Business interruption due to breach top cyber risk concern for captive insurers: Aon

The costs of business interruption due to a breach is the top cyber risk concern for businesses across all industries, according to Aon Global Risk Consulting’s (AGRC) 2016 Captive Cyber Survey report, released on Monday.

As Aon’s first cyber captive survey, the findings offer a better understanding of organizations’ current attitude towards cyber threats, risk assessment, insurance purchasing trends and loss adjustment concerns, AGRC said in a press release. The survey also provides insight into current retail market trends, including captives and other risk financing solutions, said the release from AGRC, the risk consulting business of Aon plc, a global provider of risk management and human resource consulting and outsourcing.

The survey findings indicate that 94% of companies would share risk with others in their industry as part of a captive facility writing cyber. What’s more, Aon experts anticipate alternative risk transfer options to become increasingly sought after as these solutions give companies some control over underwriting, coverage scope and claims adjustment, while providing an opportunity to share best practices, experience and data in a private setting, the release said.

The survey gathered input from risk managers and directors of more than 125 captive insurance companies.

Additional highlights of the report include:

• 61% of survey respondents buy cyber limits in the US$10-25 million range, but overall 60% of large companies do not buy cyber insurance;
• Of those that do, 68% of companies surveyed buy cyber for balance sheet protection, closely followed by ensuring due diligence comfort for the board;
• Only 25% of respondents that buy limits are confident that they comply with international best practices and standards for information security  governance; and
• 95% of companies surveyed state clear policy wording as the most important issue in the cyber risk market and 75% of large companies express concerns about the loss adjustment process.

“Given the evolving nature and complexity of cyber exposures, we found that the use of cyber risk assessments is surprisingly low,” Kevin Kalinich, global practice leader for cyber/network risk at Aon Risk Solutions, said in the release. “Conducting such an assessment is a useful tool for improving risk understanding and maturity as well as for helping organizations better prepare for potential business interruption during or after a breach.”

Peter Mullen, CEO of Aon Risk Solutions’ Aon Captive and Insurance Management practice, spearheaded the report. He said that the findings also indicate that there is a “disparity between companies recognizing that cyber is one of the fastest growing and permeating risks, and actually understanding what their individual exposures and coverage needs are. Captives are a great alternative risk transfer solution for bridging this gap while the industry’s approach to cyber risk management catches up to the evolving pace of technology.”

Aon recommends the following three steps to begin a cyber risk assessment:

1. Scenario analysis: Benchmark the existing cyber risk profile and work with business stakeholders to prioritize cyber risk scenarios;
2. Financial modelling: Leverage advanced financial simulation tools using deterministic modelling to quantify first and third party costs of select cyber scenarios. Consider performing an analysis on non-damage business interruption scenarios using forensic accounting capabilities; and
3. Insurability risk review: Test the adequacy of limits against the assessed cyber risk as well as review the optimization of the proposed insurance program.