Cyber risk is one of the biggest challenges organisations are facing, and cyber attackers are using new methods to target businesses of all sizes across all industry sectors. As risk managers grapple with this evolving cyber risk landscape, cyber insurance is a valuable component of cyber security efforts. Retaining some cyber risk in a captive, or exploring structured risk solutions, can play an important part in an overall cyber risk management strategy, as Vanessa Leemans, Head of Cyber UK & Lloyd’s, and Owen Williams, Global Programmes & Captives Regional Director UK, Nordics & Ireland, explain.
The global cost of cybercrime is predicted to reach $10 trillion by 2025, according to Cybersecurity Ventures. Cybersecurity has risen to the top of the corporate agenda in recent years. Some well-publicised breaches and the rapidly changing nature of the threat, means that our clients consider cyber risk as one of the biggest strategic threats they face. A cyber attack can lead to devastating financial consequences, from immediate crisis expenses, legal costs and business interruption losses to longer terms consequences such as reputational impacts and potential share-price drops, among others.
Against this backdrop, cyber insurance is one important tool in helping clients to assess, manage and mitigate their risks. And using a captive to retain some of that risk is becoming an increasingly useful way for companies to strategically manage their cyber risks, while the use of structured insurance solutions to transfer cyber risk is also garnering interest as clients seek cost-effective, responsive ways to manage this changing threat.
An evolving risk picture
Not only is cyber potentially one of the biggest threats that a business faces, the cyber risk landscape is fast evolving as cyber criminals adapt their methods to try to stay one step ahead. The techniques employed by attackers are becoming ever more sophisticated; such as the increased use of triple extortion.
This involves a hacker encrypting and extracting sensitive data and then demanding two separate ransoms – one to unblock the affected IT systems and the second to not disclose the sensitive data; this is double extortion. Thirdly, hackers then leverage that stolen data to demand an additional ransom from individuals to not disclose their personal data.
The adoption of these increasingly sophisticated techniques by cyber criminals means that risk managers and their cyber insurance partners are continually examining the threat landscape, testing protocols and defences and refining coverage. Cyber insurance not only provides a risk transfer mechanism, it also incentivises risk mitigation. For example, when underwriting a cyber policy, underwriters will look for key cyber hygiene controls like multifactor authentication, back-ups for critical systems stored off the network, regular testing, patching processes, and so on.
Captive fronting solutions
Cyber risk transfer solutions have been adapting to meet the changing threats faced by clients across business sectors. And, increasingly, clients are looking to use a captive insurer to complement and optimise that coverage.
Although some buyers may look to use their captive in reaction to conditions in the traditional insurance and reinsurance marketplace, the most successful captives are those that are long-term, strategic tools that form part of the parent company’s enterprise risk management programme. When a client can demonstrate that it is willing to take meaningful cyber risk in a captive, this sends a strong message to underwriters that it has confidence in its cyber security measures. This willingness to have some ‘skin in the game’ makes those clients a more attractive risk for insurers and reinsurers and can give those captives greater access to capacity.
Another benefit of using a captive as part of a cyber risk management programme is the ability it gives risk managers and their fronting insurers to understand the cyber risk and loss data of the particular client. In an evolving area, where there are not yet decades of historical data, this can be invaluable in understanding and modelling future risk. Working with a fronting insurer that has experience and expertise in claims, for example, can give risk managers a greater understanding of their exposures as they change.
While many clients have already begun to examine putting excess cyber layers into a captive, there are benefits too in using a captive for primary coverage. Currently, while rates for excess cyber coverage have reduced, rates for primary coverage typically remain firm – so we expect to see more clients explore the use of their captive to take on some of their primary cyber risk.
Working with a fronting insurer can give buyers access to the ancillary services associated with a primary cyber policy – like incident management and communications support – that can prove so vital to building resilience before an attack, and in recovering more quickly after an attack.
For clients with existing captives, adding cyber coverage into the captive can provide diversification benefits too. From both a capital allocation and an enterprise risk management standpoint, this enables clients to maximise the advantages of a captive insurer to their overall strategy.
Structured solutions
Another innovative way that clients have been exploring as they look to manage cyber risk is the use of structured (re)insurance programmes.
A structured (re)insurance programme can offer multi-year coverage and protection against risk volatility. These solutions can involve an element of profit and risk-sharing over time with a reinsurer, insulating clients from annual risk spikes caused by large individual events, or aggregated losses. Structured solutions can enable captives to redeploy capital where needed and also to protect them from fluctuations in the traditional insurance market pricing cycle.
Structured (re)insurance is well-suited to helping captive clients to manage cyber risk not only because it gives clients a degree of certainty about the maximum premium payable in any one year while limiting the level of retention on the balance sheet; it also can reward a buyer for good claims management by essentially building up an ‘experience balance’ over a period of time, that can be paid back to them at the end of the term of the contract.
Readying for the future
The cyber risk landscape will continue to evolve as businesses across all sectors increasingly come to rely on digital technology and cyber criminals continue to find ever more sophisticated ways to exploit gaps in security.
As the cyber threat evolves, so too does the need for clients to have the ability to assess, manage and transfer it. Captives are a well-established part of the risk management landscape and can give sophisticated clients additional tools to assess, mitigate, retain and transfer both traditional risks and evolving, critically important risks like cyber.
Captives, and solutions like structured (re) insurance, will, we believe, play an increasingly important role in this process and in helping businesses to gain not only greater cyber security resilience but greater confidence in their ability to recover from cyber attacks.
