Captive Insurance Provides The Versatility Needed To Address Cybersecurity Risk
Businesses and organizations need flexible, active approaches to stay a step ahead of would-be cybercriminals. And, with flexibility in mind, captive insurance is the most versatile approach to prepare for the financial impact of a cybersecurity loss.
Will it ever end? Cybersecurity breaches continue to make headlines. In recent news, 23 Texas towns were hit by a coordinated ransomware attack, according to the state’s Department of Information Resources. The attacks come on the heels of ransomware attacks in Louisiana, New York, Maryland and Florida—all costing local governments huge sums of money. The DNC was hacked. Target was hacked. Capital One’s recent data breach affected over 100 million customers. These days, no company is safe.
Cybersecurity breaches, such as these, cost companies more than just a negative public image. There are fees and fines that can quickly add up and devastate a business.
Earlier this year, Equifax agreed to pay up to $700 million to settle a 2017 security breach. In mid-June, Retrieval-Masters Creditors Bureau Inc. filed for Chapter 11 bankruptcy protection as a result of costs associated with the American Medical Collection Agency breach.
And data breaches are on the rise.
In 2018, cyber breaches hit a new record high and according to the Annual Data Breach Year-End Review by Identity Theft Resource Center, there has been a 44.7 percent increase in the number of cyber incidents since 2016. Cybersecurity will continue to be a preeminent threat throughout 2019 and beyond as technological advances, cloud computing and social media continue to grow and cybercriminals become more sophisticated.
Although cybersecurity is a significant, escalating threat facing businesses of all sizes, few businesses are fully prepared for cyber risks. The primary reason is that cyber threats are a challenging risk to insure against. However, there is a solution to cybersecurity risk that stands out from the rest: owning a captive insurance company.
This is how captive insurance differs from other insurance options and is uniquely suited to effectively cover this risk:
One specific way that captive insurance can be more effective at covering cybersecurity risk than commercial insurance alone is that many commercial insurance policies don’t cover human error by an employee. Many times, human error is the gateway to a breach. Even trained employees may make an error or be tricked (for example, if an employee clicks a link from an unknown source or goes to a malicious website). Captive insurance can fill the human error gap.
Compared to commercial insurance, captive policies can be more easily changed to match a rapidly changing and ever-evolving threat like cyber risk. In fact, a policy could even be modified or re-written mid-year, provided it was substantiated via underwriting and priced by an actuary. Adapting commercial policies is usually more cumbersome.
A captive insurance company can issue a more flexible, customized risk management solution to its parent company. And based on the potential types of risk the business faces in terms of cybersecurity, a policy can be customized—unlike a third-party commercial insurance policy. Cyber threats are complex and vary greatly, so the ability to customize the policy is crucial.
With third-party commercial insurance, if a business doesn’t have a claim, the premiums paid are a sunk cost. However, when insurance is purchased through a captive insurance company, owned by the business and business owner, and there are no or low claims, then underwriting profit is retained in the captive.
AON Global Risk Consulting surveyed over 100 captive executives and directors on their opinion on the rankings of various global risk findings. The survey found that “Cyber risk, including computer crimes, hacking, viruses, and malicious codes, was the most contested risk, with 82 percent of captive owners commenting that the risk’s ranking of 18 was severely underrated.”
Businesses that have third-party insurance in place should consider supplementing their cyber insurance with a blanket cyber policy in a captive insurance company. Many businesses do not have cyber insurance policies in place. It’s not always an easy decision as it is difficult for business leaders to get excited about purchasing additional insurance. For many businesses, insurance is a necessary evil. It is definitely a necessity but can also be viewed as a sunk cost. Owning a captive insurance company gives a business an additional tool to address “non-traditional” but very real risks like a cyberattack. A business can purchase cyber insurance from its captive insurance company and simultaneously grow profit in its captive insurance company when claims are low.
Also, because captive profits are at stake, the business has an even greater incentive to take active security measures to reduce the likelihood of a cyber-attack and other digital threats to business data.
Preparation is critical to whether a cyberattack. It can mean the difference between survival and utter disaster.