Mitigating Cyber Risk via Captives

Increasingly challenging

The reality today is that virtually every individual and organization is vulnerable to a cyberattack, and the nature of the threat is continually evolving. The mayor of Atlanta, for example, was recently quoted as saying, “We are dealing with a hostage situation.”

She was referring to the computer systems supporting many of the city’s departments. A shadowy group of hackers had gained access to the city’s networks and encrypted massive amounts of data; they demanded USD 50,000 in Bitcoin to release it. While Atlanta authorities will not comment on whether or not they paid the ransom, the city’s employees and citizens are still grappling with the many headaches and inconveniences caused by this attack.

OK, perhaps your organization has robust protection measures in place to guard against a ransomware attack like this that is usually launched via a worm embedded in an email attachment. But what about all of those internet-connected devices like surveillance cameras, printers or “smart” building controls that are now common in all types of settings.

Another example: A casino installed an internet-connected thermostat in the fish tank in its lobby. Being able to regulate the water temperature remotely seemed like a good idea; until hackers used the thermostat as a backdoor into the casino’s networks. Once inside the system, the hackers found personal data on the casino’s high roller clients, which they pulled up to the cloud, again using the thermostat as a conduit.

There are innumerable other examples of hackers exploiting flaws in a connected object for malicious purposes. And considering the number and variety of IoT (Internet of Things) devices in use in different settings, preventing hackers from exploiting security gaps in connected objects can be a daunting proposition.

In practical terms, that can mean making sure someone in the organization is continually monitoring all of the various IoT devices in use in all of its locations for known vulnerabilities and available patches. And when a fix is needed, that could entail, for instance, a worker climbing a ladder with a thumb drive to update the firmware in a surveillance camera.

Moreover, cyber attackers today also have other increasingly sophisticated tools and methods – including phishing, malware, denial-of-service, SQL injection, man-in-the-middle, and so on – for taking advantage of vulnerabilities in devices and systems.

Increasingly expensive

For many organizations, understanding, managing and mitigating their specific exposures to a cyberattack is now one of the most – if not the most – critical components in their overall risk management programs.

Responding to this threat also means looking at different options for funding the direct and indirect costs of a cyberattack. According to recent news reports, for instance, the city of Atlanta has already spent more than USD 2.6 million to respond to the ransomware attack there.

And these costs are escalating. A 2017 study conducted by the Ponemon Institute and Accenture found that the cost of cyberattacks increased by 23 percent in just one year. The companies included in the survey – 254 firms in seven countries with at least one thousand employees – averaged 130 security breaches per year, and spent on average USD 11.7 million annually to detect, recover, investigate and manage cyberattacks.

Increasingly valuable

Captives have historically been used to finance stable, predictable risks. And there is no question that they are well-suited for that. Cyber, however, generally manifests as a volatility risk that is not so predictable.

In recent years, however, more and more captive owners are starting to recognize the value a captive can deliver as an efficient and effective mechanism for financing and managing less predictable categories of risk, like cyber.

In my view, there are two important benefits to writing cyber within a captive.

The first is that a captive enables the parent company to cost-effectively fund this risk. Since cyberattacks are a matter of “when, not if” for many companies, it makes sense to set aside funds in advance to cover at least some of the costs of an attack.

As noted, though, cyber is a volatile and evolving risk, and trying to anticipate where and how a company could be attacked, as well as the potential economic impacts, can be challenging. These attributes, however, also bolster what I see as the second benefit of covering cyber within the captive. That is, managing cyber within a captive allows the corporate risk manager to monitor this risk and capture valuable data and insight on the parent company’s vulnerabilities and the direct and indirect costs of different types of attacks.

In other words, a captive can help the organization develop a more informed understanding of this specific risk and the particular threat it poses to the parent company.

Better data about and deeper insight into a company’s cyber exposures can only strengthen the organization’s efforts to manage this elusive and evolving risk effectively.

That includes creating greater alignment over time with the parent company’s risk profile and appetite, especially by structuring the policy(ies) to better reflect its specific circumstances and needs. Moreover, capturing lessons learned from different attacks can help the organization identify where and how it needs to strengthen its defenses.

The learnings developed over time can also highlight the particular capabilities and expertise that should be embedded within the risk management program to minimize the potential for an attack and to promote a fast and effective response when one occurs.

Increasingly collaborative

As noted, cyberattacks continue to manifest in new and unexpected ways. And few captives have the breadth and depth of resources needed to effectively prepare for and respond to an incident.

That’s why captives that opt to cover cyber should seek out fronting partners with dedicated cyber teams that can offer an array of pre- and post-event services and capabilities delivered by both internal resources and via partnerships with outside experts.

Having ready access to these capabilities is particularly important in the event of a major attack. When an organization’s systems are breached, for example, being able to quickly call in specialists who are already familiar with the company’s systems and operations can be enormously helpful in limiting the impact of the event and enabling a quicker recovery. These typically include technical specialists who work to remediate the loss and perhaps identify the source of the attack, as well as attorneys and PR/crisis management experts who focus on lessening the collateral damages.

A final thought: using the captive to cover both stable, traditional risks along with less predictable, emerging risks can increase volatility within the captive if there are unusually high losses in a particular year. One way to address that is with a multiline, multiyear program supported by structured reinsurance. This type of set-up enables the captive to mitigate the impact of unexpectedly large losses as premiums for future years are pre-agreed, and the multiyear policy has remaining capacity.

Steven Bauman
Head of Global Programs and Captive Practice, North America, XL Catlin