The prominence and ubiquity of cyber risk suggests that captive use can only continue to gain traction. Aon’s 2021 Global Risk Management Survey, which surveyed over 2,300 risk managers from around the world, found they believed cyber would maintain its position as their biggest risk for the next three years.

For a captive strategy to have optimal impact, it should be anchored in supporting the alignment of the risk and network security communities. This can help drive maturity around insurance purchasing behaviours, while emphasizing risk governance and claims control.

Analysis of the data from our captive utilization for cyber survey suggests that organizations, to date, have not embraced the role that a coordinated retention financing approach for cyber can play for an organization. This position will likely change as the market continues to impose discipline and look to clients for more data points and a more cohesive strategy around risk.

The other observation of cyber insurance buying behaviors suggests replicating the approach that worked for other liability class risks would also work for cyber. However, the nature of cyber is quite different. Most financial lines have a low frequency/high severity profile. While cyber maintains the high severity characteristic, the rising reliance on technology and the current cyber threat environment typically increase the likelihood of an event. Therefore, a more nuanced approach is required.

A captive is a valuable tool at the disposal of the information security or technology function in an organization. Utilizing risk bursaries for risk remediation and quantification projects as a way for organizations to prioritize budgetary spend most effectively across mitigation, retention and transfer will enhance the ability of a captive to play a meaningful role in the cyber risk conversation. This will likely influence insurance purchasing behaviors and direct market capacity to where organizations need it.

Cyber, although no longer emerging, can still be considered in the “incubation” phase for captives, mainly because the traditional risk management approach and the network security communities are not yet fully aligned. However, reframing the captive from a tactical, transactional play to something linked to the broader maturity development of risk will help accelerate this alignment.