Cyber continues to evolve

Two decades ago, the word cyber did not denote much in the way of a threat. It was something new, something esoteric, something that had to be explained by an expert.

Fast-forward to today and times have changed. Cyber threats seem to lurk behind many everyday objects as technology moves increasingly quickly—and cyber seems to move at an equally fast pace.

With computers increasingly present in everything from cars to refrigerators, that has increased the sheer number of areas that could be impacted by a possible cyber attack—and there has been a steady stream of such attacks in recent years, from hospitals to manufacturing facilities, all creating a lot of headlines and publicity.

Insurers of all kinds have often struggled to catch up with changes in this area, especially as insurance increasingly touches so many areas of people’s lives as they buy insurance for new products.

Dealing with said changes means understanding the risks in some detail, something easier said than done in some cases as victims of ransomware attacks, for example, sometimes don’t let on that they have been affected.

As a consequence, cyber has become an area where re/insurers have become highly sensitive about prices and coverage.

In an Insight paper published in March 2022, management consultant Oliver Wyman said that with cyber insurance premiums more than doubling for many clients in 2021 and many insurers looking to restrict coverage provided by cyber policies, the company is seeing an increasing number of clients considering insuring their cyber risk through their captive.

According to Adrian Lynch, executive vice president–North America at Artex Risk Solutions, when looking at the current state of the insurance market from a macro level, with the most recent event being Hurricane Ian, there will probably be some coverage constraints and capacity constraints within the re/insurance market as a result of Ian. As a result, Lynch predicts, there will be a knock-on effect in other lines of insurance, and a hardening of rates and a constriction in capacity.

According to Lynch, cyber is one of those very esoteric coverages that everybody has been talking about for the last number of years.

“I’ve been back in Cayman for eight years and I can tell you that for the last five or six years every client board meeting I have been at, every captive board is talking about cyber and whether they should be writing it or whether they shouldn’t be writing it,” Lynch told Captive International.

“What’s happened now is cyber has gone from being that fringe cover that everybody could probably say that it’s a ‘nice to have’ versus now saying ‘OK we absolutely recognise that we need to have it and we need cyber insurance as a sustainable, reliable, predictable coverage as well’. It has now become an integral part of the suite of insurances that most companies need.”

According to Lynch, from an underwriting perspective, the types of coverage that are available and the capacity that is available will make it necessary that the captive must in fact and in practice have a role to play in supplementing, subsidising, or supporting cyber coverages of the parent.

Coverage gaps

Artex Risk Solutions is seeing a recognition that there are gaps in coverages that exist as a result of cyber. Compared to regular coverage such as a building burning down and a claim being paid, a cyber claim can be almost like a spider’s web of connectivity across the group, because you don’t know where the vulnerability originated, where and what coverage that attaches to, and the knock-on ancillary effects of that cyber breach and what it does to the business in terms of attachments from other coverages.

As a result, Lynch thinks, over recent years there has been an education that has been taking place in terms of narrowing the scope, aligning the loss control and aligning the underwriting elements of those coverages to work to a point now where risk purchasers and risk managers and indeed brokers are becoming more attuned to how to articulate their cyber needs.

As a consequence of this underwriters themselves are becoming more attuned to how to actually assess the risk and the financial impact of it.

“In terms or pricing, we’re still in that early stage, the nascent stages of cyber as a coverage, so I would still see a situation where the underwriting approach is not as consistent as it would be for other coverages,” Lynch predicted.

“Each particular underwriting approach is going to be on the basic merits of the individual applicant. In terms of the cyber risk-readiness, the vulnerability assessments all of those will feed into driving a pricing model.

“I just don’t think that there is a pricing model out there right now that would accommodate all comers on cyber risk underwriting. It is going to be on a rated basis, it’s going to be each individual assessment. So, it’s going to be, I think, a long time before we see an industry acceptable model that covers all cyber coverages.”

Lynch believes there will be an increase in captives being involved in cyber coverages. However, he’s not necessarily sure that there will be an increase in captives actually underwriting cyber.

“A cyber claim can have a very materially negative impact on the balance sheet and the last thing a company will want to do is to enter into writing coverage that maybe they don’t truly understand, or truly have their arms around from an exposure perspective,” he said.

Reinsurance pays a significant role behind the captive, so where Lynch would see the captive playing a material role in captive coverage is probably on an incremental step-up deductible or retention basis within the captive.

“In other words, if the parent company is carrying a $500,000 deductible and wants to take it to a one or two deductible, they might write some of that buffer layer coverage or might get some of that deductible reimbursement coverage within the captive, so that it steps up its retention to get a greater credit from the reinsurance market,” he said.

“But it must come with an understanding that we have a true and complete analysis on where the insurance gap analysis is, if there’s an insurance remediation strategy needed and what the loss control for that would be.

“A lot of companies, if they are very comfortable in terms of how they have invested in their own IT infrastructure and are comfortable with their vulnerability or readiness assessments, then I can see them playing a role. However, I would not be comfortable with having the captive play a role simply because the parent company can’t get coverage elsewhere.

“If you take it down to a basic level, on average cyber premiums are going up by 25 to 30 percent. That kind of a rate increase suggests to me that it’s an underwriter who doesn’t necessarily know what they should be pricing their business on, they’re just whacking on a 30 percent increase. So premium increases alone are not a solution to create a stable or predictable insurance market.”

Lynch pointed out that the National Association of Insurance Commissioners came out with reports in 2021 that cyber insurance expenditures are surpassing 120 percent of premiums paid, which then tells him that the losses would be outstripping the premiums coming in, which means the market has a huge capacity issue.

The focus needs to be on the remediation, he said. When Target and Home Depot had cyber incidents, they were badly managed from a publicity perspective, Lynch said, as they accepted they knew they were vulnerable but seemed to do little about it from an IT perspective.

In direct comparison to that when Anthem reported a breach a number of years ago, according to Lynch the chief executive came out and said: “We were prepared for this, we have an action plan and as a consequence we know what our remediation requirements are, we’re instituting our action plan and we’re very comfortable in emerging from it.”

The remediation requirements usually centre around data and what data has been shared—the communication required to tell each stakeholder how their information has been shared will often dictate how the company is perceived afterwards.

Lynch concluded with a warning. “As cyber evolves, technology evolves, it’s moving so quickly now it’s difficult for us to stay on top of it. As an underwriter I would struggle to try and figure out how to price this business.

“It’s a case of segmenting it onto certain elements and that’s where the gap analysis is so important, the incident response, planning, preparation and remediation and all of that. I think we’re on the upcycle as a market, I think over the next 10 years we are going to be learning where we get to, it’s a very interesting space be in.

“A captive, as an alternative risk financing tool and as an alternative risk management tool, has an integral role to play.”