Single-parent captives take growing role in owners’ cyber risk management
There has been a significant increase in cases of individuals, businesses and even governments falling victim to cybersecurity risks of all sorts in recent years. Notable headlines have included significant breaches in the cybersecurity of Adobe, Sony, Target, Alteryx, Equifax, Marriott and Yahoo.
It is estimated that more than 80 percent of assets that organisations and companies hold are digital. With the continued advance of technology that allows individuals to conduct a good portion of their daily business (shopping, banking, etc) via the internet, and with key personal information also available in different social media platforms, individuals and businesses are exposed to cyber risk and data breaches that could cost hundreds of millions, if not billions, of dollars.
In the past, companies delegated protection of vital corporate information and customers’ personal records to their IT departments, mainly because those departments were overly protective of what they saw as their domain of responsibility.
But with the growing severity of the risk and exposure, as well as the potential reputational damage to companies, this responsibility has shifted to collaboration between risk managers and their counterparts in IT departments, with active oversight by management and boards of directors.
As a result, risk managers are supported, encouraged and urged to be more assertive by exploring private and government-led initiatives to stay on top of this growing threat.
Some of this risk may be unavoidable, given the fast pace of technological advancement in communications and the exceedingly rapid proliferation of hackers all over the world.
Be prepared
AM Best recognises that companies need to invest significantly, in terms of knowledge and resources, to combat this risk, as it is no longer acceptable to be unprepared for more sophisticated data attacks.
AM Best rates a number of single-parent and group captive insurers in the financial services, oil and support businesses, retail, energy, pharmaceutical and manufacturing industries.
Captive owners realise what is at stake: legal ramifications, reputational damage, loss of business and business interruptions can all cause tremendous damage to a company’s bottom line.
Given the significant potential costs of these risks, AM Best routinely discusses cybersecurity risk exposure and risk mitigation measures with our rated insurers.
For the majority of these entities, this issue is regularly a topic of their enterprise risk management committee meetings. Some companies have gone further, dedicating a designated cyber risk security department solely for this purpose, which is being upgraded and enhanced. A key function of cyber risk security departments is to test the systems routinely, improve their performance and look for potential vulnerabilities.
AM Best has found that in a majority of cases, its rated captives either write this coverage directly or the parent organisation has some level of coverage addressing cyber risk. This is done either through self-insurance (outside the captive) or in the commercial market.
Additionally, within the universe of AM Best-rated captives, a number have been seriously considering writing cyber risk. The hesitancy by other captives—rated and unrated—to underwrite cyber risk derives mainly from the difficulty in quantifying the risks and rewards (ie, a lack of actuarial data and consequence-oriented analytics).
These captives recognise that the implementation of robust risk management to combat cyber attacks requires (i) engaged executive leadership; (ii) targeted cyber risk education and awareness; (iii) cost-effective investments in technology; and (iv) sharing of relevant information.
Rated single-parent captives are reluctant to underwrite coverages they are not familiar with, or where they do not have enough expertise. Consequently, they are putting considerable thought and diligence into framing the policy structure, while at the same time gaining substantial understanding of the many aspects of such risk, before making a final decision.
For those US captives filing NAIC statutory filings, cyber insurance writings have increased between 2015 and 2017 as shown in Table 1. AM Best expects these writings to increase in the coming years.
Table 1: US captive insurance composite (CIC)—cybersecurity coverage
2015 | 2016 | 2017 | % Growth 2015/16 | % Growth 2016/17 | |
Direct premiums written ($000s) | 4,613 | 7,840 | 14,827 | 70 | 89.1 |
Paid losses ($000s) | 185 | 556 | 778 | 200.5 | 39.9 |
Policies in force | 47,603 | 56,966 | 58,305 | 19.7 | 2.4 |
Source: AM Best | |||||
Getting clarity
This deliberate approach is consistent whenever considering any sort of new exposure in a captive. There is a long-standing misconception that captives are places where the owners “dump” difficult risks. From AM Best’s experience in rating a number of single-parent captives in a variety of industries with public and private owners, it is readily apparent that this is not the case.
Corporate controls, internal risk managers, local captive regulations and rating agency concerns all are considered when deciding whether the captive should bear any new type of risk.
A captive that understands its parent’s business is well positioned to understand where the risks are, and while it cannot provide all the answers to mitigate cyber risk for the parent, it is a central point to get understanding and clarity about this risk.
Insurance markets in general can learn a great deal by joining with these captives to offer policies that provide adequate cyber protection. This will lead to a sophisticated evolution of the cybersecurity insurance market, which could offer necessary coverage to more insureds at prices that align with the risks at hand.
This also can result in a better understanding of the degree of loss from cyber incidents, culminating in the development of common cybersecurity standards and best practices.
