Cyber Risk and Self-Insurance

Alternative risk management tools such as mutual self-insurance structures is an ideal risk mitigation option in the ever-evolving cyber risks threat
Alternative risk management tools such as mutual self-insurance structures is an ideal risk mitigation option in the ever-evolving cyber risks threat

Technology can be a double-edged sword. It makes processes faster and easier whilst at the same time, exposes companies to new risks, especially as more and more companies interlink their processes with the Internet of Things to improve operational efficiency and effectiveness. However, more often than not, with the implementation of such technologies, organisations are in turn exposed to other types of vulnerabilities.

One such notable example of a large scale cyberattack is the WannaCry ransomware that disrupted numerous global telecommunication providers, energy companies, banks and government ministries. In fact, an IBM study revealed that in 2016 alone there were more than four million data breaches globally and this amount was a hike from the combined total for 2014 and 2015.

Akamai’s findings also showed that there was a 14% increase in the total number of distributed-denial-of-service attacks in the last quarter of 2017 from the previous year and while the 2017 Cost of Cyber Crime Study revealed that businesses spent nearly 23% more than 2016 with an average of USD11.7 million to manage incidents and disruptions from cyberattacks.

According to the Organisation for Economic Co-operation and Development (OECD), the estimated loss suffered by small firms due to denial-of-service attacks is estimated to be over USD50,000 and around USD450,000 for larger companies.

However, a much unrated cost is the cost of managing this risk! And why are companies spending even more to counter attacks or risks arising from the technology that they have already invested in?

Ruben Tan, Chief Technology Officer at Neuroware.io (a company that helps organisations define new opportunities by adopting technologies such as blockchains) describes cybercrime and cybersecurity is always in neck to neck competition, and as such ensuring proper and customised insurance coverage is an important step in managing cyber risks.

“Almost as soon as a new security measure is released, it gets broken. A foolproof security does not exist. Companies should not merely rely on their current defense systems, no matter how advanced they may be, to keep their core businesses safe. Instead, they need to think about contingency plans, redundant backups, and most importantly, a proper and customised insurance coverage to cover inevitable losses,” said Tan.

The ever-evolving risk in the digital landscape, and the role of self-insurance?

Risks are dynamic, and risk profiles in new technology is even more so. Indeed the ability to keep pace in this new digital landscape is no mean feat, and while there are various cyber insurance policies available in the market, many are not suitable, have limited coverage for certain types of risk and do not address the risk of a multifaceted digital threats, which invariable include reputational risk, loss in market confidence and even the risk of insolvency especially for businesses in the financial and banking sectors.

For many such businesses, customised self-insurance coverage such as captive insurance becomes an option to manage and mitigate cyber risks.

“In a rapidly evolving industry such as technology, traditional insurance struggles to meet the changing demands of customers and entities. Captives technology provides a more flexible, nimble and innovative solution. Captive provides the ideal vehicle to ‘incubate’ these risks until sufficient loss history is available to enable the commercial market to sensibly compete,” said Malcolm Cutts-Watson, Managing Director of Cutts-Watson Consulting Limited.

On the same note, Anthony Egerton, Principal Officer of Huntington Underwriting Limited said self-insurance tools are adequately applicable to underwrite increasingly pervasive risks related to technology.

“These self-insurance tools (such as captives) can be just as applicable to the increasingly pervasive risks associated with technology or digital, as they have been historically to property, casualty, marine and other traditionally insured risks,” said Egerton.

Although these self-insurance tools are a well-established, Egerton noted that the capacity of a captive insurer to assume these ‘newer’ risks will be determined by the availability and cost of reinsurance noting that the breadth and cost of risk transfer capacity for newly emerging technology risks are currently limited in the Asian region.

Despite that, he believed that the risks handled by these tools will continue to develop as greater knowledge and broader experience emerges, allowing captives to fulfil the gap in the insurance marketplace in respect of new and emerging risks.

On his take on using self-insurance, Egerton also explained: “Planned self-insurance (cf. non-insurance) via simple risk retention, captive insurance or other similar arrangements, are now standard components within the risk management tool-kit. The manner and extent of use of such components need to recognise the risk retention capacity and appetite of the holding company and its stakeholders.”

