Can captives help scale the cyber firewall?
Forget worrying about whether you have been outed as an adulterer on the hacked Ashley Madison dating site—the whole world will soon be caught with its pants around its ankles if Hewlett-Packard is to be believed.
The software giant predicts that by 2020 the US, and by extension the rest of the world, will be hit by a massive coordinated cyber attack that will slam the brakes on the banking system, shut down stock exchanges and cripple communications.
Little wonder then that cybersphere horror stories from around the world continue to haunt risk managers. One third of respondents to ACE’s 2015 Emerging Risks Barometer say hacking and denial-of-service attacks are their main worry.
More than four out of five risk managers in the same study regarded insurance as essential to managing technology risk, yet almost half (45 percent), said technology risk is the area where the insurance industry most needs to develop its capabilities.
That mirrored the findings of July’s UK-based research group Long Finance’s research project which seeks to explore how cyber-catastrophe reinsurance might help mitigate cyber risk and establish evidence of the appetite for such reinsurance.
“The chief concern is the security of the ever-growing volumes of data that insurers hold in cloud-based storage systems. For many, major breaches are inevitable; the question is how much damage they will cause?” the report concludes.
It is the reluctance of many organisations that have been subjected to cyber attack to provide information that is stymieing the market.
Nigel Pearson, global head of fidelity at Allianz Global Corporate and Speciality, says:
“Recent breaches have been eye-watering but there is perhaps a bigger issue at stake, namely frequency. It is very difficult to determine how many companies are suffering cyber security breaches.”
Tom Bolt, director of performance management at Lloyd’s, agrees. “The problem is that the risk is evolving and there is an under-reporting of cyber events,” he says.
The potential scale of the problem is massive.
A Lloyd’s report released earlier this year claims that insurance costs could come to anywhere between $21.4 and $71.1 billion, should hackers succeed in shutting down parts of the US power grid.
Business Blackout: The Insurance Implications of an attack on the US National Grid imagines a scenario of an electricity blackout that plunges 15 US states including New York City and Washington DC into darkness and leaves 93 million people without power.
It’s a scenario that should be read as “improbable but not impossible” but with material losses now in the billions, you could be forgiven for thinking that market demand should have dictated that an innovative and responsive insurance industry would have produced an array of products to meet that demand.
Alas, you would be wrong. As PwC insurance leader Arthur Wightman says with a studied air of understatement in the foreword to the latest PwC Insurance Banana Skins report, “cyber is also an underwriting risk which has yet to be fully scoped”.
And there’s the rub. Although customers are crying out to insurers for cover, few seem to understand the risk enough to underwrite it.
The cyber insurance market is so small that just over 50 insurance carriers offer cyber-related policies, either standalone or as part of special packages, says the Association of British Insurers (ABI), with the US market home to about 70 percent of carriers globally.
In Aon’s Global Risk Management Survey 2013, 7 percent of respondents (captive owners) indicated interest in underwriting cyber risk in a captive over the subsequent five years. Most cited the lack of appropriate cover in the commercial marketplace as the reason.
However, in Aon’s 2014 Captive Benchmarking Tool, which captured data from more than 1,000 Aon-managed captive clients, the number of captives writing cyber currently, is reported at 1 percent, a number which has remained static since 2012.
Understanding the data
A lack of actuarial data about cyber attacks means insurers are finding it difficult to assign the proper value to data or systems, or to determine appropriate policies.
Bolt is calling for a huge anonymised database to be created in order to “understand and price the risk more accurately”.
“Governments also have a role to play. We need them to help share data, so we are able to accurately assess risk and protect businesses,” he says.
The ability for the insurance industry to cope with and confront the challenges coming from cyber attack is becoming more urgent as the EU moves to adopt new EU protection laws where hacked companies will be forced to divulge cases where their security has been breached. The General Data Protection Regulation (GDPR) is scheduled for adoption early next year.
The US now includes 47 states which have data protection laws containing some form of mandatory notification provision. This has led the stateside market to search out solutions to the cyber problem, and captives have provided the answer in some cases.
Gareth Tungatt, the chief underwriting officer at Lloyd’s managing general agent Ascent, explains: “If you look at the US, they more fully understand the kind of impact a cyber event can have on operations and balance sheets, and are already using vehicles such as captives to structure their exposures.
“Firms in the EU are mostly interested in first party liability where they believe there is more of a quantifiable loss rather than third party liability. That’s not the case in the US where huge fines can be imposed and the threat of class action and other legal liability is a constant threat for data breaches, which is increased substantially in certain industry sectors such as healthcare and retail,” he says.
ABI Research, the analytical arm of the ABI, forecasts the market to hit $10 billion by 2020 driven by greater information-sharing and that the understanding of event impact and the associated long-term costs will help underwriting. It concludes that with more than 900 million reported records exposed in 2014 “more companies are seriously starting to consider transferring risks to insurance providers”.
Captives can step up
In December 2013 Google was fined €900,000 ($1 million) for breaking Spain’s data protection rules, but under the new rules this could be as much as €750 million ($860 million).
It is this combination of legal sanction and increased frequency of cyber attack that will grow the market and see captives increasingly develop a role.
