The hard market for cyber insurance, which is expected to continue for “some time,” and a lack of capacity has made captive insurers an “attractive risk management option for corporations,” said AM Best in a recent market report.

As part of its look at the U.S. cyber market, AM Best said captives can customize policies to allow parent organizations to assess damage and react quicker, but “sufficient and reliable cyber data for captive insurers does not exist.” They do not file with the National Association of Insurance Commissioners, with the exception of most risk retention groups (RRGs).

“However, many captive domiciles have shown interest in having captives provide this level of detail, which will improve future transparency,” AM Best said, adding, “Both pure and group captives must understand and appreciate the great complexity that cyber poses and conduct detailed underwriting and risk management on the policies that they would offer. In other words, simply a hard commercial market should not be the main reason to transfer the cyber exposure to the captives.”

The rating agency said some pure captives are writing policies with multi-million dollar limits and premiums, using third-party technology and forensic cyber consultants. Based on NAIC data, RRGs wrote about $19 million in cyber premiums in 2021, with limited coverage.

The growth of the cyber market — which overall saw direct premiums written, driven in large part by rate hikes, increase 75% in 2021 — includes the creation of captives or specialty insurers by managing general agents or underwriters (MGAs/MGUs).

“MGAs and MGUs benefit from working closely with their policyholder and insurance brokers. As a result, they are able to recommend measures for policyholders to improve their cyber profiles and practices, while they work with brokers to create customized coverage. At-Bay, Coalition, Corvus, Cowbell, and Resilience are prominent entities in this area,” AM Best noted in the report, U.S. Cyber: The Hardest of the Property/Casualty Markets.

Growth in cyber insurance is far outpacing the rest of the property/casualty industry but claims are also up, AM Best observed. Claims on standalone cyber policies are the majority, as first-party ransomware claims increase. Claims on standalone first-party policies grew an average 38% over the past five years, though the agency said definitions of standalone and packaged policies “appear to be open to interpretation.”

Despite the ongoing growth in cyber claims in 2021, cyber insurers’ underwriting performance still improved, as evidenced by an estimated combined ratio of 91.8 in 2021, although the estimated combined ratio on standalone policies was worse at 98.8, according to AM Best. With cyber attacks becoming more complex, AM Best expects the cyber market to remain hard for some time.

AM Best predicted Berkshire Hathaway’s acquisition of Alleghany will move it into the top 10 cyber underwriters, currently led by Chubb, Fairfax, XL Re, Tokio Marine and AIG. The aggregate combined ratio of the top five insurers is more than 100, led by AIG’s combined ratio of 154.2 — most among the top 20 cyber insurers. The total combined ratio for the top 20 was 92.6 in 2021.

“Even more concerning, actual underwriting expenses may be even higher than the overall line,” AM Best said. “Services provided during the underwriting process — evaluating cyber defenses in place, assisting in upgrading cyber defenses, and warning clients when threats are detected — all drive up underwriting expenses.”

Organized by policies-in-force, Hartford by far writes the most cyber insurance policies, eclipsing the next three insurers on the list combined.