No captive is too small to worry about cyber risk

No company is too small to worry about cyber risk. That was the message from Timothy Padovese, CEO of the Ophthalmic Mutual Insurance Company (OMIC), an RRG formed in 1987, speaking at the VCIA conference.

Padovese said even a small captive like OMIC had sensitive data including claims details, social security numbers, credit card information and credit card information that made it a target for cyber criminals.

“Even small players have a big exposure,” said Padovese.

Christine Brown director of captive insurance at the State of Vermont department of financial regulation, said state governments wanted to act on cyber regulation themselves before the Federal government did.

Some states have already implemented a National Association of Insurance Commissioners (NAIC) model law, and Vermont is currently looking at it, confirmed Brown. But the model law is not an accreditation standard and Vermont did not want to rush into implementing anything that may be onerous for its captive community, she said. “We want to ensure our response is proportional,” she added.

Brown noted that Vermont captives may already be covered by exemptions that would protect them from any onerous requirements of the model law: there is an exemption for subsidiaries with a parent company that has a compliant cyber framework in place. But those that did not secure exemption through that route may be caught out. While there is an exemption for companies with less than 10 employees, service providers are included in the headcount, meaning most captives would not qualify as small enough.