Cyber Risk Is Business Risk, Making Captive Insurance Even More Valuable

Sit down with a group of risk management professionals these days, and one topic will definitely come up at least once: cyber. Regardless of the subject of the discussion, cyber will inevitably pop up like a Whac-A-Mole game.

That's because cyber never sits still. The threat environment keeps evolving, and risk managers race to shift coverage where it's needed most. Last year's solutions may not be enough for today's threats. For technology-dependent organizations, the stakes keep getting higher.

There's a simple way to understand why cyber is so pervasive: Information technology (IT) risk is business risk, and business risk is IT risk. That may seem obvious, but it represents a fundamental shift in risk management philosophy. For years, companies have treated cyber as though it were solely a technical issue, pushing it off on those people in IT. Today, company leaders recognize that cyber is an operational issue, a financial issue, and can easily become a reputational issue affecting a company's long-term viability.

The threat is more severe in companies and industries that depend heavily on keeping their systems up. When something takes those systems down, the impact is immediate, affecting production, revenue streams, and even personal safety.

Bad actors aren't just looking for easy targets these days. They're trying to find organizations that can't afford to stay down. It's one thing for companies to have an incident response plan on paper. It's something completely different when it comes to executing that plan while the company is at a complete standstill, with costs increasing by the hour.

When company leaders envision cyber events, they usually think of major breaches and ransomware attacks that make headlines. But for many companies, their cyber losses start in much smaller ways, whether that's a fraudulent invoice, a stolen password, or bad email hygiene. While those events may not seem as catastrophic, they are accretive and can result in significant financial issues if not detected early.

You've probably heard that most cyber losses involve a human element, such as an employee falling for a phishing scam. That's completely true, which can seem discouraging. But the good news is that, unlike natural disasters, human behavior can be influenced through training, awareness, and even culture. The organizations investing in education, enforced controls like multifactor authentication, and incident response protocols may not be able to avoid every incident, but they can limit the damage caused by those that occur.

Limiting damage is at the heart of how today's risk managers think about cyber. Instead of assuming they'll never face a problem, they focus on reducing the "blast radius" when an attack occurs. Unfortunately, commercial cyber-insurance coverage is lagging behind that kind of thinking, with its limitations becoming more obvious.

Cyber policies aren't quite as standardized as coverages for other risks. Two policies that appear very similar may behave very differently when a claim occurs, thanks largely to factors such as sublimits, exclusions, and subtle wording differences. One policy might restrict losses caused by social engineering, while another might have exclusions for terrorism. Given the rapid advances in artificial intelligence (AI), today's coverage may be inadequate. Coverage gaps aren't always readily visible and may not even be noticed until a claim is denied.

That cyber environment creates a number of reasons why more companies are looking to establish captives to round out their cyber strategy. While captives have long been recognized as a prudent way to finance business risks, in the cyber space, we're seeing them used to provide customizable coverage.

Through a captive, a company can build a cyber program reflecting its unique set of specific risks, operations, and priorities. The captive structure allows the company to include how coverage is structured, which exposures are addressed, and how incident responses will be handled.

Business interruption provides a particularly relevant use of captives for cyber. While most commercial cyber policies address some type of contingent business interruption coverage, it typically applies when a third-party vendor or service provider's cyber event impacts your operations. But what if the disruption comes from the other direction?

Suppose your largest customer is hit by an attack and can't place orders or receive shipments until it's resolved. Imagine your major distribution partner going offline for days or even weeks. Your own systems may be functioning just fine, but your revenue will take a huge hit.

What's known as "silent cyber" is another example. That's when cyber events create consequences beyond the technology itself, like physical damage, equipment malfunctions, or systems breaking down. Companies with interconnected systems, such as chemical processing, manufacturing, or agriculture, are particularly at risk. Losses like these often fall into a gap between traditional insurance coverage and cyber policies, leaving companies uncovered. A well-structured captive can cover those gaps.

As if cyber wasn't already keeping risk managers awake, the rapid development and adoption of AI is changing the cyber landscape in many ways. When companies use AI well, it can create competitive advantages by improving efficiency and streamlining processes. But it can also create new risks when it's used poorly. Plus, bad actors are using AI to refine and automate their efforts to target more companies.

That's why governance is an ever-more-important part of the conversation. Who decides how AI will be used? How are new tools evaluated? What safeguards are in place? How are employees trained? What happens if something goes wrong?

These aren't just IT questions. They're business questions. In that sense, cyber security is less about technology itself and more about coordination. Using a captive allows a company to create a flexible cyber framework that's capable of evolving along with the business and the risks it faces.

The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.