Talking Shop: Benchmarking Helps Move Insurance Off IA’s Plate

March 20, 2024

Editor’s note: NeuGroup’s online communities provide members a forum to pose questions and give answers. Talking Shop shares valuable insights from these exchanges, anonymously. Send us your responses: [email protected].


Context: Buying insurance coverage is an important and challenging task for most corporations, a form of risk management known as risk transference. Companies purchase policies to cover losses including those from property damage, cyberattacks, claims against directors and officers, and product liability.

Insurance off IA’s plate. The member of the internal audit (IA) group who posed the questions below is now chief audit executive at a company where IA had shared responsibility for insurance—uncommon among NeuGroup members.

  • The benchmarking the member did with Mr. Howard’s assistance helped him move all insurance oversight to an individual on the chief accounting officer’s team. That’s also relatively rare, but at this company the CAO “owns” treasury, the member said.
  • Regardless, it’s a welcome development for him: “I’m out of the insurance business!”

Member questions:

  1. “Which function (e.g., treasury, legal, finance, audit) in your company oversees insurance?
  2. “Is there a dedicated individual or team responsible for defining insurance strategy, or is it outsourced to a broker or outside specialist?
  3. “Do you have any formal self-insurance programs or a captive insurance company?
  4. “Our brokers are telling us the median coverage limit for cyber insurance is $20 million to $30 million. Are others in this kind of range or is anyone radically different?”

Mr. Howard helped solicit answers to the member’s four questions and then compiled and analyzed 25 responses. Here are takeaways from his analysis of the results.

  1. Treasury dominates. The treasury function is most commonly responsible for overseeing insurance across companies, emphasizing its integration within finance-related operations. The concentration in treasury underpins a company’s strategic financial oversight and aligns with broader corporate risk management.
  2. Internal teams with broker support. Companies often have dedicated internal teams or individuals (ranging from a single manager to more complex teams) responsible for insurance strategy. These teams work closely with external brokers (e.g., Gallagher, WTW, Simkiss & Block) who assist in negotiating terms and advocating claims, thereby blending internal expertise with external insights.
    • Strategic outsourcing. Some companies outsource strategic elements to brokers while retaining internal oversight, particularly for specialized areas like cyber insurance; this approach leverages external expertise without ceding control.
  3. Mixed approaches to risk management. Responses indicate a variety of approaches to managing risk, including self-insurance through retentions and the establishment of captives. The choice between these approaches often depends on company size, risk exposure, and financial strategies.
    • Selective use of captives. While not all companies utilize captives, those that do often cite their utility in providing a “rainy day fund” for losses, indicating a long-term strategic approach to risk management.
  4. Cyber coverage based on risk and size. There is significant variation in cyber insurance coverage limits, reflecting differing company sizes, risk exposures and industry-specific threats. While some companies align with the median range of $20 million to $30 million, others have limits well above this range, and in some cases, into the hundreds of millions.
    • Strategic decision-making. Decisions on cyber insurance coverage are strategic, considering factors like company size, industry, risk tolerance, and cyber security programs. Companies use bespoke modeling, peer benchmarking, and industry trends to inform their coverage levels. Some companies have opted out of cyber insurance due to high costs relative to perceived benefits, highlighting the importance of cost-benefit analysis in these decisions.

More on cyber. Here are some of the comments from respondents about cyber insurance:

  • “We don’t procure it anymore because it got expensive such that it wasn’t worth it. That’s in addition to too many exclusions in place related to our specific risks.”
  • “It was prohibitively expensive for the coverage we were offered, so not worth the premium.”
  • “Our broker provides peer benchmarking data and computer-simulated cyber loss analyses that help our thinking on cyber insurance limits.”

Author: Justin Jones