Mitigating cyber risk via captives
The reality today is that virtually every individual and organisation is vulnerable to a cyber attack, and the nature of the threat is continually evolving.
The mayor of Atlanta, for example, has been quoted as saying: “We are dealing with a hostage situation.”
She was referring to the computer systems supporting many of the city’s departments. In March this year a shadowy group of hackers gained access to the city’s networks and encrypted massive amounts of data; they demanded $50,000 in Bitcoin to release it. While Atlanta authorities will not comment on whether they paid the ransom, the city’s employees and citizens are still grappling with the many headaches and inconveniences caused by this attack.
Your organisation may have robust protection measures in place to guard against a ransomware attack such as this, that is usually launched via a worm embedded in an email attachment. But what about all those internet-connected devices such as surveillance cameras, printers or “smart” building controls that are now common in all types of settings?
Another example: a casino installed an internet-connected thermostat in the fish tank in its lobby. Being able to regulate the water temperature remotely seemed like a good idea; until hackers used the thermostat as a back door into the casino’s networks. Once inside the system, the hackers found personal data on the casino’s high roller clients, which they pulled up to the cloud, again using the thermostat as a conduit.
“Managing cyber within a captive allows the corporate risk manager to monitor this risk and capture valuable data and insight on the parent company’s vulnerabilities.”
There are innumerable other examples of hackers exploiting flaws in a connected object for malicious purposes. Considering the number and variety of internet of things (IoT) devices in use in different settings, preventing hackers from exploiting security gaps in connected objects can be a daunting proposition.
In practical terms, that can mean making sure someone in the organisation is continually monitoring all the various IoT devices in use in all its locations for known vulnerabilities and available patches. And when a fix is needed, that could entail, for instance, a worker climbing a ladder with a thumb drive to update the firmware in a surveillance camera.
Moreover, cyber attackers today also have other increasingly sophisticated tools and methods—including phishing, malware, denial-of-service, SQL injection, man-in-the-middle, and so on—for taking advantage of vulnerabilities in devices and systems.
For many organisations, understanding, managing and mitigating their specific exposures to cyber attack is now one of the most—if not the most—important components in their overall risk management programmes.
Responding to this threat also means looking at different options for funding the direct and indirect costs of a cyber attack. According to news reports, for instance, the city of Atlanta has already spent more than $2.6 million to respond to the ransomware attack there.
These costs are escalating. The 2017 Cost of Cyber Crime Study conducted by the Ponemon Institute and Accenture found that the cost of cyber attacks increased by 23 percent in just one year. The companies included in the survey—254 firms in seven countries with at least 1,000 employees—averaged 130 security breaches per year, and spent on average $11.7 million annually to detect, recover, investigate and manage cyber attacks.
Captives have historically been used to finance stable, predictable risks, and there is no question that they are well suited for that. Cyber, however, generally manifests as a volatility risk that is not so predictable.
In recent years, however, more captive owners are starting to recognise the value a captive can deliver as an efficient and effective mechanism for financing and managing less predictable categories of risk, such as cyber.
In my view, there are two important benefits to writing cyber within a captive. The first is that a captive enables the parent company to cost-effectively fund this risk. Since cyber attacks are a matter of “when, not if” for many companies, it makes sense to set aside funds in advance to cover at least some of the costs of an attack.
As noted, however, cyber is a volatile and evolving risk, and trying to anticipate where and how a company could be attacked, as well as the potential economic impacts, can be challenging. These attributes, however, also bolster what I see as the second benefit of covering cyber within the captive: managing cyber within a captive allows the corporate risk manager to monitor this risk and capture valuable data and insight on the parent company’s vulnerabilities and the direct and indirect costs of different types of attacks.
In other words, a captive can help the organisation develop a more informed understanding of this specific risk and the particular threat it poses to the parent company.
Better data about and deeper insight into a company’s cyber exposures can only strengthen the organisation’s efforts to manage this elusive and evolving risk effectively.
That includes creating greater alignment over time with the parent company’s risk profile and appetite, especially by structuring the policy(ies) to better reflect its specific circumstances and needs. Moreover, capturing lessons learned from different attacks can help the organisation identify where and how it needs to strengthen its defenses.
The learnings developed over time can also highlight the particular capabilities and expertise that should be embedded within the risk management programme to minimise the potential for an attack and to promote a fast and effective response when one occurs.
As noted, cyber attacks continue to manifest in new and unexpected ways. Few captives have the breadth and depth of resources needed to effectively prepare for and respond to an incident.
That’s why captives that opt to cover cyber should seek out fronting partners with dedicated cyber teams that can offer an array of pre- and post-event services and capabilities delivered by internal resources and via partnerships with outside experts.
Having ready access to these capabilities is particularly important in the event of a major attack. When an organisation’s systems are breached, for example, being able quickly to call in specialists who are already familiar with the company’s systems and operations can be enormously helpful in limiting the impact of the event and enabling a quicker recovery. These typically include technical specialists who work to remediate the loss and perhaps identify the source of the attack, as well as attorneys and PR/crisis management experts who focus on lessening the collateral damages.
A final thought: using the captive to cover both stable, traditional risks along with less predictable, emerging risks can increase volatility within the captive if there are unusually high losses in a particular year. One way to address that is with a multiline, multiyear programme supported by structured reinsurance. This type of setup enables the captive to mitigate the impact of unexpectedly large losses as premiums for future years are pre-agreed, and the multiyear policy has remaining capacity.
Steven Bauman is XL Catlin’s head of global programs and captive practice for North America. He can be contacted at: firstname.lastname@example.org