Captives seen as viable option for covering cyber riskReprints
BURLINGTON, Vt. — Covering cyber risk in a captive insurer is not for every company, but it’s an option that every captive owner should explore, according to experts.
But concern about exposing the captive to a difficult-to-quantify risk is still making owners reluctant to include cyber in their captives, experts said at the Vermont Captive Insurance Association conference in Burlington on Wednesday.
Only 9% of companies are using their captive to cover the risk — a number projected to grow to 20% utilization by 2022, said Adam Peckman, global practice leader with Aon Risk Solutions in London.
“The challenge around not understanding the exposure creates a big hurdle for a lot of organizations about exposing the captive to the unknown,” he said.
Inaccurate quantification of cyber exposure is the major concern for those who have not added cyber to the captive, but it can sometimes be used to build reserves to handle potential breaches, said Teri Weber, partner with Spring Consulting Group in Boston.
“One of the things with cyber is really pushing your entity, pushing your business, pushing your captive, pushing your C-suite to understand the risk,” she said. “When you put risk in your captive, you’re more apt to analyze it and I think putting something like cyber in in your captive forces you to do that.”
It took a lot of convincing to persuade the captive board of University of Oklahoma’s College of Medicine’s academic medical practice to include some of its cyber exposure in its Academic Physicians Insurance Co. captive, said Heather McClure, chief operating officer in Oklahoma City.
“Certainly, they were concerned about cyber, but I think they thought it was a sensational topic that we probably need to let other people deal with first and then we would learn from their mistakes,” she said, adding that she persisted as brokers, consultants and others continued to warn about the exposure.
A couple of board members did not want to even analyze the cyber risk even though there was general agreement that medical data should be secured, Ms. McClure said.
“They were worried people would find out that maybe we weren’t as secure as we should be or other competitor companies were,” she said.
The risk management team looked at ways to fund the risk, including options in the commercial insurance market.
“We were concerned about the pricing there,” she said. “We were concerned because we knew we had some gaps in security. We were concerned about what kind of relationship we would have with the commercial insurance carrier, what kind of services they would provide. We looked at insuring some of it in our captive in a primary policy, but we didn’t have cyber experts around the table and didn’t have risk managers who were trained in assessing the cyber risk. The inexperience of my staff was a factor. We landed on this idea that we could look at insuring it with the captive, but we needed to have a heavy reinsurance partner that was very experienced in the area, who had resources to bring to us should we have an event.”
The organization experienced two cyber breaches within the first year of placing the exposure in their captive because of stolen unencrypted laptops, she said. One of the reasons the risk management team wanted to cover the exposure through the captive was because they knew that there were unencrypted laptops being used. The captive’s reinsurer, which she declined to identify, excluded coverage for the unencrypted laptops, but did allow the organization to access its available resources, including credit monitoring at rates 60% lower than the organization would have been able to secure on its own, Ms. McClure said.
The U.S. Department of Education’s Office of Civil Rights does not require credit monitoring in instances where patient data has been exposed, she said. However, the hospital system’s executives wanted to provide it to all those affected, which was the source of some disagreement among lawyers advising the organization who felt it could establish a precedent that would require it to offer credit monitoring in the future even when it wasn’t mandated and might create more fear in the minds of the patients, Ms. McClure said. But of the 6,500 affected patients, only 17% took the organization up on the credit monitoring offer.
“It ended up not being as expensive as we thought,” she said. “We feel like we kind of got back some good will from the community.”