Cybercrime is one of the fastest evolving risks for businesses, with a report from Cybersecurity Ventures predicting that by 2019 ransomware alone will breach a business’s cyber security every 14 seconds.
The 2017 Crime Report by Cybersecurity Ventures also identified the “cybercrime epidemic” as the greatest threat to every company in the world, suggesting it could cost the world $6 trillion annually by 2021.
The Equifax data breach and the WannaCry ransomware attack in 2017 exemplified the magnitude of the impact that cyber attacks can have, in terms of both finance and business interruption.
Not only is the attack surface widening as the number of interconnected devices worldwide increases, with the internet of things predicted by Cisco to reach 50 billion by 2020, but the volume and variety of threats posed by cyber risk are also growing.
Jeff Sharer, senior manager in the insurance and actuarial services practice of Ernst & Young, explains: “Cyber risk is not exposure to one specific risk; instead, it is exposure to a group of risks, which differ in technology, attack vectors, means.”
He says: “As the cyber threat landscape evolves exponentially as firms become digital, the cyber risks that were once considered unlikely are now becoming regular occurrences. Meanwhile, the cyber risks that were once unimaginable must now be viewed as a potential occurrence.”
Companies are beginning to take cyber risk increasingly seriously, but there appears to be a gap between awareness and action.
Aon’s Global Risk Management Survey 2017 found that while cyber risk was perceived by the participating companies as the fifth top risk (number two for participants with annual turnover of over $1 billion), just 33 percent had purchased cyber insurance.
Anup Seth, managing director of Aon’s Global Risk Consulting practice, says that this is due to a lack of coverage available.
Historically, cyber risk coverage has focused on data loss. However, with the cyber threat landscape changing, the type of coverage required by companies is broadening, making it difficult for the commercial market to keep up.
Seth explains: “It’s because the product that was available until the middle of last year wasn’t really covering the exposures that they had. If you look at who was buying cyber it was what we would call the data holders.”
“The product that was available, let’s call it cyber 1.0, was really covering the loss of data. Other companies have other exposures relating to cyber and they felt that that particular product wasn’t addressing their exposures and their needs.”
This is where the alternative solutions offered by captive insurance companies can be advantageous.
A captive’s flexibility allows companies to have broader policies that recognise cyber as a standalone peril and address all of the exposures and needs.
Where coverage has historically focused on data loss, one of the key benefits of using a captive is that it allows an organisation to include coverages specific to its exposures that would not usually be addressed, such as business interruption or physical damage resulting from a cyber event, and write those policies through its captive.
In addition to broader and more flexible coverage, using a captive also offers a pricing advantage.
Seth suggests: “With the captive taking the equal retention, the excess layers will obviously be an increase layered factor type approach or you may choose to buy a large quota share excess of the captive retention. Either way, you will make a saving when you look at your total cost of risk.”
Captives can also be beneficial for an organisation’s post-breach response. They can allow organisations to have a predefined process in place in the case of a cyber breach to reduce business interruption, one of the most concerning consequences of cyber attacks for businesses.
According to Seth, putting cyber insurance through your captive, and having a pre-defined claims management and response process, will help to reduce business interruption in the scenario of a cyber attack.
“That’s another big advantage. Having that claim and cyber response team all mapped out prior to actually binding your policy,” Seth adds.
“This will not only influence the insured loss, but also the economic loss from a parent company, and limit their reputational damage and brand impact.”
The advantages a captive can offer work best in a combined structure alongside commercial insurance, either using the captive to supplement commercial insurance and fill the gaps left in the policy, or using the captive to write the coverage’s primary layer while using an excess-of-loss programme and reinsurance to purchase additional limits.
Salil Bhalla, AIG’s UK head of complex multinational accounts, says a combined approach is ideal “as very few captives can provide sufficient capacity for cyber risks without the support of the commercial market. Very few captives will have the underwriting appetite, balance sheet strength or technical expertise to provide the full limits required.”
Bhalla explains: “The size of the captive retention will depend on its risk appetite, with most captives taking a very cautious approach towards cyber risk. Ideally the captive needs a partner with both cyber underwriting and captive fronting capabilities to provide a seamless cyber insurance solution.”
Review first approach
Vital to structuring captives correctly for cyber coverage is the identification and understanding of the danger posed to a company by cyber, and the impact that an attack may have.
A review-first approach, which involves cyber risk assessments and exposure analyses prior to the production of a cyber policy, is therefore critical to ensuring the appropriate coverage is purchased.
Seth suggests: “Getting that exposure analysis done is really critical. That will drive your premiums, it will drive the underwriting process and also the sort of coverage that you can get.”
“It’s almost akin to an engineering report. When insuring a property most underwriters will insist on an engineering report so we are trying to follow the same logic. If you’re a cyber underwriter and we’re now treating this as a separate standalone peril, you want to see the cyber resilience review,” he adds.
An additional consideration in cyber coverage is the upcoming implementation of the General Data Protection Regulation (GDPR) on 25 May 2018. GDPR aims to provide enhanced and uniform regulations for data protection with regard to personal information for all individuals across the EU, and will impose a number of requirements ensuring data is properly acquired, held and protected by companies.
AIG’s head of cyber, Europe, the Middle East and Africa, Mark Camillo, says: “The area that is receiving the most attention from companies is the potential fines and penalties that can be levied—up to 4 percent of global turnover.”
“Due to the potential increase in costs and exposure, more companies will want to make sure that their insurance addresses data security and privacy concerns, whether through a captive or through commercial insurance.”
While commercial insurance is evolving in cyber, and advancements in coverage are predicted this year as cyber begins to be recognised as a standalone threat, the benefits that captive insurance offers for cyber risk coverage mean that it will likely remain an extremely viable alternative solution in a market that is expected to see huge growth over the next few years.
Based on its 2017 cyber report, Aon expects global premiums for cyber to be between $5 billion and $7 billion in three to five years’ time, up from around $2 billion in 2017.
Seth suggests that captive insurers will play a part in this growth.
He explains: “All the signs are there for this area to grow significantly and encouragingly we are seeing that the market has also evolved and is providing broader coverage and certainly the captives have an important role to play in facilitating this risk transfer process.”