Mark Camillo, Brian Botkin, and Nuno Antunes, of AIG, share their views on creating a cross-border cyber policy, modelling cyber risk within different territories, the current trends in cyber risk coverage and more.

Captive Review (CR): Where should those who want to bring a cyber policy across borders start?

Brian Botkin (BB): The first step in designing a multinational cyber insurance programme is an exposure analysis, mapping out every country and territory in which a company has potential cyber exposures, including customers, suppliers, servers, and more. From there, the risk manager can drill down further and begin asking some standard multinational questions, such as:

  • Is the local operation required, either by law or contractual counterparties, to obtain insurance from locally licensed carriers?
  • Which countries have particularly demanding or complex regulatory requirements?
  • Will claims need to be paid in-country?

Ultimately, a multinational programme that reflects a company’s preferences, goals, and risk management appetite is created. To meet the needs of the smaller local subsidiaries, a captive may be introduced to the cyber programme to help “buy down” high retention levels that they otherwise could not meet. The captive becomes a way for the client to control the different retention rates across their network and level the playing field, so to speak. We have seen a few clients take this approach and it has proven very successful for them, because it encourages local entities to agree to the programme.

From a captive perspective, cyber insurance is still in its infancy, but there has been a natural progression towards multinational cyber insurance, which is even more so in its infancy. However, cyber is our fastest growing line of business in the multinational and captive space.

Mark Camillo is head of cyber, EMEA and is responsible for the CyberEdge® suite of end-to-end risk management solutions at AIG. Prior to this role, he led the cyber team for the Americas including oversight of the Personal Identity Coverage (PIC) and Payment Fraud Products. Camillo has a Masters of Business Administration from SUNY Buffalo and a Bachelor of Science degree from the University of Wyoming.

Brian Botkin is head of multinational, financial lines and is responsible for providing leadership and strategic vision for multinational placements within financial lines at AIG. In addition, Botkin and his team are responsible for the design and execution of multinational programme structures for clients of all sizes and in all industries. Botkin graduated from the University of Pittsburgh, where he received a Bachelor of Sciences degree in Physics and Astronomy.

Nuno Antunes is based in London and is currently SVP and UK head of multinational and global fronting, a member of both the global multinational and the UK leadership teams and a board member of AIG Global Benefits Network (Brussels) and AIG Russia. Antunes is ultimately responsible for the multinational and captive fronting offering to AIG’s UK produced clients and is a senior point of contact within AIG for large multinational clients.

CR: What have you been seeing on a global basis in terms of cyber claims?

BB: The majority of cyber claims are multinational. A cyber-attack originates in one country, and attacks servers in another country – a tier one financial institution with servers based in Bulgaria, for example – and this is where the cyber-attack ultimately takes place. The data breach or ransomware could affect customers in many other countries. The entire event is therefore multinational and triggers multiple countries’ regulatory schemes.

This is why cyber lends itself so well to a multinational programme. Today and against this landscape, different countries have differing levels of maturity in terms of the regulatory environment surrounding cyber. When a cyber event occurs, and it touches customers in 5-10 countries, there may well be 5-10 different regulatory regimes to navigate. And, as an example, the rights of customers in some regions may be explicitly protected – like those of EU/EEA citizens under GDPR – but they may not be in other places where the regulatory infrastructure is less developed.

Because of these local variations, a controlled master programme (CMP) offers the benefits of both local and global insurance protection and serves as a backstop for all of the local policies, providing consistent coverage and seamless claims service across all covered territories.

CR: What are the challenges of using a cyber product in the multinational programme context?

Nuno Antunes (NA): Given the relative newness of the product in many countries around the world, the first challenge will be around product availability. This is an area where AIG has been putting a lot of effort and resources over the last couple of years and we now have a standard policy available in more than 70 countries. While that is remarkable and makes AIG one of the best-equipped insurers in this space – when measured against more standard lines like D&O, property or casualty, where we have coverage available in 215+ jurisdictions – you see that there is still a long way to go.

Another important point is the fact that in many countries, the legal and regulatory framework is fairly unsophisticated when it comes to standalone cyber coverage. Understanding things like necessary documentation to issue such a policy or applicable taxes may prove to be challenging as well.

The buying process is also different from that of other lines of business. When it comes to cyber there are still a lot of “first time buyers” and within their organisations the understanding of this type of exposure is still evolving. So, over the years, we have seen delays in the implementation of cyber programmes because the organisations themselves were struggling to properly understand the risks on a global basis. Often we’ve seen companies begin with a few local policies, and then continue to add others gradually as their understanding of the risk develops. In any case, there has been a steady shift towards the increasing adoption of cyber multinational programmes, which we expect to continue.

Another thing to consider when we look into global programmes (and not just for cyber) is the company’s risk management strategy. While some are centralised, with the organisation’s risk manager making the decisions around purchasing protection and for whom, others may utilise a more decentralised approach, wherein the risk manager functions like an internal consultant, helping local managers recognise the value of a given type of coverage before purchasing. This second option obviously presents more challenges in terms of not only the implementation of the programme, but also from a consistency of coverage perspective.

