Captives: Underdogs in cyber security

Cyber risk is the same whether you’re insured captively or through the traditional market, but captives aren’t yet able to address the threat well

Risk Management News

“The issue captives have is that they have no easy access to what I’m about to tell you.”

These were the first words in a conversation with John Mullen, one of the top Breach Coach lawyers in the US and a partner at Mullen Coughlin, LLC. What was he about to say? Before we get to that, let’s start with some context.

In the last 15 years, Mullen’s team has handled well over 5,000 data privacy events. Right now, he has a SWAT team of 28 lawyers who do nothing but event response, averaging five to six new cases each day. By the end of the year, he expects they’ll have handled 1,200 in 2018 alone.

Of all those cases in all those years, only three or four have involved captives.  

Captives are a hugely popular way for risk professionals to cover their tough-to-insure exposures. The vast majority of Fortune 500 companies have established captives, and there are now over 7,000 captive insurers operating across the world. Companies insure captively when the traditional market isn’t meeting their needs, either because coverage is unavailable or it’s prohibitively expensive. And it gives risk managers more control over things like safety and claims-control administration.

As far as challenging exposures go, none come to mind faster than cyber. The average cost of a breach in the last three years was US$349,000, according to a study by cyber risk assessment and data breach services company NetDiligence. For a large company, the stakes are 17 times higher – a breach sets you back US$5.9m, on average.

Yet hardly any captive owners are picking cyber up in their programmes. In fact, only 1% of captive owners are funding cyber risk through their captives, according to Aon’s latest ‘Captive Benchmarking Survey.’ 

“Given how unique cyber is, it seems it would be a place for captives, but it’s just not happening yet,” says Mark Greisiger, president of NetDiligence. “Captives are a crucial option generally in the risk management world, but [captive owners] haven’t yet layered in a cyber component. If you’re captively insured, you’re an underdog.”

A lot of the advantages to cyber cover in the traditional world can be chalked up to experience. “[Captives] haven’t had the benefit of the homework that the leading insurers have already done,” says Mullen. “Meaning, two decades of working through how to respond quickly in the event of a data privacy event. That’s a whole science in and of itself that few captives have the time to learn. They generally don’t know the right vendors, and they don’t know the processes and procedures. Often, they spend more than they would had they had access to the resources already identified by the lead carriers.”

Mullen has worked with most of the traditional major carriers that offer cyber to help clients respond to attacks. When there’s a breach, Mullen is often the first person clients talk to.

Which brings us back to what he was about to tell us.

When clients are insured by traditional cyber coverages, this is generally what happens in the first hours following a cyber attack:

– Friday afternoon –

4:30pm
A ransomware event hits a manufacturing company and 100 computers are frozen as a result of the ransomware that got in and spread.

5:30pm
Employees have unplugged systems and tried to stop the spread. They’re somewhat successful and it only spreads to half of their systems, but the damage is crippling. Someone runs into the risk manager in the hallway and notifies them of the event. The risk manager accesses their insurer’s eRiskHub risk management portal, calls the fee-free number for the insurer’s Breach Coach attorney and leaves a voicemail.

“That voice mail goes to 35 people in my office immediately – within seconds,” says Mullen. “We staff until 11:00pm at night and on weekends, too. We’re there. And if we’re not there, we’re at home watching our phones. We’ve had cases come in at midnight or 1:00am and have called back.”

5:35pm
The team clears the insured through conflicts of interest. With the insured’s approval, Mullen’s expert team of lawyers contacts claims and underwriters on behalf of the client and informs them of the event.

6:00pm
Mullen calls the client to communicate attorney-client privilege. “Even though we’re being provided to you through your insurance carrier, we’re your lawyers,” says Mullen. “We will report to them, but you will tell us it’s ok.”

During the call, his team is doing research on the company. “At this point, the risk manager, general counsel, IT lead or someone may be freaking out. Somebody thinks they’re getting fired, and our job is to smooth it out and reassure them that this happens every day and we’ll get them through it.” Which, with six cases a day, is not an exaggeration by any stretch of the imagination.

Then the legal team interviews the client to find out what Google won’t tell them about the entity. Now they move on to an examination of the actual event.

What happened? When did it start? Do you know how it got in or how widespread it is? Have you captured the actual malware? Is it in your backups?

6:45pm
At the end of the call, the team lays out a plan of attack, effective tonight.

  1. Mullen’s team flips over their contact information – including cell phones. They’ll be available all weekend.
  2. They send over a standard retention letter. In the case of most carriers, there’s no deductible for their services.
  3. A forensics team, pre-approved by the carrier, is brought in that evening to investigate, repair, and clean the system.
  4. Mullen reminds the risk manager that all his manufacturing employees have been sent home without telling them what’s happening. “While the scoping call is going on with forensics talking to [the client’s] IT, we have a separate call going on with messaging – for that night,” says Mullen. “[We determine] what we know, what you should and shouldn’t say, and who you should or shouldn’t say it to.”

7:00pm
The team also works with law enforcement on every aspect of the breach. “We don’t let the client do that,” says Mullen. “Half of our lawyers used to be district attorneys. We take care of that if necessary.”

– End of day one –

By the end of Friday evening, all the different vendors are working collaboratively to manage the response. What started with one phone call to a fee-free number ended in a rapid assembly of expert breach responders.

“There’s no way on earth that even if a client went to the fanciest law firm on earth, they would be able to respond that quickly on that Friday night,” Mullen says.

Which is part of the luxury of traditional cyber insurance policies that captives currently don’t have. “All these things are part of the benefits and processes you would be missing in captively insured programmes,” says Greisiger. “They don’t have this stuff in place.”

The carrier networks are a saving grace when the stakes are high and every minute is crucial. “You get this all because the carrier set it up,” says Mullen. “Trying to navigate that on your own, under pressure, when your systems are down – it’s not on the edge of impossible, it is impossible. Without the groundwork those carriers laid out for over a decade, there’s no way on earth a data privacy event is managed this smoothly.”

Captive owners may have ways to get in touch with firms like Mullen’s, but the rates are often more prohibitive than if the services had been included in a policy from a carrier, most of which benefit from years of negotiating preferred rates.

“Whether you’re a captively insured organisation or traditionally insured, you have the same risk,” says Greisiger. But when it comes to cyber cover, captives have room to grow.

“We have seen a few captives enquire about standalone cyber insurance,” says Tim Stapleton, senior vice president, cyber insurance product manager and information technology at Chubb. “There seems to be an acknowledgment that it’s not necessarily a risk that captive structures were designed to capture.”

“But generally,” he says, “we’re seeing more and more large organisations go outside their captives because that’s where they get the expertise. I think they’re acknowledging that the exposure is more complex than they might have originally thought, and they do get access to all the value-added services that come in a standalone cyber insurance product.”
