28 Oct 2020

Bridging the gap

Aon’s Aidan Kelly discusses the cyber risks that companies are facing and how a captive can help provide specific coverage

What role can a captive play in assisting with cyber risks?

The risks faced by organisations from cyber risks continue to expand. Deployment of digital technologies across all facets of operations in an organisation brings greater risks and the commercial market coverages and capacity do not always meet client demand.

To bridge the gap between traditional risk transfer solutions and risk retention, a captive can act as a financing or funding mechanism. Engaging a captive as a fundamental cornerstone of how organisations tackle cyber risks can be considered and it can help maintain strategic control at an enterprise level rather than the response just being managed at an operational level, for example, forensics and disaster response teams.

What types of coverage around cyber risk are you seeing people use captives for?

In general, the use of captives to help protect against cyber-related losses is grouped around three categories: theft of money; loss of data; and disruption of operations.

The ability of a captive to potentially provide broader coverage and more specific loss triggers than the commercial market creates an opportunity generally to better manage the financial impact of a cyber event, a faster return to normalised operations through the prompt availability of funds from the captive and the ability to better interface with the information security functions in an organisation to develop an enterprise-wide response to a cyber event.

What has the COVID-19 pandemic highlighted to companies around cyber protection?

The pandemic quickly showed us that many businesses were simply underprepared to transition to a majority remote workforce in such a short space of time.

The need to continue to operate effectively needed to be balanced with implementing robust, secure technology to support data privacy and other business needs. As with all systems, it is only as strong as the users. Many employees lacked basic cyber training so were more vulnerable to cyber attacks and scams particularly as they were not operating in their usual office environment.

In addition to providing insurance coverage for these increased risks, a captive may encourage risk managers to consider how a captive can participate in a wider risk financing programme to provide funding for employee cyber awareness training as an example or support for the IS teams to help deploy better defence strategies against cyber-attacks and scams.

In a report in 2019, the number of captives retaining cyber risk was 3 percent. Do you see more firms writing cyber risk into their captives now?

Cyber risks continue to be a hot topic within the captive industry and are discussed across all industries.

While the number of captives writing cyber risk is rising, albeit from a low base, there continue to be challenges around the quantification of risk for cyber exposures.

Challenges include identifying and mapping the cyber risk to the business and technology profile of the entire organisation; modelling the financial impact of a cyber event; and designing a risk financing strategy to evaluate the viability of captive utilisation and determining whether the risk financing strategy reflects the complexity and materiality of the cyber exposure through appropriate limits and policy coverage.

These steps should be aligned across all functions within the organisation: executive leadership, IT, legal and risk management. Such an aligned process embraces an enterprise-wide, governance-led approach that provides an opportunity for non-traditional stakeholders to create value in understanding and managing these risks using a captive.

There are two other dynamics or vectors for change here. The first is the continued rise in ransomware attacks, forcing many ‘non-traditional’ buyers to move from non-affirmative (silent) coverage to affirmative cyber coverage such as manufacturers, food, agriculture and beverages, heavy industry, extractive industry etc.

The second is the continued hardening of the market increasing the value of leveraging alternative risk transfer vehicles and captives.

How do you see cyber risk changing over the next 12 months?

In the period post-COVID-19, the increased deployment of remote access and cloud infrastructure will create more dependencies on IT service providers to keep businesses running. This will require risk managers to better understand vendor onboarding, vendor control environment, contract risk management philosophy and process, and insurance implications and solutions (i.e. dependent systems coverage and limits).

An increase in ransomware events will force many companies to think beyond ‘data breach’ to cyber triggered business interruption as a material enterprise risk.

This will drive investigation and innovation in business continuity management and cyber business interruption coverage.

The hardening marketplace, both with respect to the ability to access broad coverage, sufficient capacity, and the need for more technical underwriting by lead markets, will force companies to consider more alternative risk transfer/captive utilisation.
