RISK MANAGEMENT

Care in writing cyber cover warranted

Lack of data on threats troubles insurers

NEW YORK — Insurers remain reluctant to cover cyber risks, leaving some companies to explore insuring the risk in their captives.

Given the lack of sufficient historical data, global insurers are being “very sensible” in offering limited coverage for cyber exposures though there is huge client demand and media coverage about “the industry failing to step up to the plate,” Dominic Casserley, president and deputy CEO of Willis Towers Watson P.L.C., said last week.

“Lloyd’s of London has been very focused on what syndicates are doing in the cyber space and has basically been saying, ‘Be careful,’ for good reason,” Mr. Casserley said. As more data is available on the effectiveness of cyber security practices, procedures and technologies, “I think we will see more capital come in.”

Industrial control systems operating critical U.S. infrastructure are particularly vulnerable because they use outdated software, said Ryan Spelman, program executive of the Center for Internet Security in East Greenbush, New York.

“But it’s tough,” he said during Business Insurance’s Risk Management Summit in New York City last week. “It’s difficult to turn off a power plant to do a system update. That’s a hard sell” to facility operators.

“We need to be able to develop control systems cyber security metrics … so you have some idea of should they or should they not even be insured, unless you want to take a very big bath,” said Joe Weiss, managing partner of Applied Control Solutions L.L.C. in San Francisco.

The Department of Homeland Security last year put out an alert about disconnecting industrial control systems from the Internet due to system compromises experienced during the BlackEnergy malware campaign, he said.

“What are (insurers) going to do when somebody disregards what DHS told them ‘do not do?’ ” he said.

Malicious or criminal attacks accounted for 49% of breaches, 32% were caused by system glitches and 19% by employee negligence, Traverse City, Michigan-based consultant Ponemon Institute L.L.C. said in an analysis last year.

“In our world, the only difference between malicious and unintentional is often motivation,” Mr. Weiss said. “If you’re going to offer cyber insurance, you better realize that distinction doesn’t exist in our world in most cases.”

In the absence of sufficient capacity in the standard market, some companies are looking to their captives to cover their cyber exposures, said Delaware Captive Insurance Director Steve Kinion.

“Rarely do I see a captive application for a new captive cross my desk … without some type of cyber coverage component, whether it’s the entire cyber (risk) or insuring the deductible portion of a commercial insurance policy,” he said of such applications that typically are from single-parent captives.

Captives can provide coverage that insurers often exclude from general liability insurance, he said.

“Is electronic data tangible property?” Mr. Kinion said. “No, not under most general liability policies. That’s why captive owners form captives so they can cover those excluded types of items such as electronic data.”

Carolyn Snow, director of risk management at Humana Inc. in Louisville, Kentucky, said caution should be used in putting cyber coverage in a captive.

“You don’t have the benefit of a feasibility study, and you have to think about how you’re going to manage your claims,” she said. “And there is the catastrophic exposure to your captive.”

The average organizational cost of a breach over the past 10 years peaked at $7.2 million in 2011 and was $6.5 million in 2014, according to the Ponemon Institute study.

Steps that can be taken to guard and defend against cyber threats include having information technology staff check logs to see whether the system is being accessed by employees at unusual times or from locations such as China, Mr. Spelman said.

Risk managers should make a list of all company assets such as laptops and printers, ensure that systems are configured to require the use of strong passwords and other protections, and limit administrative privileges to the system, he said.

“Administrative privileges give somebody the ability to make changes,” Mr. Spelman said. “It’s the keys to the kingdom. If an admin gets infected, it is a problem.”
