Captive Insurance in Interesting Times: Navigating Cyber Risk

Alex Clark, Claire Richardson, Hylant Global Captive Solutions | October 10, 2025

Many businesspeople are familiar with the expression, "may you live in interesting times." Interesting is indeed an apt description for the current cyber-security environment. And with the astonishing rate of development fueled by artificial intelligence (AI), that environment is evolving more quickly than ever.

That is true for the technology—and every bit as true for the strategies and products companies use to indemnify their business risks related to cyber security.

Until recently, commercial insurance coverage for cyber security was what the industry calls a very hard market. Insurers were not only increasing premiums for the coverage they wrote, but they were also instituting large increases in expected risk retention. Companies that lacked best-in-class cyber-security controls discovered they might not be able to obtain the scope of coverage they desired or would be expected to pay elevated premiums. As last year ended, the commercial market began to show signs of softening.

Companies that adopted wide-ranging cyber-security controls, such as administrative and privilege controls, created strong backup protocols, had incident response operations in place, and deployed preventive tools such as network endpoint detection and multifactor authentication were generally able to buy cyber coverage for less than the market average.

Still, those costs have remained high enough and coverages are restricted enough that a growing number of companies are exploring alternative ways to manage the potential cost of cyber risks. Prime among these strategies is the use of captive insurance companies. We'll explore the areas of cyber security that are currently generating the greatest concerns, then explain the advantages of using captive insurance to address cyber risks.

  • Ransomware and data damage. Ransomware continues to be one of the top three cyber-related challenges facing companies. Organizations paying bad actors to restore access to their data frequently discover that a single payment rarely delivers access to everything that's been encrypted. Requests for the remainder lead to additional payment demands. In addition, companies often find that the encryption process has broken their data into bits and pieces, necessitating a laborious file-by-file and device-by-device process. Adequate coverage is needed to fund those extra resources.
  • Supply chain interference. Bad actors seeking to create as much disruption and chaos as possible increasingly target digital elements of a company's supply chain. For example, they may focus on a vehicle manufacturer's second- or third-tier suppliers, such as rubber producers. Without access to a reliable supply of tires—so important with today's just-in-time sourcing—automaker production screeches to a halt. Cloud providers are another frequent target.
  • Sophisticated social engineering. We continue to see that about 80 percent of cyber-security claims result from some kind of human misstep. Phishing and spearphishing attacks have become increasingly sophisticated, with bad actors leveraging AI to improve the quality and personalization of what they send. The days when misspellings and odd language made it easy to spot malicious messages have passed.

As legitimate organizations discover and deploy the powerful potential of AI and other technologies, they cannot afford to lose sight of the fact that bad actors are doing the same. Cyber-security professionals wage a continuing battle to identify new criminal strategies that are being used and respond with proactive defenses.

The captive insurance strategy's inherent flexibility makes it ideal for managing risks associated with cyber attacks. Every business, network, and program is unique—as are the cyber-related risks they may face. Captive consultants can creatively structure the captive by using tactics such as considering differences in conditions, manuscripting definitions and other policy language, and determining which types of risks are best retained through the captive and which will be taken to the commercial marketplace. The ultimate goal is to ensure companies have access to the resources needed to recover as quickly as possible.

While many captive insurance companies created during the hard market addressed high-deductible policies by taking the lower loss layers, the softening of the market has led to a greater focus on using commercial policies to tackle the primary layers of coverage, and using the captive to cover excess layers.

Another trend resulting from the softening of the market involves differences in conditions and limits. Many specific risks were excluded or affected by sublimits. That led captive consultants to manuscript policies to cover issues like data breaches and response times for ransomware attacks.

This also underscores the importance of drawing on outside expertise when crafting the company's overall cyber strategy. For example, a captive may be able to fill any gaps created by the combined use of commercial property and cyber coverage.

Skilled risk managers may be tempted to pursue a captive insurance strategy to address cyber risks on their own, but the do-it-yourself approach is rarely a wise move. Drawing upon outside expertise dramatically increases the likelihood that a captive insurance program not only stands up to current cyber challenges, but that it's poised and able to adapt to new and unforeseen types of risks.

The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions. 
