COVID-19 and the Importance of the cyber captive

Remote work, extended quarantines, and an increased reliance on interconnected devices and the Internet of Things (IoT): COVID-19 has brought about many changes to how organisations look to operate. Business continuity plans are being dusted off and implemented, and with each uncertain day, are being revised to adapt to new circumstances and needs.

However, as employees focus on protecting themselves and their families, cyber-criminals are taking advantage of the pandemic to target underprepared organisations. While recent days may bring about a larger number and variety of threats, the risks with which they are associated remain the same.

A source of frustration for many companies is an inability to truly quantify the potential damages related to cyber threats and their associated risks. As we have seen in recent years, the costs of a data breach or hacking event can be astronomical, but the “costs” are far more than financial. Operationally, reputationally, legally, and financially, organisations face a multi-faceted network of risks, both in the short and long-term.

Furthermore, with heavy reliance on IoT, critical business systems, networks, and data are put at even greater risk with each device serving as a possible entry point for cyber attackers. These factors contribute to the difficulty of underwriting cyber insurance policies, as well as the unpredictability of claims; as our cyber landscape is constantly evolving and adapting, so too should our policies.

Captives may be the missing link in filling in coverage gaps and encouraging organisations to take on proactive approaches to their security postures, risk assessment practices, and interdepartmental cyber education initiatives. The flexibility allowed by captive policies complements the adaptability required of a strong proactive security programme and prevents the oversimplification of risks and costs that may occur with a blanket approach to cyber insurance.

The AON 2019 Global Risk Management Survey points out the cause for a reduced perceived cyber risk ranking. “In this year’s survey, cyber risk has slid down one place…the decrease could also be attributable to ‘cyber fatigue’ that is creeping into senior leadership teams,” it said. This is particularly troubling since, “the number of companies that are claiming cyber-related losses has doubled since 2015.” Unfortunately, an increasing emphasis on cyber threats in the media and elsewhere may have led to senior leadership becoming numb to the complex web of risks it brings into an organisation. The all-too-powerful human element of security, the very space in which a single employee falling prey to a phishing scam can be catastrophically damaging, is often overlooked. However, the survey goes on to say:

“As the market becomes mature, and more companies recognise the value of risk assessments and modelling, this will likely lead to a material premium level growth in captives. The captive will evolve as a strategic tool for organisations that are dealing with cyber risk in an enterprise-wide approach. With the increasing risk complexity and market dynamics, a captive can be used as a facility with which to harness expanded coverage and leveraging tailored response capabilities in the future.”

Where next?

The events of 2020 will most likely have a powerful impact on the next survey, as “cyber fatigue” is hardly an option given the current circumstances. With a likely increase in cyber events given the intensified reliance on remote work and threats brought about by COVID-19, insurance premiums will likewise increase and make captives a very appealing option for many organisations.

As proactive security and holistic cyber approaches become the norm, so too will captive cyber insurance policies. In many ways, the strengthening of security procedures and policies is fueled by the need to obtain cyber insurance especially in relation to enterprise risk management platforms, comprised of overarching risk mitigation and identification strategies that apply to each department.

The recent COVID-19 pandemic will most likely yield unprecedented levels of cyber threats. Many of these threats are not new, but will substantially target organisations who failed to conduct holistic enterprise level security preparation consisting of more than just a “lock” or “password” on endpoints or front door.  Use of VPNs, email security practices, anti-virus solutions, social engineering attack training and education, as well as established communication channels for reporting incidents that occur in remote environments, are all components of a strong security programme. As we continue to manage our new normal with remote work being a reality for many organisations, cyber security is truly paramount as we rely on our interconnected digital spaces to stay operational.

The high price points of commercial insurance policies paired with a lack of tailored coverage is best substituted with the personalisation of a captive. While the issue of unpredictably large claims remains a risk to reserves given the nature of the cyber landscape, this problem is mitigated by the increased attention to cyber threats that having a policy requires. It also encourages an emphasis on proactive strategies.

As society begins to rebound from the shock of COVID-19, it is essential that organisations acknowledge the need for business continuity planning, strong cybersecurity procedures, and preparedness. Any security culture attempting to replace “cyber fatigue” with “cyber enthusiasm” may look to captives as a viable option. Turning to captives will invigorate leadership support for cybersecurity and provide much needed coverage that may be difficult to obtain through commercial insurance.

Mark Lanterman is chief technology officer at ComputerForensic Services. He can be contacted at: mlanterman@compforensics.com