Coming Soon: Cyber Ratings?


According to a recent report in, a new generation of cyber ratings firms is becoming known for rating a company’s cyber hygiene in much the same way that Moody’s and S&P set the standard by which we understand a company’s creditworthiness, or Fitch and A.M. Best rate the financial strength of insurance companies.

New cyber ratings firms size up companies from the outside, continuously and non-invasively, using the same externally observable signals an attacker would see. They offer a numerical, FICO-like score or a letter grade, much like the credit rating agencies employ. Because the measurement is continuous, a change in any of the factors the rating is built on can instantly raise or lower a company’s rating. Bringing cybersecurity into the vendor risk discussion requires a cross-functional effort that typically involves finance, operations, procurement, and now IT.

Cyber rating data, and the reports that drill down into each of the underlying factors, give underwriters the ability to make decisions based on objective, near-real-time data, and reward more secure clients by charging lower premiums. By “owning” this risk more closely through a captive, those responsible for cybersecurity will be more effective in justifying the technology expenditures and changes in organizational behavior that can improve their rating. As the report states, when these ratings become more visible in the marketplace, companies that have invested in security will enjoy a competitive advantage over their less cyber-hygienic peers.

I am heading out this weekend to attend the CICA annual conference in Scottsdale, so I hope to see a number of you out there. Dennis Harwick always puts on a good show, and it is a great opportunity to talk to industry leaders and hear what’s happening in our dynamic space.

Thank you all very much, and I look forward to hearing from you.

The Cyber Conundrum

Last month, the Federal Insurance Office (FIO) issued its third annual report on the insurance industry, and I found two things of note. First, the report criticized state insurance regulators for not doing enough to address ongoing concerns about captive reinsurance. Of course that caught my attention, and we know this is an ongoing issue between the NAIC and the FIO, but it was the report’s discussion of cyber risk that really caught my eye.

The report estimated that the U.S. cyber insurance market has about $2 billion in capacity, and the FIO indicated that underwriters should improve their cyber risk processes, encourage the pooling of insurance loss data, and build up cyber risk expertise. “Recently, concerns have been raised regarding the capacity and scope limitations of the cyber risk insurance market, with some market participants describing market capacity for cyber risks as ‘very small’ and observing that billion dollar coverage limits are needed to adequately address the losses posed by cyber risks,” said the report. There has been a lot of discussion of writing cyber risk in captives, and we have a good example in Penn State’s captive, Nittany Insurance, which writes cyber coverage for all of the university’s students, researchers and faculty. As Nittany’s Gary Langsdale outlined in the cyber webinar VCIA held in May of last year, on an average day at Penn State, 170,000 email accounts on over 100 separate systems receive 3.2 million emails; in addition, last year their email filters blocked over 95 million spam emails!

As with terrorism risk, the question becomes whether we are now at a place where the impact of a single cyber-attack could be so great, and cover such a large swath of territory, businesses and systems in the U.S., that cyber risk insurance programs would be overwhelmed. To me it raises the question of whether a program similar to TRIA, with the U.S. government as a backstop, needs to be devised. TRIA and its subsequent extensions serve as a federal reinsurance backstop for commercial property and casualty policies covering losses due to certified acts of terrorism in the U.S. In exchange for that federal support, insurers are required to offer terrorism coverage.

As with terrorism coverage, a captive providing cyber risk coverage with a federal backstop could offer several advantages over a commercial insurance carrier, in addition to the typical advantages of a captive program. Because TRIA sets an insurer’s deductible as a percentage of its direct earned premium, and a captive’s aggregate earned premium is minimal compared with that of a commercial insurer, the captive’s deductible is often quite low. The government, using guidelines similar to TRIA’s, could respond to certified losses that are typically excluded in commercial cyber policies. Captives are not required to pay funds to their policyholders in advance of receiving reimbursement from the federal government, alleviating cash flow issues. On the whole, corporations accessing TRIA directly through their captives generally have broader coverage and, in the event of no loss, may recoup premiums.

My fear is that without a federal backstop similar to TRIA, cyber capacity could dry up after one or two big cyber-attacks. Something to think about.

Thanks and keep in touch!

Rich Smith
VCIA President

The Doctor’s In

In an article in Security Magazine this month which cited the 2015 Travelers Business Risk Index, 44 percent of executives think that business environments are becoming riskier and that businesses are ill prepared for such risks. I like these studies (as many of you know) because I think they provide good indicators of what’s happening in our world of risk.

Of all the business risks currently in play, medical costs and cyber risk are the ones executives feel least prepared to handle. The biggest overall concern was medical cost inflation at 33 percent, with cyber risk a close second at 29 percent (compared to 2014, when cyber risk ranked fifth). Other areas cited as major concerns in the survey included global conflicts and political instability, and more than half of businesses cited extreme weather as a growing worry.

Not surprisingly, these risks have increasingly found their way into discussions with captives and risk retention groups. Unlike much of the risk covered by the traditional insurance industry, emerging risks continuously evolve – like a virus. And traditional insurance is like today’s antibiotics – less effective these days in treating the bugs! Because captives are as mutable as the risks they are meant to mitigate, they are truly the new medicine to fight today’s highly contagious risks!

I hope I will see some of you at the upcoming National Risk Retention Association conference in Chicago next week. Thanks and keep in touch!

Rich Smith
VCIA President

The Matrix – the next captive frontier

According to a survey conducted at the Risk & Insurance Management Society conference in April, 76 percent of risk managers said the loss of confidentiality of information was the biggest cyber risk, followed by 16 percent who cited service interruption and 5 percent who cited government intrusion. About 70 percent of U.S. businesses experienced at least one hacking incident in 2014, and more than 50 percent of risk managers say their businesses are not doing enough to prevent cyber-attacks. Even with this information, surprisingly, about 36 percent of businesses do not have any level of cyber insurance, while 46 percent said their business had purchased cyber insurance for the first time or increased its coverage levels in the last year.

Cyber risk is a hot topic for potential coverage by captives. Several educational sessions have been held on defining, preparing for and preventing the risk, but because captive cyber coverage is still at a relatively early stage, it represents a small percentage of the overall risk covered by captives. There are many issues one has to consider: risk selection; understanding the types of risks and exposures; how the risks are structured; capitalization and forms of capital; and access to reinsurance. VCIA hosted a webinar that included a case study by Gary Langsdale, the risk manager of Nittany Insurance Company (Pennsylvania State University), on the cyber exposures they face and how they built a successful program to cover those risks. Understanding the specific risks faced by your organization, and then crafting a cyber program tailored to those risks, has substantially limited Penn State’s ongoing cyber exposure. The webinar is called “Captives & Cyber Risk: Exposure, Coverage and Opportunity” and it’s available from VCIA’s Resource Center on

So you have a choice, Neo: which pill are you going to take?

Thank you all very much, and I look forward to hearing from you.

Richard Smith
VCIA President