I recently had a conversation with a person who spent decades in the C-suite of some of the world’s largest organisations. He said to me, “the thing I used to fear most was the Saturday morning question.” “What do you mean?”, I said. “Well, often on Saturday mornings I would get a phone call from our CEO who often just read something in the press about a new emerging technology risk and he would ask me what we were doing about it.
My Saturday was over then and there. I spent the rest of the day on the phone with my team getting an answer.”
He then asked me, “what is the Saturday morning question for your customers?” I found this to be an apt way to define Intangic’s mission.
The questions we hear from risk managers at large companies with captives are: “Do we have enough of the right cover? Are the captive premiums too high? How can we consistently validate our risk posture? What are the best metrics to report to the CEO and Board?”
For large organisations, managing cyber risk in captives continues to make sense after years of ransomware increases, rising costs, reductions in cover and the market requiring more self-insurance.
How do we answer these questions?
Getting better answers starts with first asking different cyber risk questions and then ensuring you have the correct data to answer those questions.
For example, I was managing hedge funds prior to founding Intangic. While investments benefited from the profitability of companies investing in digital transformation, I had an uneasy feeling that we – “the market” – didn’t understand the operational risks that came along with cloud migrations, outsourcing technology and digital supply chains.
As a result, I developed my own Saturday morning question for executive teams where we were shareholders: “With one phone call, I get a validated answer on your credit risk (the credit ratings agencies), your governance and financial risks (Wall St. analysts), so can you validate how you are managing your technology risks (i.e. your cyber)?”
Ten years ago, I couldn’t get a good answer to my question. With technology driving the value of most corporations, I was sure other risk stakeholders wanted similar answers.
As a result, I ended up seeking answers with alternative datasets that could give me solutions. That process led to what became the data-science foundation for creating Intangic.
Ultimately, that solution is what we provide to large companies: “How do we validate the performance of our cyber risk posture?” “How much should I spend to improve it?” “What resources are needed?” etc. Our answers are especially relevant for captive programmes’ need for an independent lens.
What about captives?
Unfortunately, my unease about operational risks due to rapid digital transformation proved right with the rise of ransomware over the last five years. Risk managers’ decision to turn to a captive structure is a smart reaction to the insurance market’s response to ransomware.
To quote one FTSE 100 risk manager: “We lost confidence in the value of the product the market was offering. We were being put in the wrong risk bucket by the market. Our best solution was running cyber through the captive.” I’d be looking in the same direction.
For risk managers looking for more control, the captive structure is well suited to generate value by achieving greater relevance of cover at a lower price. But again, how do you know—with predictive market data, not opinions—that you are getting the right value to price ratio?
We assess the risk for companies by looking on a continuous basis at real-time threat activity with unmatched scale and accuracy. No checklists or self-assessments of security controls. By looking across 10,000 networks every day over several years from an attacker’s (not defender’s) perspective, we’ve correctly predicted 82% of large publicly announced breaches over the past 5 years.
With this kind of predictive accuracy (i.e. frequency factor), we then help customers reprice the risk for the captive and save cost on the cover in the process. And with a risk as dynamic as cyber, this is not an annual process. The assessment of breach likelihood is updated monthly.
A vehicle for loss prevention
We can then help companies turn the captive into a ‘first line of defence’. With our early warning system for cyber, we give risk and security teams the ability to spot small problems before they become big ones.
With the cost savings generated, risk and information security teams can use things like risk bursaries as a vehicle for smartly investing in risk prevention efforts if and when the risk posture justifies it. Because we don’t just want to answer the Saturday morning question, we also want to keep the CISO from ever having to answer the ‘3am phone call’.
More to come at the Airmic Captives Forum
I’m looking forward to speaking with many captive owners and managers at the upcoming Airmic Captives Forum on 6 March at Lloyd’s. I’ll be talking more about the opportunities AI-powered data science can unlock and why well-managed security controls are important, but unfortunately no longer sufficient to lower the risk of a big breach.