Rules expected for cyber risk in captives

As an evolving exposure, regulators are monitoring cyber risk and will likely introduce rules related to how captive insurers can cover the exposures, according to industry sources.

State regulators “like to keep up with the rest of the world,” and they risk eventual federal intervention if they are not proactive about cyber regulation, according to David Provost, Montpelier, Vermont-based deputy commissioner of captive insurance for the state.

“If we do nothing, we’re just leaving the door open for more federal intervention,” Mr. Provost said. “Every captive insurance jurisdiction is going to be looking at the likelihood of passing some form of regulation that is similar to the (National Association of Insurance Commissioners’ data security) model regulation.”

Additional regulation in the cyber arena is almost a given, said Jim Swanke, director of risk consulting with Willis Towers Watson P.L.C. in Minneapolis, citing the recent implementation of cyber security regulations on companies by the New York State Department of Financial Services and the higher duty of care being imposed upon boards concerning cyber security issues. “If you are on a board or in company management, you should get a head start on this, because the regulation is coming.”

The New York regulation, which began taking effect this year, requires insurance and financial services companies under jurisdiction of the department to follow specific protocols and file reports on cyber defenses and preparedness.