Cyber Insurance Is Just Part of the Process in Addressing Cyber Risk

Secured electronic chip

August 18, 2020

Secured electronic chip

Cyber risks are increasing, and organizations shouldn't assume that risk transfer will solve their cyber risk issues, according to one expert speaking at last week's Vermont Captive Insurance Association (VCIA) Virtual 2020 conference.

"Cyber attacks are almost always significant and disruptive," said Christopher Giovino, director of forensic services and cyber evaluation risk quantification at Aon. "Your coverage is only a beginning. This is the time to be prepared."

"Cyber events typically come in waves of attacks," Mr. Giovino said, noting that among other things, it's important that organizations have cyber incident response teams in place, people understand their roles, and they'll be reachable when an incident occurs.

Mr. Giovino and others discussed cyber risks and the response to them as part of a session titled "Cyber Risk: Seek, Shield, & Solve."

"Cyber risk isn't completely solved by an insurance policy, but it's a big part of managing the risk," said Shiraz Saeed, national practice leader for cyber risk at Starr Insurance Companies.

Mr. Saeed said "cyber" basically comes down to one of two issues: a network or computer security failure or a privacy incident. "Those two things can be mutually intertwined or mutually exclusive," he said.

The typical data breach is an example of those two exposures being intertwined, Mr. Saeed said, while a denial of service or ransomware attack is an example of the former, where no information is exposed, but the business is put out of operation for hours, days, or weeks.

Heather McClure, chief risk officer at OU Medicine at the University of Oklahoma and chief legal officer for OU Medicine's captive, discussed options for financing cyber risk, including commercial insurance, a primary policy with a captive insurance company, and coverage through a captive with reinsurance.

OU Medicine does place cyber risk in its captive insurance company, Ms. McClure said, first considering doing so in 2009 or 2010. "When we started thinking about putting cyber in our captive, it was fairly early on. It was before the cyber market exploded," she said.

Ms. McClure said that while her organization recognized that commercial cyber insurance pricing could be volatile, they wanted to build relationships with insurers and have access to their expertise to help address exposures and respond to data breaches. But using the captive provided the opportunity to write policies that specifically met OU Medicine's needs.

"We eventually chose a captive model with reinsurance, which is really the perfect blend for us," she said. The approach gives OU Medicine access to the reinsurers' expertise, as well as help with things like data breach response.

"Reinsurance with this line is extremely important," Ms. McClure said. "I don't envision a time we would ever not take out reinsurance for cyber, just because of the resources provided."

Matthew Wabby, a special agent with the Federal Bureau of Investigation, said that organizations experiencing cyber attacks should report them to law enforcement. "Time matters. Report the incident right away," he said.

"Save all your information. Do not delete it," Mr. Wabby said. "That helps on the investigative side."

August 18, 2020