Ascent is already in active discussions with a number of entities in the US about using their captives more to absorb the cyber risk and providing reinsurance solutions to sit in excess of these captives.
The market elsewhere is slower to react. “We have yet to see a significant amount of interest from EU-domiciled organisations, although a growing number of larger firms are starting to look for insurance solutions to cater for their cyber exposures,” says Tungatt.
“However, the new EU data protection law will help concentrate minds and help drive the market. When fines and other legal liability start becoming publicised and entities can see a direct exposure then we will see things moving and captives will likely play a part in absorbing some of the risk,” he predicts.
Global broker Aon, while confirming that only 1 percent of captives currently underwrite cyber risk, can see how captives could play a crucial part in mitigating against the cyber scourge by creating bespoke solutions.
The Aon Risk Solutions report: Cyber Risk and the Captive Market: a Match Made in the Cloud? makes this observation:
“Where an external market is unresponsive to any particular cyber risk needs, the opportunity exists to develop specific cyber policies using a captive. This flexibility could facilitate cover that would encompass highly correlated risks, for example cyber and reputation, which may not be packaged in the commercial market.
“Additionally, in the first year given the greater risk maturity of reputational risk, it would also be possible to access the reinsurance market and facilitate a more efficient transfer of risk. We also see the use of a captive giving flexibility in designing an optimal cyber risk transfer structure.”
The risks associated with the cyber threat will drive a $10 billion cyber insurance market by 2020, Wightman says.
“Cyber risk is now ranked number three in Bermuda and it is the top concern in the US and UK.
“As an industry that handles large amounts of other people’s money and personal data, insurers are prime targets. As a result cyber attacks and data breaches are seen as especially urgent by the industry both from the standpoint of a threat but also as an opportunity.”
While some believe that cyber risk has great potential for coverage by captives, others remain to be convinced.
Dennis P Harwick, the president of the Captive Insurance Companies Association (CICA), says: “The story on cyber risk seems to be that everyone is talking about it, but very little is happening in the captive arena.”
Miller’s cyber broking specialist, Simon Weaver, who has been in the business of broking cyber since 1997, says: “It is my view that captives should not be underwriting cyber risks. They are unlikely to truly understand the extent of the risks involved, let alone know which firms would be best suited to assisting them with handling and responding to a major cyber loss.
“If a captive was to undertake the risks we would highly recommend that the captive seek significant reinsurance.”
Vlad Polyakov, broker at Capsicum Re, makes the point that just like any organisation that collects large amounts of data from their customers, captives could be a target for a cyber attack, which could result in liability to customers whose data is breached or destroyed.
“This is especially true in the case of captives that write employee benefits or other lines of business that mean collecting data about individuals. In practice, a cyber breach would most likely occur at a captive management company and those liabilities would impact the managers’ E&O policy.
“Generally the use of captives for cyber risks is very rare, but it could prove a good tool to drive product development and competition in the market.”
Bolt adds: “I can see a way to involve captives but it’s just a question of whether the captive can get reinsurance rather than the company.”
Such reinsurance might be very much needed if Angus Rhodes, head of product marketing and business development at technology company Ventiv is to be believed.
“Captives may be considering cyber cover but do they understand the cyber and data privacy issues within? They might well be holding sensitive data in their own right and therefore are a possible target for a cyber attack themselves,” Rhodes says.
He also makes the point that for larger parent organisations, conducting a regular IT/cyber audit would be a good way of “understanding the risk, plus where to focus risk management spend”.
It is in the area of understanding the risk that the captive structure could come into its own. As with any cover, the cyber market is able only to set premium levels based on valid claims experience.
Because it is an evolving risk and cyber risk exposures are hard to define, difficult to assess and constantly evolving, there is confusion over what exposures are actually secured.
One respondent to the biennial PwC Insurance Banana Skins survey warned about “unknown coverage” and where coverage might fall in the event of a cyber attack.
“Companies might look to claim on existing policies in the event that cyber is not mentioned or excluded anywhere,” he said.
The result is ambiguity over what exposures are actually insured, whether the protection is adequate and whether it has been secured at the right price. Underwriters need accurate date to enable accurate pricing. It is here the captive entity might make a real difference.
“Lack of data is a massive issue in the cyber market. An individual company-owned captive probably won’t be able to gather meaningful data, but there is an opportunity for captives covering multiple companies in the same sector (eg, healthcare) to pool data on losses and aggregation, which will allow those companies to make better risk management decisions and tailor insurance cover to their needs,” Polyakov says.
“The systemic, intangible, dynamic nature of cyber risk means that all parties involved in managing the risk have an interest in sharing anonymised data on the frequency and severity of attacks,” Lloyd’s Business Blackout notes.
As with other ‘non-traditional’ risks, the captive can act as a ‘risk incubator’ for cyber risk, recording the data/information about the risk currently unknown both within the organisation and in the insurance market.
A combination of state help and the ability of captives to act as a reservoir of pooled information will act as an aid to insurers’ expertise in pricing risks and lead to the development of a new generation of cyber insurance solutions for the digital age.