With data breaches, cyber security issues and privacy debates hitting the headlines, loss of personal and corporate data has far-reaching ramifications that could potentially change the way business is carried out all over the world...
With data breaches, cyber security issues and privacy debates hitting the headlines, loss of personal and corporate data has far-reaching ramifications that could potentially change the way business is carried out all over the world.
Most high profile stories in the media today address the type of data loss that affects people on a personal level: credit card numbers, medical records, birth dates, ID/passport numbers, and other private personal information.
We should also be mindful of the impact from the loss of corporate data, intellectual property and proprietary information, which in the hands of a competitor, or even an extortionist, can severely disadvantage business.
In today’s digital world, reliance on technology continues to grow at an incredible pace. Regardless of their size, most companies consider technologies such as email, cloud file-storage and social networking to be everyday tools—but not all might be aware of new and changing cyber-related threats, which can be just as devastating as standard physical threats such as fire, flood, wind, and so on.
Network security breaches are occurring with increased frequency, severity and sophistication. PwC’s Global State of Information Security Survey 2015 noted that during 2014, the total number of security incidents detected by respondents climbed to 42.8 million, an increase of 48 percent over 2013.
Moreover, this survey suggests that insiders, namely current and former employees, represent the most cited culprits of cyber crime. Their motives are not necessarily malicious, but they may unwittingly compromise data through loss of mobile devices or targeted phishing schemes.
With Cisco forecasting that, within five years, there will be 50 billion interconnected devices—up from 12.5 billion in 2010—we are likely to see an ever increasing frequency of events. Experts agree that no company is safe, and the environment will continue to deteriorate with the increase in reliance on digitised data and the use of social media.
Companies, often with strong balance sheets and technical defences, are concerned about catastrophic incidents, heightened regulatory scrutiny and reputational risk, and are seeking to manage the likely risk of a material cyber security incident.
Given the evolving nature of cyber risks, a captive programme can be an attractive and comprehensive risk management solution for addressing cyber and data protection issues.
Identifying cyber exposures
Cyber security is perhaps the single most important risk to the boards of directors of companies around the world. This is not a surprise considering the global economy has become highly networked and depends on continuous, secure and uninterrupted data flow. The highly networked environment presents tremendous opportunities for enterprising firms, but this opportunity brings risks.
The first, and most important step in assessing a company’s exposure, is to proactively carry out standard systems hygiene. The Center for Internet Security suggested in April 2014 that following these five simple steps can prevent up to 80 percent of cyber attacks:
While standard hygiene is a start, it simply cannot prevent all attacks. Accordingly, many companies are moving beyond prevention and focusing on resilience. A ‘cyber resilience plan’ is best developed by a cross-functional working group of senior managers from sales/marketing, operations, technology, finance, legal, risk and human resources, as well as any other relevant functional areas. The group should meet regularly to discuss cyber security, monitor evolving internal/external threats, and model as well as analyse hypothetical attacks.
Resilience plans should detail roles and responsible parties that will assist and facilitate remediation, communication and crisis management plans as well as operating strategies for various types of events. Using a pre-agreed action plan has been shown to dramatically reduce the cost, recovery time, and reputational damage following a breach.
Cyber insurance
While investing in prevention is paramount, not all attacks can be fully mitigated. For these events, cyber insurance is critically important as it has a key role to play in improving the overall resilience of companies to cyber risk. Insurance is clearly a very useful tool in helping businesses to respond to these threats through risk transfer and providing specific capabilities to address the evolving cyber risks. Cyber insurance provides contingent capital and expert assistance in the event of a cyber attack or data breach. The insurance industry has tailored a suite of products that helps companies to quickly restore their operations and pay financial obligations. Some cyber policies also include risk management and loss prevention services, which can aid companies in assessing and mitigating their exposure to events before they occur.
