
22 January 2020

Practice what you breach

Technology has advanced so much over such a short period of time – it’s in every aspect of our lives; from how we communicate with peers to how we operate our cars.

In 20 years, we have gone from a computer that had to use dial-up internet, to today, where everything is at the touch of a button. But with all these advances, a door has opened for a new way for intelligent criminals to operate.

Businesses are all about using the latest technology, but many lack the security programmes that protect them from criminal hacking. JPMorgan Chase, Marriott International and social media platforms such as Facebook, for example, were all victims of this criminal activity, which led to the exposure of over one billion data records.

Traditional insurance faces difficulty when dealing with cyber risks as it is a difficult area for these companies to define. Cyber risks are constantly unfolding and full of complexities. They involve intangible data, which presents a challenge for many of these companies. Only a scattering of owners/managers of small organisations knows precisely what they need.

When organisations increase in size and expand into different territories, the complexity increases considerably. All companies deal with cyber exposures in different ways: some deal with major cyber disruptions, while others deal with the worry of interruptions.

With the risks and losses that companies are facing being unpredictable, companies are turning to captive insurance as a more flexible and tailored approach in order to protect themselves.

Phishing for solutions

Aon’s Captive Cyber Survey 2019 found that the volume of captive premium growth for cyber risk has expanded by 263 percent in the past year. This growth has outpaced growth in the commercial cyber insurance market – which saw a 50 percent increase in its annual growth – however, the number of captives retaining cyber risk is low at only 3 percent.

Aidan Kelly, director, risk finance and captive consulting at Aon, suggests that developments are needed in understanding the rationale for captive utilisation, how coverages can be enhanced using a captive and that greater analysis of pricing, funding limits and retentions within overall risk tolerance and appetite is still needed.

Kelly expresses that Aon has noted that the cyber insurance market continues to harden for US and European markets. This is leading to a further reduction in capacity offerings, coverages and competitive pricing.

He adds: “These constraints in the market push clients towards greater self-retention of risks and through that impact, there is a greater need for sophisticated risk retention and risk improvement or funding strategies. This is where the use of a captive can be a primary tool for many clients.”

Aon’s Cyber Captive Survey also predicted that, in five years’ time, 34 percent of all captives will be underwriting cyber, which can be achieved through the integration of cyber risk into a wider framework of risk management, increased capacity allocated to coverage components, and an industry shift in asset value from tangible to intangible.

Kelly explains that a captive, as a central tool for risk financing in an organisation, can act as a protection vehicle or as a funding mechanism.

He says: “Risk or security leaders within organisations can position a captive as a funding vehicle for cyber risk improvements. Captives have long been used as enablers of property or casualty loss prevention or risk mitigation initiatives.”

“This important role can be expanded to the data protection and IT spaces to better protect entities from cyber events and using existing funds within captives as a source of enhancing IT budgets, and ensuring that CISO and CSO’s see the captive as an integral part of the overall risk financing of the organisation,” says Kelly.

He outlines that engaging a captive as a fundamental cornerstone of how organisations tackle cyber risks should be considered and it can help maintain strategic control at an enterprise-level rather than the response just being managed at an operational level.

Covering the risks

According to Fernando Sevillano, head of cyber risk consulting Iberia at Willis Towers Watson (WTW), the diverse cyber risks that exist within companies and pose a real threat include: data breach; social engineering; malicious software; denial of service; insider threat and cyber espionage; web technology attacks; and supply chain attacks.

Sevillano says: “Additionally, regulatory and financial risks caused by cyber threats also apply to the captive industry.”

Cyber risk financing strategies have evolved in response to developments in digital technologies, such as artificial intelligence, distributed ledger technology and cloud computing.

Such advancements are designed to stimulate the economic motivators of automation and connectivity; however, this also poses risks involving disruption, confidentiality and suppliers.

Kelly articulates that risks faced by organisations from cyber risks continue to escalate and develop. The advancements in digital technologies being deployed to drive automation and connectivity in business are creating emerging threats.

He believes that these threats are not just confined to businesses but have evolved into political actions led by state-backed entities launching cyber-attacks for a variety of outcomes. These campaigns and actions are resulting in losses for both public and private enterprises. The main areas of risk are from disruption risk, confidentiality and privacy risk and risk from global networks of suppliers and customers.

On the benefits of having cyber risk coverage, Sevillano states that captive insurance has a specific method of mitigating risks and it must be balanced against other insurance and risk mitigation strategies.

According to Sevillano, for some organisations, a captive insurance programme allows retention of capital and flexibility but he believes the administrative costs, and the cost effectiveness of using traditional insurance markets, can reduce the benefits of a captive insurance approach.

Sevillano adds: “Understanding each organisation’s risk management goals and financial objectives is critical to making an informed decision, especially in regard to cyber risk which can change very quickly and is a fast-evolving market.”

A captive can be used for various cyber risk coverages, including: expanding ‘contingent’ business interruption coverage from ‘dependent systems’ to include key vendors; reputational risk, where more data, benchmarking and methodologies are being developed, leading to greater capacity in the market; increased costs of working; regulatory fines and penalties; and intellectual property claims.

On coverages, Sevillano disclosed that in the last year a lot of companies have undertaken digital confirmation programmes, which incorporate technology (in terms of information and operations) within interconnected systems.

