Lights Out! Can Insurance Help?
In “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” author Ted Koppel suggests that a catastrophic cyber attack on America’s power grid is likely and that we’re unprepared.
Let’s examine his assertions from a risk management perspective.
• Power Grid Attack Likely?
Clients tell us that they are hacked more frequently than is reported. A Dec. 21, 2015 article, “Biggest U.S. Electric Company Battles Off Steady Cyberattacks,” reported that Duke Energy’s computer systems that manage dams, nuclear power plants and other types of generating plants are under constant attack. A reported cyber attack last month caused one-half of Western Ukraine to lose power.
• U.S. Unprepared?
Opinions differ on whether we have seen improved prevention, mitigation, response and resiliency since the Northeast power outage of 2003. Mr. Koppel described a bureaucracy that is moving slowly and with poor focus against a dynamic threat.
For example, the National Protection and Programs Directorate at the Department of Homeland Security, responsible for coordinating risk reduction to critical American infrastructure, is divided in two separate and distinct parts – one physical and one cyber-related.
We are, however, seeing certain governmental actions and changes. The Cybersecurity Information Sharing Act of 2015, signed into law December 2015, provides immunity from liability to participating organizations that share certain cyber-threat information with the federal government and vice versa.
Federal and state agencies such as the Federal Energy Regulatory Commission may consider increasing fines for grid failures, which have ranged from $50,000 to $350,000. By way of example, Florida Power and Light Company was fined $25 million in 2009 for a February 2008 blackout.
However, most reported cases of cyber damage and regulatory action to date relate to protection of personally identifiable information, such as the Federal Communications Commission’s $25 million fine against AT&T and $100 million fine against Lifelock.
According to the search engine Shodan, the U.S. has more than 57,000 industrial control systems connected to the internet. But how do we quantify potential losses? Information on how companies and the government respond to hacks is often protected and sometimes classified, which can defeat transparency.
A 2015 Lloyd’s of London/University of Cambridge report, “Business Blackout,” sets forth the insurance implications of a cyber attack on the U.S. power grid. The report estimated a hypothetical worst-case scenario of $243 billion to $1.024 trillion in direct and indirect losses, with between $21.398 billion and $71.109 billion in estimated insurance industry losses.
Currently there are not enough stand-alone cyber limits to pay for such losses.
Many property and general liability insurers are inconsistent and/or hesitant about covering cyber exposures, most likely because there is insufficient actuarial data. Lacking that data, we should borrow from other complex modeling situations such as typhoons, earthquakes and hurricanes — relatively rare events that could have catastrophic impacts.
We’ve come to the conclusion that we need to break down the silos between the insurance company property/GL groups and cyber groups, and develop a combined all-risk policy that combines the actuarial data of property losses with cyber experts to identify and quantify frequency and severity. To analogize, a similar approach is used to build terrorism insurance programs, with mixed success (see graphic).
By combining an objective risk management context based on data analytics, we can learn from natural weather incidents and terrorism threats to develop robust public-private partnerships to help improve our preparedness and reduce losses stemming from a cyber attack.
Cybersecurity Doomsday: Bring in the Seals
A cyber security doomsday scenario is possible and would cause total destruction of most of the computer and communications systems on earth.
It would be the final day of judgment for IBM, Amazon, Google, Netflix, and others. It is as unimaginable as the destruction of the global financial system and collapse of AIG, Lehman Brothers, and Merrill Lynch.
Or is it?
We may not be able to avoid doomsday for the world. We can try to avoid a cyber disaster for our own organization. Let’s start by taking a quick detour into the world of cryptography.
Rivest Cipher 4 (RC4) is a widely used cryptographic algorithm, specifically a stream cipher. This is what it does to encrypt data: for as many iterations as are needed, the algorithm modifies its internal state (a 256-entry permutation S) and outputs one byte of the keystream.
In each iteration, it increments i, looks up the ith element of S, S[i], and adds that to j, exchanges the values of S[i] and S[j], and then uses the sum S[i] + S[j] (modulo 256) as an index to fetch a third element of S, the keystream value K, which is bitwise exclusive OR’ed with the next byte of the message. Each element of S is swapped with another element at least once every 256 iterations.
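The loop just described, written out as an added example for this page (not code from the article): the key scheduling that builds S, followed by the keystream loop, checked against a published RC4 test vector. RC4 appears here only to illustrate the text; its keystream has known biases and RFC 7465 prohibits it in TLS, so it is not the state-of-the-art cipher a new design should choose.

```python
# Added example: RC4 key scheduling (KSA) and keystream generation (PRGA)
# as described in the text. Illustration only; RC4 is a broken cipher and
# must not be used to protect real data.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S = [0..255] under the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes):
    """Generator yielding keystream bytes: one iteration per byte."""
    s = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF              # increment i
        j = (j + s[i]) & 0xFF           # add S[i] to j
        s[i], s[j] = s[j], s[i]         # exchange S[i] and S[j]
        yield s[(s[i] + s[j]) & 0xFF]   # K = S[(S[i] + S[j]) mod 256]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR each message byte with the next keystream byte.

    Encryption and decryption are the same operation, which is also why
    reusing a key lets an attacker cancel the keystream between messages.
    """
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())               # bbf316e8d940af0ad3 (standard test vector)
    print(rc4_crypt(b"Key", ct))  # b'Plaintext'
```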
Still with us?
We could read more of this Wikipedia description but that would not be helpful. Most of us do not understand cryptography even as our organizations rely on encryption for securing our computer systems.
Experts can explain it to us and our senior management and the board. It sounds impressive but will it really work? Security experts do not calm our fears.
One of them said, “We can no longer count on keeping the hackers out. Let’s work on ensuring we can catch them once they break in.”
Catching the bad guys and fixing the damage changes the game, particularly since we know that a number of state cryptologic agencies possess the capability to break any cryptographic system.
The danger of attack is augmented with 10,000 or so hackers possessing ultra-sophisticated computer software skills. Vulnerability is now the “normal” cyber security world. All hope is not lost.
We can take steps to reduce the harm from these parties:
- Use state-of-the-art encryption even if we don’t understand it.
- Abandon obsolete and unsecure legacy systems.
- Build business applications on relatively secure, private and trustworthy enterprise cloud computing platforms.
- Monitor all data and systems 24 hours a day.
These security practices help us, but we must do more to prepare for a cyber security doomsday attack.
- Backup our data off the grid.
- Store it securely on guarded systems far away from our people, computers, networks and mobile devices.
- Isolate highly sensitive data on the system and severely restrict access to it.
- Create and train a Cyber Security Seal Team Six.
The last recommendation may seem extreme but a serious cyber failure cannot be ruled out. The possibility demands a reaction force. Not actual U.S. Navy personnel. Rather, a cyber special operations force to be activated when needed to avoid our own organization’s cyber doomsday scenario.
The team needs to be composed of the most skilled and capable people, trained to do the job and available to be activated on a moment’s notice. This is the strategy to respond to a cyber security attack.
Bring in the Seals.
7 Questions to Answer before Choosing a Captive Insurance Domicile
Risk managers: Do your due diligence!
It seems as if every state in America, as well as many offshore locations, believes that they can pass captive legislation and declare, “We are open for business!”
In fact, nearly 40 states and dozens of offshore locations have enabling captive insurance legislation to do just that.
With so many choices how do you decide who is experienced enough to support the myriad of fiscal and regulatory requirements needed to ensure the long term success of your captive insurance company?
“There are certainly a lot of choices,” said Mike Meehan, a consultant with Milliman, an actuarial firm based out of Boston, Massachusetts, “but not all domiciles are created equal.”
Among the crowd, there are several long-standing domiciles that offer the legislative, regulatory and infrastructure support that makes captive ownership not only a successful risk management tool but also an efficient entity to manage and operate.
Selecting a domicile depends on many factors, but answering these seven questions will help focus your selection process on the domiciles that best fit your needs.
1. Is the domicile stable, proven and committed to the industry for the long term?
The more economic impact that the captive industry has on the domicile, the more likely it is that captives will receive ongoing regulatory and legislative support. The insurance industry moves very quickly and a domicile needs to be constantly adapting to stay up to date. How long has the domicile been operating and have they been consistent in their activity over the long term?
The number of active captive licenses, amount of gross premium written in a domicile and the tax revenue and fees collected can indicate how important the industry is to the jurisdiction’s bottom line. The strength of the infrastructure and the number of jobs created by the captive industry are also very relevant to a domicile’s commitment.
“It needs to be a win-win situation between the captives and the jurisdiction because if not, the domicile is often not committed for the long term,” said Dan Kusalia, Partner with Crowe Horwath LLP focused on insurance company tax.
Vermont, for example, has been licensing captives since 1981 and had 589 active captives at the end of 2015, making it the largest domestic domicile and third largest in the world. Its captive insurance companies wrote over $25 billion in gross written premiums. The Vermont State Legislature actively supports an industry that creates significant tax revenue, jobs and tourist activity.
2. Are the domicile’s captives made up of your peer group?
The demographics of a domicile’s captive companies also indicate how well-suited the location may be for a business in a particular industry sector. Making sure that the jurisdiction has experience in the type and form of captive you are looking to establish is critical.
“Be among your peer group. Look around and ask, ‘Who else is like me?’” said Meehan. “Does the jurisdiction have experience licensing and regulating the lines of coverage for other businesses in your industry sector?”
3. Are the regulators experienced and consistent?
It takes captive-specific expertise and broad experience to be an effective regulator.
A domicile with a stable and long-term, top-tier regulator is able to create a regulatory environment that is consistent and predictable. Simply put, quality regulation and longevity matter a lot.
“If domicile regulators are inexperienced, turnaround time will be slower with more hurdles. More experience means it is much easier operating your business, especially as your captive grows over time,” said Kusalia.
For example, over the past 35 years, only three leaders have helmed Vermont’s captive regulatory team. Current Deputy Commissioner David Provost is one of the longest tenured chief regulators and is a 25-year veteran in the captive insurance industry. That experienced and consistent leadership enables the domicile to not only attract quality companies, but also to provide expert guidance on the formation process and keep the daily operations running smoothly.
4. Are there world-class support services available to help manage your captive?
The quality of advisors and managers available to assist you will have a large impact on the success of your captive as well as the ease of managing the ongoing operations.
“Most companies don’t have the expertise to operate an insurance company when you form a captive, so you need to help build them a team,” said Jeffrey Kenneson, a Senior Vice President with R&Q Quest Management Services Limited.
Vermont boasts arguably the most stable and experienced captive infrastructure in the world. Many of the leading captive management companies have their headquarters for their Global, North America and U.S. operations based in Vermont. Experienced options for captive managers, accountants, auditors, actuaries, bankers, lawyers, and investment professionals are abundant in Vermont.
5. Can the domicile both efficiently license and provide on-going support to your captive as it grows to cover new lines of coverage and risks?
Licensing a new captive is just the beginning. Find out how long it takes for the application to get approved and how long it takes for an approval of a plan change of your captive’s operations.
A company’s risks will inevitably change over time. The captive will need to make plan changes which can include adding new lines of business. The speed with which your domicile’s regulatory branch reviews and approves these plan changes can make a critical difference in your captive’s growth and success.
The size of a captive division’s staff plays a big role in its speed and efficiency. Complex feasibility studies and actuarial analyses required for an application can take a lot of expertise and resources. A larger regulatory team will handle those examinations more efficiently. A 35-person staff like Vermont’s, for example, typically licenses a completed application within 30 days and reviews plan changes in a matter of days.
6. What are the real costs to establishing and managing your captive?
It is important to factor in travel costs, the local costs of service providers, operating fees, and examination fees. Some states that do not impose a premium tax make up for it in high exam fees, which captives must be prepared for. Though Vermont does charge a premium tax, its examination fees are considered some of the least expensive options in the marketplace.
It is also important to consider the ease and professionalism of doing business with a domicile in the ongoing operations of your captive insurance company.
“The cost of doing business in a domicile goes far beyond simply the fixed cost required. If you can’t efficiently operate due to slow turn-around time or added obstacles, chances are you have made the wrong choice,” said Kenneson.
7. What is the domicile’s reputation?
Make sure to ask around and see what industry experts with experience in multiple domiciles have to say about the jurisdiction. Make sure the domicile isn’t known for only licensing certain types of captives that don’t fit your profile. Will it matter to your board of directors if your local newspaper decides to print a story announcing your new insurance subsidiary licensed in some far away location?
Are companies leaving the jurisdiction in high numbers and if so, why? Is the domicile actively licensing redomestications — when an existing captive moves from one domicile to another? This type of movement can often be a positive indicator to trends in a domicile. If companies of a particular size or sector are consistently moving to one state, it may indicate that the domicile has expertise particularly suited to that sector.
Redomestications made up 11 of the 33 new captives in Vermont in 2015. This trend is a positive one as it speaks to the strength of Vermont. It reinforces why Vermont is known throughout the world as the ‘Gold Standard’ of domiciles.
Asking the right questions and choosing a domicile that meets your needs both today and for the long term is vital to your overall success. As a risk manager you do not want surprises or headaches because you did not ask the right questions. Do the due diligence today so that you can ensure your peace of mind by choosing the right domicile to meet your needs.
For more information about the State of Vermont’s Captive Insurance, visit their website: VermontCaptive.com.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with the State of Vermont. The editorial staff of Risk & Insurance had no role in its preparation.