In the rapidly changing landscape of cyber risk, AIG provides clients with CyberEdge, an end-to-end risk management solution to help them stay ahead of the curve. CyberEdge provides clients access to innovative protection to help safeguard against sensitive data breaches, computer hacking, dumpster diving, computer viruses, employee sabotage or error, pilferage of information, and identity theft.
CyberEdge responds to both the liability, as well as the first-party direct costs associated with a cyber event. Some examples of first-party costs include forensic expenses, notification costs, credit or identity monitoring, and loss of income from a network interruption. From a liability perspective, it may also respond to regulatory and administrative actions, including fines and penalties arising out of the event. The insurance policy can be customised, and coverage offerings can be added or removed based on the company’s risk profile.
Increasingly, companies are reviewing their property, casualty and business interruption coverage to ensure that they understand where there may be coverage or a potential gap. Many conventional insurance products exclude or restrict damage caused by a cyber security failure. Companies should consider a standalone cyber policy or supplemental coverage.
AIG has taken proactive steps to bridge this issue with CyberEdge PC. As a first-of-its kind umbrella product, CyberEdge PC fills these gaps with excess and drop-down cover for multiple lines of business (property, casualty, aerospace, marine, environmental, healthcare, errors and omissions, directors and officers, cyber, or fidelity insurance policies). This additional layer of protection helps companies to manage the risk of physical damage posed by cyber attacks.
The demand for cyber insurance has grown, and growth is expected to continue during 2015 and beyond. The number of clients buying cyber insurance rose by 32 percent in 2014, as compared to 2013, according to Marsh’s Benchmarking Trends: As Cyber Concerns Broaden, Insurance Purchases Rise report. The cyber insurance limits purchased in 2014 by companies with revenues exceeding $1 billion were on average 22 percent higher than the previous year. Financial institutions purchased the highest average limits, closely followed by the energy, communication, media and technology industries.
At AIG, we are now seeing small- and medium-sized companies express a growing interest in the product. Reasons given for purchasing cyber coverage vary, from board mandates protecting reputations to mitigating potential revenue loss from cyber-induced interruptions of operations.
Insuring cyber using a captive
Cyber coverage represents a great opportunity for a captive to diversify its risk portfolio and/or for a client to transfer to a captive an exposure that is either currently uninsured or not covered by a traditional insurer. When commercial insurance coverage for cyber risk is unavailable or prohibitively expensive, a captive can be used to build a statistical base, which can make securing excess coverage at acceptable terms and pricing easier.
The captive can also be used to provide coverage that might not be readily available in the market, such as future lost revenue or first-party loss of inventory due to technology failure. It is also possible for the captive to cover highly correlated risks, such as cyber and reputation, which may not be packaged in the commercial market.
The use of a captive as part of a cyber programme provides flexibility in design, retention, coverage and the cyber risk transfer structure. Where the insurance market can provide adequate cyber first-party loss, third-party liability and crisis expenses cover, the captive can provide the ability to retain specific covers not so readily available in the market, such as:
There is no doubt that cyber risks will continue to increase as the capabilities of hackers outpace available technologies that would otherwise provide security to companies against an attack. Those that have identified, assessed and planned for an attack are advanced in their goals to ensure protection against their risks.
Those companies with a wholly owned captive might consider expanding the available coverage within their retention, to address individual risks not available from traditional insurance carriers. Small- and medium-sized enterprises interested in such an approach, but without access to wholly owned captive, might consider a ‘rent-a-captive’ solution such as participating in AIG’s own captive cell facilities in Vermont and Bermuda. A rent-a-captive provides many of the benefits of a captive, including features that allow the insured to retain a certain proportion of the risks and better manage the associated costs, without the full operating costs of a standalone captive. A blended approach, including risk retention via a captive and excess risk transfer using AIG CyberEdge, provides clients with broad cyber protection. Many of our clients are choosing this structure for their cyber insurance programmes.
As a closing thought, former FBI director Robert Mueller has said that there are only two types of companies: those that have been hacked, and those that will be. This remains as true today. How prepared is your company?
