Captive.com logo

Captive Insurance News

The COVID-19 Pandemic: Opportunities and Implications for Captive Insurance

The COVID-19 Pandemic: Opportunities and Implications for Captive Insurance

A FREE 12-page special report from Captive.com

The COVID-19 Pandemic: Opportunities and Implications for Captive Insurance explores the challenges presented by today's business and economic upheaval, as well as the hardening insurance market, and what it means for the captive insurance industry.

Show Me My Free Report

Cyber Insurance Is Just Part of the Process in Addressing Cyber Risk

A red computer chip with a lock on it as a part of a larger blue computer
August 18, 2020

Cyber risks are increasing, and organizations shouldn't assume that risk transfer will solve their cyber risk issues, according to one expert speaking at last week's Vermont Captive Insurance Association (VCIA) Virtual 2020 conference.

"Cyber attacks are almost always significant and disruptive," said Christopher Giovino, director of forensic services and cyber evaluation risk quantification at Aon. "Your coverage is only a beginning. This is the time to be prepared."

"Cyber events typically come in waves of attacks," Mr. Giovino said, noting that among other things, it's important that organizations have cyber incident response teams in place, people understand their roles, and they'll be reachable when an incident occurs.

Mr. Giovino and others discussed cyber risks and the response to them as part of a session titled "Cyber Risk: Seek, Shield, & Solve."

"Cyber risk isn't completely solved by an insurance policy, but it's a big part of managing the risk," said Shiraz Saeed, national practice leader for cyber risk at Starr Insurance Companies.

Mr. Saeed said "cyber" basically comes down to one of two issues: a network or computer security failure or a privacy incident. "Those two things can be mutually intertwined or mutually exclusive," he said.

The typical data breach is an example of those two exposures being intertwined, Mr. Saeed said, while a denial of service or ransomware attack is an example of the former, where no information is exposed, but the business is put out of operation for hours, days, or weeks.

Heather McClure, chief risk officer at OU Medicine at the University of Oklahoma and chief legal officer for OU Medicine's captive, discussed options for financing cyber risk, including commercial insurance, a primary policy with a captive insurance company, and coverage through a captive with reinsurance.

OU Medicine does place cyber risk in its captive insurance company, Ms. McClure said, first considering doing so in 2009 or 2010. "When we started thinking about putting cyber in our captive, it was fairly early on. It was before the cyber market exploded," she said.

Ms. McClure said that while her organization recognized that commercial cyber insurance pricing could be volatile, they wanted to build relationships with insurers and have access to their expertise to help address exposures and respond to data breaches. But using the captive provided the opportunity to write policies that specifically met OU Medicine's needs.

"We eventually chose a captive model with reinsurance, which is really the perfect blend for us," she said. The approach gives OU Medicine access to the reinsurers' expertise, as well as help with things like data breach response.

"Reinsurance with this line is extremely important," Ms. McClure said. "I don't envision a time we would ever not take out reinsurance for cyber, just because of the resources provided."

Matthew Wabby, a special agent with the Federal Bureau of Investigation, said that organizations experiencing cyber attacks should report them to law enforcement. "Time matters. Report the incident right away," he said.

"Save all your information. Do not delete it," Mr. Wabby said. "That helps on the investigative side."

Captive Insurance Company Reports
Follow Captive.com on Twitter

Twitter Feed