He comments: “While this improves ease and efficiency, the more technology and automation you have, the higher your cyber risk is compared to separate systems. Cyber risks are a very specific type of risk because they are evolving so fast.”

Risk assessment

Cybersecurity expert and risk thought leader Peter Hacker believes that cyber is a known unknown emerging exposure, with billions of business connections and interdependencies triggering many unparalleled challenges for the private, public and (re)insurance sectors.

He outlines three trends he’s seeing in cyber risk and cyber risk coverage: non-kinetic warfare; extortion; and silent (non-affirmative) cyber risks.

Hacker states that non-kinetic warfare is nothing unusual in today’s world, but is becoming exponentially more prominent.

He says: “It’s global, highly volatile and potentially disastrous for economies and individual sectors/companies.”

“Despite such risk development facts, affirmative cyber policies have become broader, in some cases being potentially extended into non-kinetic war.”

He also explains that while state-sponsored attacks are extremely difficult to prove, it is questionable whether such attacks could and should be covered sustainably through the (re)insurance market, and at what price and level of contract certainty.

By the same token, it may well be the case that state-sponsored cyber-attacks cannot be easily excluded, as proper legal proof will be extremely difficult. Thus such an exclusion will again fuel contract uncertainty.

He adds: “Notwithstanding such conclusions, there are sectors (for example, critical infrastructure) in which such attacks trigger the main interest for affirmative cyber coverage and equally massive underwriting headache.”

The question we should ask ourselves is whether governments should offer a state-sponsored pool that would cover the consequences of a wider state-sponsored attack, and if so, at what price, the scope of cover and backed by which additional parties.

Hacker sees trends in cyber extortion coverage as another major concern, “independent of the claim and debate whether paying a ransom is justified or not, I feel cyber extortion should be handled entirely separately in a similar fashion as kidnap and ransom with stand-alone affirmative policy”.

He explains that in certain jurisdictions, disclosure requirements of cybersecurity, insurance and risk management readiness may trigger a deep pocket focus by intruders.

He adds: “Therefore, keeping extortion cover rather of the combined affirmative cyber cover radar may well tackle a significant ongoing incident and subsequent claims challenge that has gone through the roof in certain sectors and jurisdictions in 2019.”

On silent cyber risks, Hacker believes the biggest headache right now is not just the cyber peril development or threat actors, but the internal (re)insurance market homework.

Hacker notes that too many existing policies in property, casualty and other lines of business do not properly exclude cyber (malicious and non-malicious) and are therefore exposed to respond to a cyber event irrespective of whether such coverage was ever intended or any premium was charged (silent exposure).

He stresses: “This ambiguity needs to be urgently removed. It is like an iceberg. The visible part (affirmative) is already dangerous, but the invisible part (silent) underneath the water surface will cause disaster sooner rather than later.”

Security perimeter

There are regulations already in place around the world covering the protection and security of data, such as the EU General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA). More recently, the State of New York introduced specific cybersecurity regulations for the financial services industry, which include requirements for data encryption, multi-factor authentication, incident reporting and third-party risk management.

The GDPR is a regulation in EU law on data protection and privacy for all individual citizens of the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.

HIPAA was enacted by the 104th US Congress and signed by then-president Bill Clinton in 1996.

It was created primarily to modernise the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.

The State of New York introduced the NYDFS Cybersecurity Regulation, a new set of regulations from the NY Department of Financial Services that places cybersecurity requirements on all covered financial institutions.

In addition, South Korea welcomed its Network Act and Credit Information Act, which require mandatory liability insurance for cyber events for certain information communication service providers and financial institutions.

Kelly says that while other US states and jurisdictions have not yet followed New York and Korea’s lead, “it is inevitable that while cyber events continue to occur, legislators will attempt to mitigate exposures and ensure consumers are protected from these events, where possible”.

Meanwhile, Hacker believes that cyber risk is “fundamentally different” from any other current insurable peril.

He explains that it is a truly global exposure and a highly volatile peril, less diversified and fully man-made, driven by criminal energy with a material probability of causing huge economic losses and material insurance losses.

He comments: “Due to this nature, diversification is much less achievable across businesses, corporations and economies than in other lines of business.”

“These ingredients carry huge potential for large aggregate losses as a single event might trigger many independent policies and jurisdictions.”

Hacker makes clear that, depending on the scenarios chosen and the number of threat vectors applied, they have predicted economic losses globally close to $240 billion and insurance damages up to $40 billion in a 250-year return period.

He outlines that a maximum of 17 percent of such a major cyber attack would be covered by (re)insurance today. However, pending court cases around non-kinetic war (cyber warfare) and the definition of data in insurance terms may well have a significant impact on the insurance loss number(s) predicted. He states that incident numbers across industries and continents vary hugely, and so does the level of insurance protection.

“Cyber is a contagious risk which needs to be addressed top down and must become a fundamental minister and board executive priority globally,” says Hacker.

Hacker considers it too complex to be handled in isolation. Regardless of the capital size (re)insurance parties can offer, he stresses that it is a challenge that needs to be addressed on the front foot and top-down by regulatory bodies, the (re)insurance industry, capital markets, cybersecurity vendors and corporations (including captives) together.

Hacker adds: “To my mind, regulators may well play a crucial role including potentially broader solutions (pools or ILS structures) backed by governments, (re)insurers and capital markets in the mid to long term.”
