Imagine owning an insurance company that you can control, that reduces the cost of your insurance by eliminating underwriting expenses, and that tailors the cost to your own identified risks and risk appetite. And that’s all while reducing your tax burden by allowing the write-off of premiums before payments are made and using reserves to cover the cost of beneficial programs.
Historically, captive insurance companies have most often been used to underwrite property damage, workers’ compensation, medical malpractice, and third-party liability risks. But there’s a 15% projected increase in captive coverage of cyber/network liability over the next five years, according to Aon’s 2015 Global Risk Management Survey. A.M. Best, a U.S.-based rating agency focused on the insurance industry, recently projected that a realistic probable maximum loss from cybersecurity risk globally totals over $30 billion, according to Business Insurance magazine.
There is one hurdle: establishing reserves so the captive can fund future losses. The difficulty with that may be the lack of statistical data and analytics to project the frequency and severity of a cyber-attack or other cyber event for underwriting purposes.
According to the Aon survey, cybersecurity risk is new to its Top 10 list and ranked 9th globally and 5th in the United States. Until now, for the most part, carriers have designed and sold cyber policies inside of commercial general liability, business interruption, and directors and officers liability policies, which have not provided sufficient coverage for liabilities resulting from computer crime, hacking, and/or viruses.
The size of those liabilities and the nature of coverage may need to stem from different attributes than those that have been historically used for other types of coverage. Those attributes may include the level of vulnerability to cyber risk, exposure to service providers, and common vectors of attack.
Captives provide governance structure and a framework for focusing on risk management outcomes and loss prevention. Responsibilities of the captive board of directors include, among other requirements, fiduciary activities (such as the approval of budgets and audit of financial statements), approval and audit of actuarial reserves, and investment performance.
Taking that into account, it’s fair to ask: If public insurance companies are finding it hard to underwrite cyber policies, how can a captive owned by your company do it?
There are many steps involved in establishing a captive, but two come to mind in terms of establishing appropriate levels of cyber coverage. The first is determining the current level of cybersecurity of the organization through the use of a recognized methodology. One such methodology, recommended by SEC Commissioner Luis A. Aguilar, is the Framework for Improving Critical Infrastructure Cybersecurity, which was released by the National Institute of Standards and Technology (NIST) in February 2014.
The second step is analyzing, developing, and implementing responses to highly rated risks. Such a risk analysis, required, for example, for health care organizations under the Health Insurance Portability and Accountability Act (HIPAA), requires the identification of all threats to and attacks on an organization’s information assets, the vulnerabilities that may exist, and a resulting risk rating dependent on the potential frequency and severity of a successful cyber-attack.
There’s a wealth of industry data to help determine the potential frequency. The severity factor can also be estimated using industry statistics published free by the American National Standards Institute (ANSI).
Recent data breaches have affected financial performance, stock prices, continuity of leadership, talent attraction, and business operations at Target, Adobe, Home Depot, Anthem, Premera Blue Cross, and the U.S. Office for Personnel Management, just to name a few. Not surprisingly, the #1 risk cited in the Aon study is “Damage to Reputation/Brand”, described by respondents as “priceless.”
Organizations need to find a method for hedging their losses when it comes to cybersecurity risk. Risk-readiness involves undertaking a formal review of risks and putting in place a comprehensive risk management plan. Only 56% of the Aon survey participants reported “readiness” for damage to reputation/brand. That’s a shockingly low percentage. A bona fide risk management plan needs to be conducted before insurance underwriting can begin and annually thereafter.
Mary Chaput is CFO of Clearwater Compliance in Nashville, Tennessee.