Optimising cyber risk management: key captive considerations
Enterprise risk management (ERM) is the process of viewing all the risks of a company holistically and developing ongoing and adaptive strategies for the entire risk portfolio. In many ways, common ERM strategies related to risk identification, risk qualification, risk quantification, and ongoing risk mitigation (risk transfer and non-risk transfer) are relevant to the cyber risk management process.
To highlight the complexity of cyber risk management, consider the recent increase in attacks on school systems. The cyber risks resulting from such attacks often correlate to other, more traditional risks such as professional and general liability. These situations require numerous considerations by the school systems, including those outlined below.
· How to detect a data leak
· How to recover the operations of IT systems
· How to communicate the attack or data leak to an insurer, the parties whose information has been compromised, and regulators
Similar to other industries, as technology used by entities and hackers emerges, the threat landscape evolves alongside it, shifting both the types of breaches and the lines of defence. Furthermore, potential event severity is continuously evolving, which affects the way risk transfer options might be optimised.
Captive utilisation as a cyber risk transfer option is only one part of the much broader and more complex cyber risk management process. This broader focus should never be lost. Cyber risk has unique experts, processes, and non-transfer strategies that should always be considered. The management of cyber risk includes considerations relevant to general risk management as well as risk quantification principles. The following items are suggested considerations within the captive insurance context from risk management and risk quantification perspectives.
Cyber risk management considerations
· Expand the list of experts normally involved in placing new risks in a captive to include a specialisation in cyber risk. This expanded list should consider the chief financial officer, the chief information security officer (CISO), and key IT personnel. The CISO and key IT personnel in particular can play a crucial role in a company’s risk mitigation and incident response strategies related to cyber risks.
Their technical expertise might aid risk mitigation by identifying specific vulnerabilities, recommending security controls, and assessing the effectiveness of risk mitigation efforts. They can also provide insights into incident response planning, including technical aspects such as containment, forensics, and recovery.
· Consider risk qualification as an important preliminary step in addition to risk quantification. As stated earlier, many steps in the development of overall cyber risk strategies mirror an ERM approach. Qualification of key cyber exposures can help all parties have a better understanding of the risk before the more detailed quantification stage begins. This may also add renewed value to prior risk evaluations, as a similar process might have already been completed by the IT department.
· Continue to participate in the traditional underwriting process. Cyber underwriting submissions are detailed and may give clear insights into strengths and deficiencies. Understanding the current commercial marketplace and what ancillary coverages are available is key to understanding if the captive might serve as a viable component to an overall cyber risk strategy.
· Gain an understanding of the current non-risk transfer strategies in place. These strategies put additional emphasis on the risk mitigation efforts that a company should already be involved in, regardless of any risk transfer strategies. Additional steps that should be taken when utilising a non-risk transfer strategy are outlined below:
o Regular security awareness training
o Access control and authentication mechanisms
o Data encryption, penetration testing, and red teaming exercises
o Vendor risk management
o Maintaining regular backups of critical data and systems
· Ensure that an active incident response plan is in place. Cyber incident response planning involves the development of a structure and coordinated approach to detect, respond to, mitigate, and recover from cyber incidents. An incident response team should be established with clearly defined instructions on how to proceed in the event of an incident.
The response plan should regularly be reviewed and revised as the risk of the company and the risk of the market continue to evolve.
Cyber risk quantification considerations
· Confirm that the analytical experts, including the actuary, have expertise specific to cyber risk. While current actuarial exam syllabi do not contain significant specific material related to cyber risks, there are several key areas of ongoing education that actuaries should be engaging with related to cyber risk.
These include cybersecurity knowledge (including a strong foundation in cybersecurity principles, technologies, and best practices), data analysis and statistical modelling techniques, policy wording and coverage analysis common among cyber insurance policies, and regulatory knowledge related to privacy laws and data breach notification requirements.
· Discuss the internal management of cyber events, including the definition of a cyber incident and how cyber incident data is classified. Our prior experience in this area has involved several situations where companies had zero claims reported to the carrier but several incidents. Developing a consistent process for maintaining internal data supports the risk quantification phase.
· Discuss appropriate industry benchmark considerations related to industry rates, industry claim severity, and industry rate filings. This information can supplement a company’s unique cyber incident data. Additionally, market quotes or current premium for any existing cyber insurance should be considered.
· Define programme structures clearly. Any risk quantification should be based on a clear programme structure in terms of retention and policy coverage. Cyber captive structures can vary widely from a straightforward low-level deductible buy back coverage to complex programme structures with higher retentions and detailed policy language.
Cyber insurance coverage is often offered by commercial insurers as core coverages and supplementary coverages (each with varying policy language). Cyber losses that do not fall under one of a policy’s standard categories or supplementary pieces will often not be covered under a traditional insurance policy. The use of a captive as a cyber risk transfer option may allow additional flexibility for coverage of cyber losses for which coverage is not available or affordable through a commercial insurer.
The parameters of cyber risk change constantly as hackers adapt and expand their avenues of threat. It is therefore important to understand that cyber risk should always be strategy-focused and not simply funding or transfer-focused. Cyber risk has key mitigation and incident response components which need as much care as the funding or transfer mechanisms being implemented.
These risk mitigation and incident response components must regularly be reviewed and adjusted as the cyber risk landscape changes. A captive strategy should always integrate important considerations from these components, which requires a multidisciplined collaborative effort with ongoing strategy adaptation and active incident response plans.
Michelle Bradley is a consulting actuary at SIGMA Actuarial Consulting Group. She can be contacted at: mb@sigmaactuary.com
Jason Luckett is an actuarial consultant at SIGMA Actuarial Consulting Group. He can be contacted at: jason@sigmaactuary.com
