What are some of the top cyber threats a company faces on a daily basis?
There are a lot of different cyber threats around the protection of data, the privacy of that data and the security of that data. Cyber is such a broad term and people get confused because of how many areas there are. Cyber is just a generic term but security and privacy of data is the main focus of the product.
Are cyber risks coming from within or outside of the company? What are seen as the bigger threat?
Threat vectors stem from all directions. While current employees cause the largest portion of breaches, according to PwC’s Global State of Information Security Survey, opinions on whether internal or external actors pose a larger risk varies depending on the responder. External threats, which tend to be malicious and intentional in nature, leverage an army of resources to penetrate company perimeters, navigate the network, and mine for crown jewels.
Conversely, internal threats already reside and know the environment but are harder to detect without strong behavioural analytic tools, because human error may play a role.
How will these cyber threats evolve over the next five years?
I don’t think anybody knows. I think what’s unbelievable is that cyber is a risk no one in the captive field had on their radar until recently. If you think of where we as an industry are now, and the fact that in the news you hear of cyber breaches nearly every day, I can’t imagine where it’s going to be in five years.
I know if we don’t do anything about it no one is going to be in a good position. I think by recognising that cyber is an emerging exposure and risk, we can keep it under control and begin to do something. Buying insurance is a good way to start the process but I think captive utilisation is the next step and it also makes a lot of sense for many companies.
According to research in 2015, only 1 percent of captive owners were funding cyber risk through their captives. How has this number changed?
Only 1 percent of captive owners in 2015 is a very small number. I guess it’s because it wasn’t on anyone’s radar then or several years ago. I think we’re going to see exponential growth in captive utilisation for cyber.
Zurich recently launched its new cyber solution for captives. How does the programme work and how will clients benefit from this?
The new solution marries captive utilisation and the products that insurance companies like ours have in the marketplace. It takes our underwriting expertise, the policy forms and the policy infrastructure that we have and marries that to a captive.
The solutions gives the captive the benefit of having the expertise of the policy form and the ability to tap into the services that Zurich puts out in front of captives. Anytime you mitigate losses going to the captive, that’s money saved in the captive and that’s underwriting profit that’s retained. Captive utilisation accrues to the benefit of the parent owner of the captive.
As you said, cyber was off the radar for companies five years ago. What other emerging risks should companies be looking out for?
There continues to be the emerging risks of compliance, or rather non-compliance, or even lack of compliance. If you think about insurance that is regulated in every country around the world and every state in the US, the possibility or risk of being non-compliant is increasing. Captives really need to pay attention to the environment that they’re doing business in, and they need to make sure that the programmes that they are involved in are compliant. The risk of being non-compliant is increasing and that continues to be an emerging risk for captives and their owners as well.
What will be interesting is to see is how the worldwide regulatory bodies look at the cyber threat and how they will craft legislation, controls or requirements on companies and therefore captives to see how that develops. I think it is going to be really interesting.
As more compliance and regulatory bodies look at captives and more of them look at cyber, it will be really interesting to see how that develops. There are some regulatory bodies that are already looking at this issue now. I know the Federal Insurance Office and the National Association of Insurance Companies are both looking at it in the US, as is the International Association of Insurance Supervisors.