Cyber Terrorism Risks: How a Captive Can Help


A growing concern in today’s hyper-connected world is the threat of cyber terrorism. In the last 10 years we have seen countless data breaches, denial-of-service (DoS) attacks, and ransomware attacks, costing organizations billions of dollars each year. Perhaps the most concerning aspect of cyber terrorism is the threat to critical infrastructure, utilities, health and emergency systems, and even defense and safety.

For example, in June of 2016, a hacker from Kosovo released the personal information of over 1,000 US service members and federal employees to a terrorist group, marking the first time a hacker has been prosecuted on terrorism charges in the US. Just this year a ransomware attack spread to major corporations across the world, paralyzing government departments in Ukraine, as well as the metro network and airport in Kiev. The same attack affected the UK National Health Service and several other countries’ government agencies and infrastructure as well. These events stand out because they are not typical cyber events such as a data breach or identity theft. These attacks were committed by individuals with the intent to cause physical damage or bodily harm and disrupt national economies – characteristics that may classify them as cyber terrorism.

It’s not difficult to see the potential for catastrophic loss that cyber terrorism events can pose to any business, and such events are only increasing. Since 2010, the US Department of Homeland Security has seen a steady rise in reported attacks against industrial control systems across the country. Furthermore, the estimated annual cost of cybercrime to the global economy is US$445 billion.

Utilizing a Captive for Cyber Terrorism

Insuring cyber terrorism risks through a captive reduces an organization’s reliance on third parties and allows it to capture costs and profits that would otherwise go to commercial insurers. In addition, there may be a corporate tax benefit in earning profit for a captive insurance vehicle located in a lower tax jurisdiction. With direct access to international reinsurers and specialty insurers, a captive insurance vehicle can introduce higher capacity cyber liability coverage for its insureds by effectively buying down deductibles through reinsurance. This can provide higher limits and better pricing for unique cyber risks that may be costly to insure, or that are not typically covered by the market, such as physical damage or business interruption resulting from a cyber event.

Additionally, a captive, as a licensed insurance company in the US, gains access to the Terrorism Risk Insurance Program Reauthorization Act of 2015 (TRIPRA). TRIPRA provides a free government backstop against terrorism-related losses, including cyber terrorism, for insurers licensed by a US state or territory. Captive insurance companies have been using this government backstop to reinsure their terrorism risks since its original enactment under the Terrorism Risk Insurance Act (TRIA) in 2002. It allows insurers to make terrorism insurance affordable. By using a captive to access TRIPRA coverage, organizations can often reduce their net retained risk related to terrorist attacks.

It was initially unclear whether or not TRIPRA would respond to losses under a cyber liability policy. However, in December 2016, the US Department of the Treasury issued a “Notice of Guidance” stating that standalone cyber policies reported under the Cyber Liability NAIC code (17.0028) are included within the definition of “property and casualty insurance” and do in fact fall under TRIPRA guidelines.

It is important to note that TRIPRA is activated only for “certified acts of terrorism” as defined by the US Department of the Treasury and Homeland Security. The following five conditions must be met in order for an event to qualify as an act of terrorism:

Additionally, total insured losses (across all insurers) related to any one event must reach at least $140 million in 2017, a threshold that increases by $20 million each year up to $200 million in 2020, before federal government sharing applies. In the event that all of these conditions are met, insurers need only pay a deductible equal to 20% of their prior-year direct earned premium and, for losses occurring in 2017, only 17% of the remaining terrorism losses, while the federal government picks up the other 83%. The quota share for the insurer increases from 17% in 2017 by 1% each year until it reaches 20% in 2020.

Cyber terrorism is a continually evolving risk that organizations must monitor on an ongoing basis. Utilizing a captive gives an organization the tools to address those risks in more cost-effective ways while allowing for a customized and flexible risk program.