Captives take on cyber risk

June 14 2019 by Nick Ferguson

Television news shows have been worrying about hackers taking over our cars and crashing us into things for at least the past decade. In reality, the risk to individuals is small, but it is a different story for companies.

Individual hackers, cyber terrorists and even state agencies are all actively targeting businesses — and those corporations are increasingly interested in insuring themselves against a cyber incident that results in bodily injury, whether from a deliberate act by a third party or, more likely, from a piece of machinery or equipment that goes awry as an unintended consequence of an attack.

The increasing overlap of digital and physical systems in production environments is creating a growing array of vulnerabilities, through autonomous vehicles, industrial robots and internet-of-things devices that have the potential to cause harm if their operations are disrupted.

In 2014, for example, a German steel mill suffered “massive damage” and narrowly avoided a more serious incident after hackers gained access to its production systems.

Specific cover for such an incident is not widely available in the market and this is leading some companies with these kinds of exposures to turn to their captive insurance units for protection, according to a survey by Aon.

Indeed, almost a quarter of captives currently writing cyber are now covering liability associated with a bodily injury event. More broadly, captives are rapidly becoming a popular vehicle for writing cyber policies, with 41% of the captives owned by Aon clients now incubating cyber risk, led by those in the healthcare industry.

“Captives continue to play a valuable role in addressing emerging risk issues for all companies,” said John English, chief executive of captive and insurance management at Aon.

Business interruption and regulatory are the most popular types of coverage beyond traditional cyber crisis costs, with greater control of their insurance programme and cost efficiencies most commonly cited as the rationale for using a captive.

“Our survey demonstrates that a captive not only can provide access to innovative coverage and unlock additional capacity for this fast-moving risk topic, but also better coordinate key internal teams in a company to improve overall capital allocation, strategic planning and risk improvement for cyber risk,” said English.

Using captives to provide cover beyond crisis and liability is a response to the evolution of cyber threats during the past few years, but Aon questions whether organisations have the necessary level of understanding around mission critical assets to underwrite this risk with sufficient certainty.

Most captive owners, it says, are still using a relatively unsophisticated approach to retention, limits and premium determination, relying on traditional data points such as peer group benchmarking, management intuition and experience, and adviser recommendation.

Such approaches are not a good way of gauging an organisation’s individual technology or cyber threat profile requirements.

“It is critical that cyber risk is treated as an enterprise risk and framed within the existing risk management framework,” said Adam Peckman, global practice leader for cyber solutions at Aon. “Risk managers can lead this change by utilising captives as a key strategic tool to demystify cyber risk through more sophisticated analysis and drive more fit-for-purpose balance sheet protection.”

That means identifying and mapping cyber risks that are specific to the company, building financial models that can quantify balance sheet exposure to these risks, evaluating the merits of using a captive and ensuring that limits and coverage are appropriate to the exposure.

This is increasingly relevant in Asia, where the use of captives is growing. The region experienced a 116% increase in gross premium to US$1.1 billion during the past five years, according to Guy Carpenter.

However, as the market grows, a more sophisticated approach to underwriting cyber will be needed.

MORE FROM: Insights