Large corporate cyber programmes must look to the whole market, as well as consider utilisation of captives and mutuals, in order to find the capacity and coverage required, according to the risk, insurance and captive team at Belgian multinational chemical company owner Solvay.
The challenges of managing cyber security and the role of risk financing were debated at length in a GCP Short, featuring experts from Zurich Insurance alongside risk, captive and information security professionals at Solvay.
Solvay works closely with Zurich on fronting for its cyber programme, which contains large self-retention and captive layers.
“The cyber landscape of threat is evolving all the time so optimization means for us, in risk management and insurance, to get enough capacity to cover a catastrophic risk scenario,” said Sonia Cambier, head of corporate insurance and prevention at Solvay.
“It’s about loss of intellectual property, trade secrets, but also business interruption. It’s clear that there is not enough capacity in the market, so to optimize and to obtain what we need, we use extensively the captive, but also all initiatives to bring capacity into the market like mutuals, like MIRIS, where we are participating.”
MIRIS is a European cyber mutual launched in December 2022, which Solvay is a member of.
Xavier Paulus, Solvay’s deputy chief information security officer (CISO), also joined the discussion to assess current trends in the evolving cyber threat landscape and the direction in which cyber risk is heading.
He said Solvay’s cybersecurity strategy is built on the three pillars of defence, resilience, and insurance.
“The defence pillar is all about implementing strong cybersecurity measures to prevent cyber-attacks from succeeding,” Paulus explained.
“It includes cyber threat intelligence that allows us to receive real-time information on emerging threats and vulnerabilities, and that helps us to identify and respond to potential attacks proactively.
“The resilience focus is on our ability to detect, to respond and to recover from cyber incidents. That includes a robust incident response plan, backup and disaster recovery strategy.
“Finally, we also have the insurance pillar that provides a protection against the financial and the reputational damage that can be caused by a cyber-attack.”
Xavier Groffils, the Luxembourg-based captive director for Solvay, explained that the group’s captive plays three key roles in financing cyber risk.
“The first one is to be a first layer cover to increase the attachment point for the insurance market, so that they are attaching much higher than just after the true deductible,” he said.
“The second role for our captive is to work as a solution to cover gaps in the insurance market capacity.
“Generally, you can sometimes find a fronter and first layer insurer, and then you find high excess cover, but sometimes you are not finding the in-betweens very easily and so the captive is sometimes a facilitator in order to close your capacity.”
The third and future role for the captive is on risk prevention.
Cybersecurity and prevention
Cambier said she expects the captive to play a role “more and more” in financing cybersecurity initiatives at the group level to reduce the risk of future losses.
“Historically, we have always been focusing on prevention first before insurance,” she added.
“We are taking a huge self-retention, we have a big captive, but the next role for the captive to play is to help investing in resiliency and risk prevention in respect of cyber.
“We are, with Xavier Groffils, developing a project where a percentage of the captive premium will be dedicated to prevention to provide additional resource for developing programmes, training and so this is the next step.”
Vivien Bilquez, principal cyber risk engineer at Zurich Resilience Solutions, said cyber insurance is “the most important safeguard today, but it is triggered when it is too late, when the bomb has exploded”.
“To limit and avoid it, it is crucial to be prepared,” he added.
Risk, insurance, CISO collaboration
Collaboration between group risk and insurance, those responsible for the captive and the CISO was the key to designing and implementing a fit-for-purpose risk financing strategy for cyber.
“A collaboration at the level of risk management and cyber security with regular meetings to update each other, that’s a basic, but important thing to mention,” Groffils said.
“Collaboration is key because it’s not possible to be efficient by working in silos on the risk prevention and the risk financing since all represent the three risk protection pillars, that’s our philosophy, especially for cyber risk. All aspects must collaborate together in order to develop the best solution for the company.”
Andreas Ruof, head of proposition development & senior captive services specialist at Zurich, said he expected to see more risk managers going down a similar path and utilising their captive to access greater capacity, contribute to group cybersecurity efforts and understand and market the risk better.
“More and more risk managers are leveraging their captive to centrally collect high quality cyber claims and cyber incident data,” he said.
“It enables superior cyber risk analysis, risk insight and, as a result, well-targeted, effective cyber risk mitigation measures. Over time, the cyber risk quality continuously improves which can further boost your captive’s cyber underwriting profitability as well as your cyber risk marketability.”
Listen to the full GCP Short discussion here, or on any podcast app. Just search for ‘Global Captive Podcast’.