Addressing Cyber - A Risk Without Borders
On 1 October, three US hospitals were forced to close to all but the most critical of patients. It followed on from a separate attack, which affected seven hospitals in Australia.
It may not have been on the scale of the 2017 WannaCry and NotPetya attacks, but it was nonetheless another widespread ransomware attack. These events demonstrate that cyber is truly a risk without borders.
Increasingly, due to the global nature of the risk, compliance and efficiency benefits on offer, organisations are opting to include cyber within the scope of their multinational insurance programmes.
A cyber attack may originate in one country and attack the servers of a large corporate in another country. It could affect the client's customers in many other countries, triggering multiple countries' regulatory schemes and data breach requirements. When a cyber event touches customers in five to 10 countries, there can be up to five to 10 regulatory regimes to navigate.
This is where the certainty of a multinational cyber insurance programme makes a difference. A controlled master programme offers the benefits of both local and global insurance protection, and serves as a backstop for all the local policies, providing consistent coverage and a seamless claims service across all covered territories.
"It is no surprise within AIG's multinational insurance solutions team that cyber is our fastest growing line of business," says Stephen Morton, Head of Multinational at AIG Europe. "We now have a standard cyber policy available in more than 70 countries and expect to add several more over the coming months."
"Over the next five to ten years, we envisage cyber becoming as important a product within organisations' multinational insurance programmes as D&O or even property & casualty."
For captive owners, the approach to cyber risk has come a long way. The best approach within a global programme is often a combination of effective use of the captive blended with risk transfer. The ultimate structure would depend on individual client needs combined with client and insurer risk philosophy and appetite. It could be that the captive takes more of the frequency loses with risk transfer being there to address severity impacts. In addition the fronting insurer (such as AIG) could provide ancillary services such as breach response, able to be accessed on a global basis to help mitigate reputational damage
A captive may be used to assume cyber risk on a primary, excess or quota share basis, simply to help manage local retentions (tailoring these to the risk appetite of a client’s subsidiary in a given jurisdiction) and/or to broaden the policy coverage.
"The captive is one way customers can manage different local retention rates across their group whilst supporting a single corporate tolerance," says Morton. "We have seen a few clients take this approach and it has proven very successful, because it has made the coverage more accessible to local entities."
Designing a multinational cyber insurance programme
The first step is an exposure analysis, mapping out the countries and territories in which a company has potential cyber exposures, including customers, suppliers, servers etc. From there, the risk manager can drill down further and begin asking some standard multinational questions, including:
- Is the local operation required, either by law or contractual counterparties, to obtain insurance from locally licensed carriers?
- Which countries have particularly demanding or complex regulatory requirements?
- Will claims need to be paid in-country?