Self-insurance for technology-related risk? Captives for small-sized fintech firms

Notwithstanding, Tan strongly believes that small-scale companies such as the fintech should consider using customised risk management tool such as captives.

“Small-scale fintech companies can use such solutions because these fintech companies can grow at exponential rates really quickly, far quicker than their technology infrastructure can accommodate most of the time.

“Additionally, fintech companies usually handle sensitive information right off the bat, they require all the protection and safeguards they can afford from the get-go. The stakes are far different compared to say, a consumer app,” he explained.

On awareness level, Tan thinks most startups have little awareness on the use of self-insurance tools such as captive insurance and for fintech startups, it will be beneficial for them to be well-aware of the benefits and advantages of self-insurance.

“I believe startups in general have very little awareness about insurance products. And to be honest, most generic startups have no need for that. Fintech startups though, are a whole different ball game. From the get-go, they need to deal with regulators, sensitive information, above average security measures and so forth.

“Therefore, fintech startups shouldn’t be ignorant about insurance coverage either, considering the fact that if an attacker were to target a company for a heist, most likely they would gravitate towards fintech companies considering the kind of commodities they can steal (valuable personal information or financial information at the very least).

CEO of Labuan IBFC Inc, Farah Jaafar-Crossby agreed that there is a need for tech startups to use self-insurance tool to underwrite their unique risks.

“Captive insurance is a unique concept and can be structured according to the needs of the business or indeed the idiosyncratic demands of the risk being mitigated – including cyber risks.

“Tech startups, for instance, often have unique business models and risk profiles – with very much of their competitive edge stemming from concepts and technologies that are new to the market – their unique risks can be tailored underwritten by setting up a group, association or mutual captive and this could be used alongside with the traditional insurance approach,” said Farah.

Additionally, Farah believes that: “It is important to truly appreciate that self-insurance is not just for large conglomerates. It is a suitable solution for medium-sized business, or even groupings with shared interest as well, for example groups of professionals such as lawyers, medical practitioners etc., where there are advantages and cost-efficiency to be had in the pooling of risk”.

“As such, there is no reason why fintech start ups are not able to pool their interest together towards ensuring better risk mitigation, especially as cyber risk coverage is not standardised,” she added.

Labuan IBFC: Well-placed for technology-related risk captives

A great proportion of the captive premium written by companies in the Asian region is held in captives domiciled in the jurisdictions located in the region itself. One of these jurisdictions is Labuan IBFC that has been making its mark among other Asian jurisdictions.

According to the World Domicile Update published by Captive Review recently, of the 14 new captives established in Asia in 2017, six were set up in Labuan IBFC, making it the fastest most active jurisdiction in the region.

Indeed, the midshore jurisdiction is also known to be the only jurisdiction in the region to offer Protected Cell Companies and Shariah-compliant captive structures. In addition to its unique offerings, Cutts-Watson believed that Labuan IBFC has the necessary legislations in place to host cyber risk captives given its reputational as a well-regulated jurisdiction and its agility to welcome captives writing various risks.

“Labuan is well-placed to host these captives given its internationally accepted regulatory regime yet always open to consider new risks. Given the growth in Asian tech companies, Labuan provides proximity, similar time zones and cultural alignment and therefore an ideal captive domicile,” he said.

Besides this, Labuan IBFC has also been making concerted efforts in developing the self-insurance industry in the Asian region.

Returning for its second year, Labuan IBFC and Labuan International Insurance Association is organising the Asian Captive Conference (ACC 2018) in Kuala Lumpur on August 1-2. Themed “Challenges of Self-Insurance: Transparency and Digital Disruption”, the ACC 2018 aims to highlight the challenges and disruptors risk managers face from technology while meeting the growing demands of tax transparency and substance brought about by multilateral organisations and regulators.

The ACC 2018 will also share best practices and strategies relating to various self-insurance models, risk retention approaches and domicile selection adopted by multinational companies and industry professionals. Find out more about ACC 2018 here.

Source: https://www.labuanibfc.com/resource-centre/featured-articles/cyber-risk-and-self-insurance