28 November 2016 | Law & regulation

EXCLUSIVE: Cyber risks increasingly on radar for captives

The nature and degree of risk captives may face depends on cyber risk exposures that the captives’ underlying owner or sponsor has and what coverage is written by the captive, according to James Auden, managing director of property/casualty insurance at Fitch Ratings.

A report by Fitch Ratings from November 15 states that cyber risk awareness is increasing among US financial institutions and regulators. According to Auden, this is no different for US captives.

The recent release of an advanced notice of proposed rulemaking concerning enhanced standards for financial entities’ cyber risk management stressed the rising concern regulators have over systemic and institutional vulnerabilities.

“Cyberattacks are one of the most significant and growing risk areas for financial institutions and an increasingly relevant factor for their risk control frameworks,” Fitch said.

“The potential for cyber risks to negatively affect operations, reputation and financial performance suggests that it will continue to be an increasing focus for financial institutions and regulators.”

Auden claims that captives can face the same cyber risks that other primary writers face. He said: “Cyber risk for a captive may be embedded in existing commercial property, liability or package policy limits or may be explicitly covered in cyber specific coverage.”

Auden offers reassurance that captives can manage cyber risk in a similar way to other risk exposures, by managing aggregate exposures or by applying sub-limits or exclusions specific to cyber in policy terms.

“This may not be helpful to the sponsor’s cyber risk management programme. There is also some access to reinsurance coverage related to cyber,” Auden added.

“To the extent the captive and its management is actively involved in the risk management programmes of the sponsor, activity in mitigating cyber risk by protecting key systems and networks, training employees in cyber risk prevention and creating post-breach response protocols, or may involve management of the captive organisation,” Auden concluded.