I recently had a conversation with a person who spent decades in the C-suite of some of the worldโs largest organisations. He said to me, โthe thing I used to fear most was the Saturday morning question.โ โWhat do you mean?โ, I said. โWell, often on Saturday mornings I would get a phone call from our CEO who often just read something in the press about a new emerging technology risk and he would ask me what we were doing about it.
My Saturday was over then and there. I spent the rest of the day on the phone with my team getting an answer.โ
He then asked me, โwhat is the Saturday morning question for your customers?โ I found this to be an apt way to define Intangicโs mission.
The questions we hear from risk managers at large companies with captives are: โDo we have enough of the right cover? Are the captive premiums too high? How can we consistently validate our risk posture? What are the best metrics to report to CEO and Board?โ
For large organisations, managing cyber risk in captives continues to make sense after years of ransomware increases, rising costs, reductions in cover and the market requiring more self-insurance.
How do we answer this questions?
Getting better answers starts with first asking different cyber risk questions and then ensuring you have the correct data to answer those questions.
For example, I was managing hedge funds prior to founding Intangic. While investments benefited from profitability of companies investing in digital transformation, I had an uneasy feeling that we – โthe marketโ – didnโt understand the operational risks that came along with cloud migrations, outsourcing technology and digital supply chains.
As a result, I developed my own Saturday morning question for executive teams where we were shareholders: โWith one phone call, I get a validated answer on your credit risk (the credit ratings agencies), your governance and financial risks (Wall St. analysts), so can you validate how you are managing your technology risks (i.e. your cyber)?โ
Ten years ago, I couldnโt get a good answer to my question. With technology driving the value of most corporations, I was sure other risk stakeholders wanted similar answers.
As a result, I ended up seeking answers with alternative datasets that could give me solutions. That process led to what became the data-science foundation for creating Intangic.
Ultimately, that solution is what we provide to large companies: โHow do we validate the performance of our cyber risk posture?โ โHow much should I spend to improve it? โWhat resources are needed?โ etc. Our answers are especially relevant for captive programmesโ need for an independent lens.
What about captives?
Unfortunately, my unease about operational risks due to rapid digital transformation proved right with the rise of ransomware over the last five years. Risk managersโ motives for turning to a captive structure is a smart reaction to the insurance marketโs response to ransomware.
To quote one FTSE 100 risk manager: โWe lost confidence in the value of the product the market was offering. We were being put in the wrong risk bucket by the market. Our best solution was running cyber through the captive.โ Iโd be looking in the same direction.
For risk managers looking for more control, the captive structure is well suited to generate value by achieving greater relevance of cover at a lower price. But again, how do you knowโwith predictive market data, not opinionsโthat you are getting the right value to price ratio?
We assess the risk for companies by looking on a continuous basis at real-time threat activity with unmatched scale and accuracy. No checklists or self-assessments of security controls. By looking across 10,000 networks every day over several years from an attackerโs (not defenderโs) perspective, weโve correctly predicted 82% of large publicly announced breaches over the past 5 years.
With this kind of predictive accuracy (i.e. frequency factor), we then help customers reprice the risk for the captive and save cost on the cover in the process. And with a risk as dynamic as cyber, this is not an annual process. The assessment of breach likelihood is updated monthly.
A vehicle for loss prevention
We can then help companies turn the captive into a โfirst line of defenceโ. With our early warning system for cyber, we give risk and security teams the ability to spot small problems before they become big ones.
With the cost savings generated, risk and information security teams can use things like risk bursaries as a vehicle for smartly investing in risk prevention efforts if and when the risk posture justifies it. Because we donโt just want to answer the Saturday morning question, we also want to help the CISO from ever having to answer the โ3am phone callโ.
More to come at the Airmic Captives Forum
Iโm looking forward to speaking with many captive owners and managers at the upcoming Airmic Captives Forum on 6 March at Lloydโs. Iโll be talking more about the opportunities AI-powered data science can unlock and why well-managed security controls are important, but unfortunately no longer sufficient to lower the risk of a big breach.