A final consideration is one that relates to the cyber risk appetite of a client’s captive. A captive may be used to assume cyber risk on a primary, excess or quota share basis, simply to help manage local retentions (making these suitable to the dimension and risk appetite of a client’s operation in a given jurisdiction) and/or to broaden the policy coverage. Here again, as this type of risk is still relatively new, we often see delays in the implementation of programmes that will be linked to the definition of the captive’s premium and retention levels.


CR: From a US manager standpoint, what does the current cyber landscape look like?

BB: When putting together a controlled master programme for Directors and Officers (D&O), for instance, the first question to ask is: in which countries are the organisation’s directors and officers located? These tend to be the big financial centres around the world. When putting together a cyber programme, however, the countries we often see are places like Indonesia, Poland, Serbia – countries with large ‘server farms’. It’s also a question of where the customers are. If you look at the top 20 countries where cyber policies are issued, the D&O list is very different than the cyber list.

This difference highlights the importance of having a multinational insurance partner with an extensive global network. The ability to have local policies issued is critical in territories where the legal and regulatory framework is less developed. A global policy issued in English in the UK will not perform in such jurisdictions as it does in London.

In the case of cyber, a local policy form may not yet exist in many territories. Depending on the location, we begin with a standard policy issued in the UK, France, Dubai, etc., and localise it to fit local language, law and custom. At AIG, we don’t believe in a one-size-fits-all approach.

CR: What does the process of modelling cyber risk with the insurer look like?

Mark Camillo (MC): Clients are asking more questions around how their cyber risk is being underwritten and if they have an advanced level of cyber-security maturity, they want to see how that translates to better insurance coverage terms, more reasonable retentions, and lower premiums. And they often also want to know whether they are benefiting from the investments being made on the security side.

In order for us to bring more transparency to the underwriting process, we’ve been looking at ways to model cyber risk in order to give better information back to clients. This begins with monitoring threat data as the circumstances are always changing based on the actors and the geographic regions they are targeting.

We pull in multiple threat data sources that are continually updated, and these give a general picture of what the threat landscape looks like, which varies by industry. We then look at the business impact that a particular threat or event could have on an organisation to calculate the implicit risk. Next we evaluate the control effectiveness to get to the residual risk, comparing this to our probability and claims data in order to model the exposure.

With such data, we can also begin comparing a company with its peers, and we can highlight what the top threats are at a given time, what the firm should be the most concerned about, as well as the top five risk reducing controls that we as the insurer would recommend. From this, we can help clients identify which controls would give them the greatest benefit and overall value for the money.

In addition, we give clients information on how we view them from both a frequency and severity perspective – showing them what we think a worst-case data breach would look like as well as a worst-case business interruption scenario. Combined with their own internal modelling, this can help clients determine which coverage to purchase and how much.

CR: What threat trends are you currently seeing in the EMEA region?

MC: In 2018, 23% of our clients’ incidents were related to business email compromise (BEC). This is not surprising as bad actors are always looking for the simplest attacks that have the most potential for financial gain (for example gaining access to mailboxes to find sensitive personal information or use them to divert funds). This can be costly for our insureds in terms of both the ensuing forensic investigation and the steps taken to control the damage. Ransomware is also significant and is our second largest cause of loss. We expect to see a continuation of more sophisticated, targeted attacks, where bad actors are going to make much higher extortion demands.

In terms of impacted industries, the professional services sector was most targeted with 22% of claims coming from this sector. Accountants, solicitors and consultants tend to have their own networks with secure information, but they also deal with multiple clients. By targeting those in professional services, bad actors have the potential to access even greater volumes of sensitive data.


CR: Why are service providers important and what makes for a good one?

MC: The focus for the past few years has been on the service providers who provide post-incident support. After having experienced an incident, clients want to have access to a 24/7 hotline for immediate support and access to forensic investigators who are able to understand, from a technical perspective, what is going on and how the situation can best be controlled and remediated.

Within the first 48-72 hours post-event, we provide these types of services without retention because we feel strongly that dealing with an incident effectively in the early stages can significantly reduce the ultimate cost to the organisation.

Over the past few years, there’s also been a focus on loss-prevention services. A part of this would be the aforementioned modelling process, giving the insured a better idea of where they could make cyber-security improvements. But it also means providing services that can reduce the risk, and we include these at no additional cost as part of the policy for qualified insureds. They include vulnerability scanning and a cyber-security e-learning curriculum (a gamified programme that includes 40 cyber training modules available in 11 different languages).

The e-learning platform serves the further purpose of tracking employee completion and testing the employees to ensure a well-developed understanding of the inherent risks, such as scam emails or false links embedded within them, and the role employees must play in risk-mitigation.

CR: What are the current challenges in the cyber market?

MC: One of the biggest challenges in the industry is viewing ‘cyber as a peril’ vs. cyber as just a single insurance product. A cyber event can impact almost every insurance policy that we write, so it is important to understand what policies include cyber coverage and how these policies will respond when a cyber event occurs. Our goal is to have affirmative cyber coverage across all of our products. That is, we want to make it clear within our policies what we intend to cover: cyber physical – losses that cause some type of kinetic or physical event; or cyber non-physical – intangible losses that the traditional cyber insurance market addresses, such as responding to network and data incidents.

This article first appeared in Captive Review - June 2019