
Interesting times for cyber and captives
Alex Clark and Claire Richardson from Hylant look at some of the challenges posed by the evolving cyber market.
Many business people are familiar with the ancient Chinese curse, “may you live in interesting times.” Interesting is indeed an apt description for the current cybersecurity environment. And with the astonishing rate of development fueled by artificial intelligence (AI), that environment is evolving faster than ever.
That is true for the technology – and every bit as true for the strategies and products companies use to indemnify their business risks related to cybersecurity.
Transitioning insurance market
Until recently, commercial insurance coverage for cybersecurity was what the industry calls a very hard market. Carriers were not only increasing premiums for the coverage they wrote, but were also instituting large increases in expected risk retention. Companies that lacked best-in-class cybersecurity controls discovered they might not be able to obtain the scope of coverage they desired or would be expected to pay elevated premiums. As last year ended, the market began to show signs of softening.
Companies that adopted wide-ranging cybersecurity controls, such as administrative and privilege controls, created strong backup protocols, had incident response operations in place and deployed preventive tools such as network endpoint detection and multi-factor authentication, were generally able to buy cyber coverage for less than the market average. Organisations that continuously worked closely with their carriers to inform and shape their cybersecurity efforts were generally rewarded at renewal time with minimal increases.
Still, those costs have remained high enough and coverages sufficiently restricted that a growing number of companies are exploring alternative ways to manage the potential cost of cyber risks. Prime among these strategies is the use of captive insurance companies. In this article, we’ll explore areas of cybersecurity currently generating the greatest concerns, then explain the advantages of using the captive insurance concept to address those and other cyber risks.
Top three cyber challenges
Ransomware and data damage. Ransomware continues to be one of the top three cyber-related challenges facing companies. Organisations that have opted to pay bad actors to restore access to their data frequently discover a single payment rarely delivers access to everything that’s been encrypted. Most of the time, only part of the data is available, and requests for the remainder lead to additional payment demands. In addition, companies often find the encryption process has broken their data into bits and pieces, so they face additional costs in engaging data scientists to locate and reconstruct everything. It can be a laborious process that involves going file by file and device by device, so companies need to be sure their coverage is adequate to fund those extra resources.
Supply chain interference. Bad actors seeking to create as much disruption and chaos as possible increasingly target digital elements of a company’s supply chain. Instead of directly targeting a vehicle manufacturer’s production, for example, they might focus on second or third-tier suppliers such as rubber manufacturers. Without access to a reliable supply of tyres – so important with today’s just-in-time sourcing – automotive production screeches to a halt. Cloud providers are another frequent target, and the chaos created by last year’s CrowdStrike outage (caused by a software flaw, rather than an attack) was a wake-up call for both the vulnerability of systems and their impact on the industries relying upon those providers.
Sophisticated social engineering. Despite stepped-up training efforts and the like, we continue to see that about 80% of cybersecurity claims result from some kind of human misstep. Phishing and spearphishing attacks have become increasingly sophisticated, with bad actors leveraging AI to improve the quality and personalisation of the emails and text messages they send. The days when misspellings and odd language made it easy to spot malicious messages have passed.
The AI threat
As legitimate organisations discover and deploy the powerful potential of AI and other technologies, they cannot afford to lose sight of the fact that bad actors are doing the same. Cybersecurity professionals wage a continuing battle to identify new criminal strategies being used and respond with proactive defences. The increasing pace of change underscores how important it is for risk management programmes to identify emerging exposures and ensure their own strategies and coverages account for them.
Those bad actors
As cybercriminals recognise just how disruptive (and lucrative) attacks on the supply chain can be, they are becoming more aggressive. Given the shadowy world in which they operate, it can be difficult to pinpoint the source of attacks, but it’s reasonable to conclude a large share continues to be waged by state actors. Many recent high-profile attacks have been instigated by a hacker collective populated by teens and young adults located in the US and UK that refers to itself as Scattered Spider. Several members of the group have been identified and arrested, but the attacks continue. While ransom money is a key objective, there’s also some sense that another goal is simply to sow chaos.
Captives and cyber
The captive insurance strategy is often ideal for managing risks associated with cyberattacks because of its inherent flexibility. Every business, network and programme is unique – as are the cyber-related risks they might face. Captive consultants can creatively structure the captive by using tactics such as considering differences in conditions, manuscripting definitions and other policy language, and determining which types of risks are best retained through the captive and which will be taken to the commercial marketplace. The ultimate goal is to ensure that – regardless of the nature of an attack – the company has access to the resources it needs to recover as quickly as possible.
While many captives created during the hard market were designed to address high-deductible policies by taking the lower loss layers, the softening of the market has led to a greater focus on using commercial policies to tackle the primary layers of coverage and using the captive to cover excess layers.
Policy limits
Another trend resulting from the softening of the market involves differences in conditions and limits. Under the hard market environment, many specific risks were excluded from policies or affected by sub-limits. That led captive consultants to manuscript policies to cover issues such as data breaches and response times for ransomware attacks. It became particularly important when companies realised it would take substantial time for traditional carriers to react and issue payments for the claims. The captive can be structured to pay out the claims immediately, so the company can fund its rapid response efforts.
When is it cyber?
A key concern when structuring coverage for cyberattacks is how carriers (including a company’s own captive) classify claims. The company may consider the impact of an attack as a property claim, but if it was triggered by a cyber event, an insurer may refuse to cover it. We’ve seen situations in which companies simultaneously faced cyber exclusions on their property policies and property exclusions on their cyber policies.
That underscores the importance of drawing on outside expertise in both lines when crafting the company’s overall cyber strategy. For example, a captive might be able to fill any gaps created by the combined use of commercial property and cyber coverage. Experienced captive consultants have dealt with this type of situation and understand the most effective approaches to covering the risks.
Industries embracing captives
The inherent flexibility of captives makes them an excellent choice for supporting cyber issues in nearly every industry, but we’ve seen particular interest in sectors that face vast exposures. There has also been increased interest from organisations whose success depends heavily upon multifaceted supply chains. Key examples include healthcare, financial services, manufacturing and construction.
Captives are not the only valid strategy for expanding cyber coverage. For example, few group captives are structured to handle cyber-related claims. In most cases, the companies using those group captives are more likely to address cyber risks through participation in some type of group purchasing programme.
Not a DIY effort
Skilled risk managers might be tempted to pursue a captive strategy to address their cyber risks, but the do-it-yourself approach is rarely a wise move. The complexity and ever-changing nature of cyber risks call for specialised expertise that might not be available internally, and the wide variety of structures, domicile options and the other aspects of initiating a captive make engaging experienced and knowledgeable consultants mandatory. Drawing upon that outside expertise dramatically increases the likelihood that a captive programme not only stands up to current cyber challenges, but is also poised and able to adapt to new and unforeseen types of risks.
The above information does not constitute advice. Always contact your insurance broker or trusted adviser for insurance-related questions.
Alex Clark is cyber practice leader at Hylant. He can be contacted at: alex.clark@hylant.com
Claire Richardson is senior captive consultant at Hylant. She can be contacted at: claire.richardson@hylant.com