captive formation, you have to follow the same regulations in your state, make sure you have proper financial disclosures, you have an arm’s length from the parent company, so to speak, and have the right types of due diligence so that neither entity has risk that's off the balance sheet. Right? So if the parent company has risk for the captive, that has to be on their balance sheet. If the captive is relying on the parent company, that can create a conflict of interest. So get good legal advice for that. But whether it’s a captive or even a co-op with a couple other similar companies with similar risks, it’s a way to avoid the wild west of cyber insurance that’s happening right now in the marketplace.

For some companies, this cyber chaos is the reason for creating a captive. In the past, there were enough standard lines for traditional business or commercial insurance, and the markets existed for these commercial lines that you didn't need to form a captive unless you had some very unusual risk—a very unusual business. This is the motivating factor for a lot of companies that never even considered doing a captive in the past. And this is what's kind of triggering that to happen.

And it's not just because it's a hard market. It's because the coverage might be harder in the future. Even if you can squeak out a policy today or next year or two, three years from now, it might go away—or the coverages might not be sufficient. You may want to start putting together a longer-term plan today so you're not going to be non-renewed and lose coverage in a couple years.

Don't use a captive though to try to evade some of the requirements that you'd have for cyber liability. Use the hard requirements that a traditional commercial market would put on your company as guidelines if you're going to create a captive—because those are the best practices anyways. You probably want to exceed the best practices if you're gonna form a captive. Because if you don't, you're going to be at more risk—and with a captive, you have more to lose as well.

So if you're a company that's in the many hundreds of millions or billions, this may be worthwhile. If not, you may go with a standard commercial market for cyber liability. If you have questions, you can reach us at our website. Let us know what you think in the comments: Is this something that applies to you? You've thought about it? Or if you have an existing captive for other coverages, are you looking to add cyber to it because you already have it in place?
