Interesting Times for Cyber and Captives

This article originally was published on Captive.com and is reprinted here with permission.

Many businesspeople are familiar with the ancient Chinese curse, “May you live in interesting times.” Interesting is indeed an apt description for the current cybersecurity environment. And with the astonishing rate of development fueled by artificial intelligence (AI), that environment is evolving more quickly than ever.

That is true for the technology—and every bit as true for the strategies and products companies use to indemnify their business risks related to cybersecurity.

Until recently, commercial insurance coverage for cybersecurity was what the industry calls a very hard market. Carriers were not only increasing premiums for the coverage they wrote, but were also instituting large increases in expected risk retention. Companies that lacked best-in-class cybersecurity controls discovered they might not be able to obtain the scope of coverage they desired or would be expected to pay elevated premiums. As last year ended, the commercial market began to show signs of softening.

Companies that adopted wide-ranging cybersecurity controls, such as administrative and privilege controls, created strong backup protocols, had incident response operations in place, and deployed preventive tools such as network endpoint detection and multifactor authentication were generally able to buy cyber coverage for less than the market average.

Still, those costs have remained high enough and coverages restricted enough that a growing number of companies are exploring alternative ways to manage the potential cost of cyber risks. Prime among these strategies is the use of captive insurance companies. We’ll explore the areas of cybersecurity that are currently generating the greatest concerns, then explain the advantages of using captives to address cyber risks.

Ransomware and Data Damage

Ransomware continues to be one of the top three cyber-related challenges facing companies. Organizations paying bad actors to restore access to their data frequently discover that a single payment rarely delivers access to everything that’s been encrypted. Requests for the remainder lead to additional payment demands. In addition, companies often find that the encryption process has broken their data into bits and pieces, necessitating a laborious file-by-file and device-by-device process. Adequate coverage is needed to fund those extra resources.

Supply Chain Interference

Bad actors seeking to create as much disruption and chaos as possible increasingly target digital elements of a company’s supply chain. For example, they may focus on a vehicle manufacturer’s second- or third-tier suppliers, such as rubber producers. Without access to a reliable supply of tires—so important with today’s just-in-time sourcing—automaker production screeches to a halt. Cloud providers are another frequent target.

Sophisticated Social Engineering

We continue to see that about 80% of cybersecurity claims result from some kind of human misstep. Phishing and spear phishing attacks have become increasingly sophisticated, with bad actors leveraging AI to improve the quality and personalization of what they send. The days when misspellings and odd language made it easy to spot malicious messages have passed.

Using Captives to Address Cyber Risks

As legitimate organizations discover and deploy the powerful potential of AI and other technologies, they cannot afford to lose sight of the fact that bad actors are doing the same. Cybersecurity professionals wage a continuing battle to identify new criminal strategies that are being used and respond with proactive defenses.

The captive insurance strategy’s inherent flexibility makes it ideal for managing risks associated with cyberattacks. Every business, network, and program is unique—as are the cyber-related risks they may face. Captive consultants can creatively structure the captive by using tactics such as considering differences in conditions, manuscripting definitions and other policy language, and determining which types of risks are best retained through the captive and which will be taken to the commercial marketplace. The ultimate goal is to ensure companies have access to the resources needed to recover as quickly as possible.

While many captives created during the hard market addressed high-deductible policies by taking the lower loss layers, the softening of the market has led to a greater focus on using commercial policies to tackle the primary layers of coverage and using the captive to cover excess layers.

Another trend resulting from the softening of the market involves differences in conditions and limits. Many specific risks were excluded or affected by sublimits. That led captive consultants to manuscript policies to cover issues like data breaches and response times for ransomware attacks.

This also underscores the importance of drawing on outside expertise when crafting the company’s overall cyber strategy. For example, a captive may be able to fill any gaps created by the combined use of commercial property and cyber coverage.

Skilled risk managers may be tempted to pursue a captive strategy to address cyber risks on their own, but the do-it-yourself approach is rarely a wise move. Drawing upon outside expertise dramatically increases the likelihood that a captive program not only stands up to current cyber challenges, but that it’s poised and able to adapt to new and unforeseen types of risks.

Related Reading: What Is Captive Insurance?

The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.