
Understand the true cyber threat before committing to a captive
The risks of cyber-attacks need to be properly considered and understood by companies before they consider covering them via a captive, attendees at the Vermont Captive Insurance Association’s 2024 conference have heard.
In a panel discussion entitled ‘Is Cyber Coverage Right for Your Captive?’, conference attendees were told that the number of cyber-attacks is increasing, and that careful attention must be paid to this area.
In addition, a wide range of cyber coverage is now required to cover the impact of cyber-attacks, which include data breach costs, cyber extortion, BI losses, fraud response, data recovery & services, etc.
The panel was moderated by Dan Teclaw, director at AM Best, and comprised: Kim Guerriero, Principal and Consulting Actuary, Milliman, Mike O'Malley, Managing Director, Strategic Risk Solutions, Vermont, and John O'Neil, Company, Assistant Secretary, MassMutual MCAM Insurance.
Cyber risk has a stable outlook now, according to AM Best, as Teclaw noted. He said that this outlook was down to greater demand and increasing take up rates, continual improvements in cyber hygiene, expected profitability over the immediate term, improvements in underwriting practices and policy language and supportive reinsurance & ILS markets.
However, he said that there are also countervailing factors that include increased competition & modest premium growth in US, growing sophistication of attacks using AI, aggregation risks, model risk & divergence among models & a heavy reliance on reinsurance.
O’Neil stressed that before a company should consider a cyber captive, executives should talk to the IT department, face to face, if possible, to find out what the real risks are from cyber threats. Only then should hey consider if a captive was right for the company. He said that it is important to talk to senior staff about cyber & captives – and find out how much the company is spending on IT issues.
Some of the examples of recent cyber-attacks that were mentioned included the WannaCry, Robinhood, Ryuk and REvil ransomware incidents that hit many major US businesses.
It was pointed out that with better cyber hygiene, some ransomware attacks are being mitigated and that ransomware demands are being increasingly ignored, as disruptions are being addressed better.
However, it was also stressed that companies should not be complacent in any way, as the sophistication of cyber-attacks is constantly increasing.
Did you get value from this story? Sign up to our free daily newsletters and get stories like this sent straight to your inbox.