Cyber

Captives beware: cyber criminals will come for you too

“It seems as though every week a new corporate data breach makes the headlines or there is yet another form of malware holding the world to ransom,” says Nicolas Champ, senior associate at Kennedys Bermuda.

He adds: “Hackers are becoming increasingly sophisticated and hacking tools are readily available for purchase through the dark web. At the same time, companies are collecting an increasing amount of information about their customers and business partners that is ripe for theft and exploitation.”

Alongside the increasing frequency of attacks, awareness of cybercrime is higher today than it’s ever been, says Scott Reynolds, president of the Bermuda Captive Owners Association and president and chief executive officer of American Hardware & Lumber Insurance.

The Colonial Pipeline ransomware attack (which closed one of the US’s largest pipelines in early May) has driven the issue home for residents in the US, he explains.

“In many ways the cyber risk landscape is such a changing situation. There’s no question about it, there’s an increasing demand from an insurance perspective. There’s a big opportunity here and Bermuda might be the perfect jurisdiction to offer re/insurance,” he adds.

Captive re/insurers—and re/insurers more generally—aren’t immune from cyber risks themselves and this is something the Bermuda Monetary Authority (BMA) is very aware of.

Shortly after the Bermuda government required all persons to move to remote working as a result of the pandemic, the BMA recognised the changes an organisation would face and how this would affect an entity’s cyber risk profile. In June 2020, the BMA issued “Cyber Resilience and Remote Working”, an information bulletin aimed at providing best practice guidance on cyber resilience and the risks and related risk response relevant to remote working.

Then, in April this year, the BMA cautioned that insurers should be aware that engaging with third-party service providers leaves them exposed to heightened cyber risk, and that they need to take steps to mitigate this risk. The BMA advised insurers who entrust third parties with data, or with the delivery of IT services, to consider having contractual clauses in place to ensure their security requirements are met.

According to Champ, while captives are not included in the data analysed by the BMA for the report, it’s interesting that for some cyber risks, “a lower than expected percentage of insurers indicate they have controls in place”.

These areas include third-party cyber risk management assessment, data classification, board approval of cyber risk strategy/policy, data loss prevention (DLP) and maintenance of software.

Reynolds adds that a risk management need has been created, requiring captives to be responsible and to make sure they’re adhering to the requirements of regulators and security protocols.

This includes the need for a captive to have its own cybersecurity policy reviewed on a frequent basis and for “any third party service providers to adhere to at least the same standard as they hold themselves to”.

He continues: “A third party who is going to have any attraction in the insurance industry should know full well that they need to document and be prepared to present their cybersecurity policy and any standards that they must comply with in the jurisdictions where they’re based.”


Code of conduct

Captives must not just focus on their own policy—every service provider, insurance company and captive needs to be fully aware of a code of conduct. The Insurance Sector Operational Cyber Risk Management Code of Conduct came into force in Bermuda on January 1, 2021.

Captives have until December 31, 2021 to comply with the code, which provides that the management of cyber risk is under the responsibility and oversight of the board. As part of this, the board is required to approve a cyber risk policy at least annually.

The board must appoint a chief information security officer (CISO) to oversee and implement an operational cyber risk management programme.

“The code requires the implementation of stable and secure management of information technology systems by captives. It requires each captive to have its own technology risk programme, to identify the top risks and decide the appropriate risk response requiring clear and defined governance and management of cyber risks,” says Champ.

He adds: “The BMA will assess each captive’s compliance with the code on a proportionate basis having regard to the risk profile arising from the nature, scale and complexity of the business carried on by the captive.”

A review of any services provided by third parties must be conducted as part of the overall assessment of cyber risk.


Mitigating risk

For Bermuda captives looking to mitigate their risk and comply with the code, there are myriad approaches. Additionally, where captives outsource certain cyber risk management functions away from the board to third parties or internally to other affiliated entities, captives “must ensure there is the oversight and clear accountability for all outsourced functions as if these functions were performed internally, and subject to the captive’s standards of governance and internal controls”, adds Champ.

Aside from accountability and assessing service agreements, captives (like any other organisation) must ensure they are considering cyber risks throughout the entire organisation and, as part of the code, captives need to develop a ‘three lines of defence’ model (namely operational management, risk management and audit) and ensure that these controls can be used to reduce potential impacts on the captive.

Reynolds advises that protecting the captive’s database from hackers, having a plan in place to restore from backup information and knowing what to do if the captive is a victim of ransomware are integral parts of a captive’s cybersecurity policy.

Ultimately, the key message here is to take action. Take action, understand your risks and work to alleviate them, or face the consequences of ill-preparation.

Bermuda’s cyber-related work, from the guidance published over the past year to the code itself, can be used as a guiding light through the ‘dark forest’ of cyber.

Champ summarises: “Captives are, in common with most organisations, at risk of financial loss, damage, disruption and reputational damage from cyber-related exposure. They can also be at risk by not sufficiently protecting the data they have collected in connection with their clients and business partners.

“While any company can suffer a data breach, well-prepared companies can mitigate the damage a breach causes, to affected individuals and to their own bottom line, by preparing for and responding to the breach in the right way.”


BERMUDA FOCUS 2021