
16 Sep 2020


Behind the mask

Nobody could have predicted the events that have unfolded so far this year. The COVID-19 lockdown, ordered by governments worldwide, meant a lot of people were required to work from home, with not a lot of preparation involved.

With employees of large and small corporations set up at home, the pandemic provided “the perfect storm” for cyber criminals to operate.

At the start of the lockdown, Zoom Video Communications, an American communications technology company, saw a surge of new subscribers as it became a new tool for business meetings and keeping in touch with colleagues.

However, issues regarding security soon became apparent, especially for companies that were dealing with classified or sensitive information. Zoom was heavily criticised for its lack of end-to-end encryption on the platform. Zoom then addressed the issue with the acquisition of identity management firm Keybase.

Similarly, Barclays released a report in July revealing an increase in impersonation scams for June involving hackers acting as police or existing bank staff.

In the US, the Internal Revenue Service (IRS) focused its annual ‘Dirty Dozen’ list of tax scams on aggressive and evolving schemes related to coronavirus tax relief, including economic impact payments.

Paul Phillips, partner at Ernst & Young (EY), highlights that the COVID-19 pandemic has taught companies that times of vulnerability are key points when cyber protections are required.

Phillips says: “The shifting of operational matters and online capabilities are items that are needed to be tested for cyber, and it has also taught companies that they can function remotely without issue, thus work at home is here to stay.”

Although commercial insurance coverage is available to protect companies against cybercrime, a captive can provide a tailored alternative solution to meet individual company exposures.

John Ferrara, senior manager, EY’s business consulting practice, explains that a captive can help by covering vulnerabilities and key areas where traditional insurance coverage is not available. He adds: “It can also help operations through risk mitigation via controls.”

Randy Sadler, principal of CIC Services, suggests that having a captive can play “a significant role” in assisting with cyber risks.

One of the biggest problems with commercial cyber policies, according to Sadler, is that they are not written broadly enough and contain too many exclusions, effectively rendering the business uninsured when the unexpected happens.

He explains: “Cyber is an insidious and rapidly evolving risk, and captives can write broad policies to address both known and even unknown threats. And, captive cyber policies can be drafted with fewer exclusions, so they can provide far more robust coverage.”

Giving an example, Sadler suggests “many commercial cyber policies exclude losses due to human error on the part of a company’s employees, but many losses are caused by human error, even if companies have solid training programmes”.

However, an Aon whitepaper, titled ‘Cyber risk and the captive market - a match made in the cloud?’, suggests that a captive does not provide all of the answers “but does offer a focal point to gain clarity of this risk, with the strengthened claims and exposure data and market knowledge enabling the implementation of an optimum cyber risk transfer structure”.

Cyber challenges

Like any other type of policy, cyber risk policies also have challenges that a captive owner needs to be aware of.

Adam Forstot, vice president, business development, North America at Artex Risk Solutions, revealed the three challenges commonly seen.

The first challenge is determining an organisation’s true exposure to cyber events. Forstot used the example of when he worked for a large energy firm which was advised it had significant exposure to operational disruption from a cyberattack.

He states: “Upon completing a formal risk assessment, it was determined their critical system only had outgoing communication. While the system could be sabotaged physically, it was not actually susceptible to a cyber attack.”

“They were able to restructure their cyber programme to accurately reflect exposures and avoid potential conflicts with their core property and casualty programme as well as reduce the cyber premium significantly,” he adds.

The second challenge is evaluating which risks to retain and which to transfer.

Forstot says that he worked with a large organisation that had significant cyber exposures, including a very large customer base. He explains: “They were running the cyber programme through the captive with a large, blanket retention backed by reinsurance. We worked with the client to break down the different aspects of the programme and quantify the risks.”

“The assessment concluded that credit monitoring for customers affected by a data breach should be retained in the captive. The client was able to work with their reinsurers to remove the credit monitoring expense from the policy. This allowed the insured to allocate the premium savings and additional capacity to the more volatile risks within the programme,” Forstot adds.

The final challenge is determining the true value proposition of retaining cyber risk. Forstot notes that for many companies the risk of a cyber event is low. If they already own a captive, they may be inclined to drop the commercial coverage and fund it through the captive.

However, Forstot says the cost of coverage for those companies may also be low. “Many cyber policies also include loss control and post-event resources which add significant value beyond the coverage itself. If the captive owner is relying on market rates as a basis for determining the captive premium, then it may not be justified.”

Forstot says: “If they end up having a cyber event, the cost of the loss plus securing those additional resources directly may offset any upside with retaining the risk. Even if analysis supports a higher than market-based premium, they run the risk of having the coverage challenged unless they can establish material differences from the commercial rates (i.e. higher limits or broader coverage).”

Phishing towards 2021

Predicting the future is never easy, but it is evident that technology is not going anywhere; instead, it is only getting stronger and more powerful. As this happens, hackers will also try to stay one step ahead.

Forstot notes that the rapid expansion of the use of online platforms for shopping, communicating, dining, financial transactions and assorted other services seems likely to continue after the COVID-19 crisis has passed. He also points out that it appears likely that many organisations will embrace a remote working environment.

He explains: “These changes could materially alter the cyber liability exposures for many organisations and the way underwriters perceive certain risks. If these developments also lead to increased claims activity then I could see pricing begin to firm and terms and conditions possibly become more restrictive. With the overall insurance market moving into a hard cycle, it’s possible cyber rates simply get pulled along with that trend, regardless of other factors.”

Commenting on what cyber risk changes he sees happening over the next 12 months, Sadler suggests that cyber risk will be worse, and cyber criminals will pivot to take greater advantage of the global COVID-19 pandemic and remote workforces.

He continues: “It will likely continue to be worse for years to come.”

“There are smart people all over the world who are working tirelessly to create cyber havoc for businesses either for profit, for political reasons, for revenge or maybe even just for fun.”

“I can imagine many ways that cyber risks may evolve in the next 12 months and beyond, but if you publish them in this article, you risk giving great ideas to cyber criminals,” Sadler adds.
