Skip to Content

Insuring Cyber Exposure Through A Captive Insurer

Cyber risks have been confounding insurers and policyholders alike as those risks have evolved and expanded in recent years. Indeed, the risks have effectively outgrown the confines of standard commercial insurance coverage, and numerous insurers have developed new products, creating a market for cyber-specific coverages and policies. While predictions about growth in this market have generally been bullish, there are some signs it may be flattening. One recent survey notes only a slight uptick in take-up rate, rising from 24 percent in a prior survey to 25 percent in its most recent survey, of companies purchasing cyber-specific coverages.

Reluctance to enter this market may be driven in some part by the fact that premiums for these cyber-specific policies are relatively expensive and rising due to the numerous high profile data breach cases in the spotlight in recent years. And even in the more manuscripted arena of cyber coverage, one size does not necessarily fit all. Some companies’ risks may be too unique for a commercial insurer to appropriately underwrite and price. As one recent survey found, “[f]or almost half of the companies that have cyber and data privacy insurance, the biggest challenges they faced when purchasing the coverage was finding a policy to adequately fit their company’s needs (47 percent) or the cost (42 percent).” And for many companies, self-insuring may also be cost-prohibitive.

The Benefits of Insuring With Captives

One option that can address some of these issues is insuring through a captive insurer. Captive insurers are insurance companies created as subsidiaries to act as the insurer for the corporate parent (or group of affiliates) exclusively. In many ways captives operate like an ordinary commercial insurer, writing policies, charging premiums, adjusting claims, etc. But there are important differences that can make them more attractive to companies with unique insurance needs, such as those with unique cyber risks. As one industry commentator noted:

Given some of the confusion in the insurance market and the complexity of the risks, the benefits of retaining those risks via a captive and thereby gaining a better understanding of the losses and expenses, having greater risk oversight and potentially reducing the overall cost of risk may be very appealing. A captive can be a useful tool to retain risk within the burn layer and also assume broader cover not available in the traditional risk transfer market. Nuno Antunes, et al “Addressing Cyber Risks with a Captive Solution.

While many associate captives with large corporations that can afford to fund the necessary insurance operations and reserves, smaller companies have increasingly formed so-called “micro-captives” (captives that collect less than $1.2 million annually in premiums, as designated by current applicable IRS regulations, although that threshold is slated to nearly double in 2017, to $2.2 million).

There are a number of benefits to insuring with captives generally, such as greater control over coverage terms, better understanding of the insured’s risks and greater flexibility. Captives are customizable in other ways as well, that may favorably impact pricing. Captives also provide a means of direct access to the reinsurance market. And there may also be tax benefits to using captives, including deductions of premiums paid by the insured and of unearned premiums received by the captive. Despite these benefits, companies do not yet appear to be tapping the captive market for their cyber insurance needs.

Where are the Cyber Captives?

Just a few years ago, as the cyber insurance market was still in its more formative stages, captives were seen as a possible, though largely untested option, to covering cyber liability. A reportedly small number of companies chose to insure cyber liability through captives at that time. But that small number does not appear to have increased substantially, if at all, as recent reporting indicates that only about 8 percent of companies are underwriting cyber through a captive. Id. at 107. And if that figure reflects any growth, it may be due simply to the modest growth in the use of captives generally over the last few years. However, and notably, that same survey indicates that the percentage of survey respondents that expect to insure cyber through a captive in the next five years is 23 percent, a substantial 15 percent jump. Id. Thus, while the use of captives for cyber remains relatively low at present, it may very well become a substantial contributor to the growth of premiums in the captive market.

Why Insuring Cyber Exposure Through a Captive May Make Sense

For many of the same reasons that insuring through captives generally makes sense, it may be a particularly helpful strategy for insuring cyber exposure, at least for some companies.


Despite the fact that well-publicized data breaches are driving demand, the expected tsunami of data breach class actions has not yet materialized. As revealed, for example, in

Access to the Reinsurance Market

Another important benefit to insuring through a captive generally is direct access to the reinsurance market, which is a wholesale, international market through which insurers can hedge their own risks for potentially catastrophic losses that would challenge reserves. Direct access to reinsurance may therefore be especially apt for cyber exposure given the uncertainties that still surround underwriting, and in particular predictive valuation of the still undeveloped claims experience and the possibility of a catastrophic liability. There may be cost-savings, insofar as reinsurance can be obtained at a lower cost for a captive as it cuts out intermediary commissions and fees.

Cost Savings

Another highly motivating factor for forming a captive is cost-savings. And that is an especially motivating factor when it comes to cyber coverage, which, as discussed above, is growing increasingly expensive in terms of premium costs.

As discussed above, there may be tax benefits to using a captive. However, any company considering entering the micro-captive captive should carefully consider the nature of the risk-shifting and risk-distribution, as the IRS has increasingly been scrutinizing micro-captives to ensure they are acting as true insurers, and not tax-avoidance vehicles. However, assuming an appropriate risk-shifting/distribution model, qualified micro-captives have the added benefit of no taxation on premium income, even earned premium. They are taxed only on investment income.

But there may also be hidden costs beyond simply premium dollars that could potentially be avoided through use of a captive. One example is the cost to a company to simply gain access to the commercial cyber coverage market. Underwriters in the commercial cyber market are increasingly employing standards that must be met in order to access coverage. But these standards may be more or less applicable to any particular insured, and by using a captive, an insured may have greater flexibility regarding underwriting standards, and the concomitant costs.

The combined potential tax savings, premium savings and underwriting savings may or may not outweigh the burdens of forming and operating a captive, including third party management costs, which are typical for micro-captives without the necessary expertise to operate an insurer. But there are enough possible cost-saving variables that companies frustrated with the commercial cyber insurance market may find worthwhile to investigate.

Republished with permission by Law360 (subscription required). Originally published by PropertyCasualtyFocus.

Authored By
Related Practices
Cybersecurity and Privacy
©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.