Captive Concerns: Addressing Cybersecurity
Over the past few years, cybersecurity incidents have made headlines around the world. It would be unusual for a week to go by without mention of another high-profile breach. Cybersecurity refers to a set of measures used to protect the integrity of computers, networks, programs, and electronic data against unauthorized access, damage, and use. Cybersecurity governance includes operating policies and protocols adopted to maintain an appropriate posture in terms of cybersecurity hygiene.
What Does This Mean for Captive Insurers?
As stand-alone, regulated companies, captives need to demonstrate due diligence in all appropriate matters including conducting activities at arms-length and demonstrating attention to significant developments in the industry. This basic objective creates an obligation without regard to specific compliance being imposed via regulation, law, etc.; these are issues of basic due diligence and reputational risk. The governing body of the captive insurer has an obligation to monitor environmental issues, and based on the current level of seriousness/risk to the organization, take reasonable action even though it may not yet be imposed by regulation or law.
While captive owners need to demonstrate due diligence as a matter of due course, there is growing list of cyber requirements already placing mandates on captives. Two key examples of laws or regulations currently in place – which afford a useful preview of what’s likely to come in other areas – are the affirmative regulatory obligations in place for New York-domiciled captive insurers and for captive insurers doing business with, or utilizing data of, citizens of the European Union. Several other domiciles are well along with actual cyber requirements coming into effect or active efforts currently underway.
- The European Union’s General Data Protection Regulation.
- The New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies.
- California Consumer Privacy Act of 2018.
- The United States’ National Association of Insurance Commissioners’ Insurance Data Security Model Law (which individual states are expected to adopt some form of soon).
- Bermuda Personal Information Protection Act 2016.
- Data Protection Law coming into effect in the Cayman Islands in January, 2019.
These laws and regulations directly affect not only captives, but captive managers, captive owners, and parent companies globally. The core requirements these laws impose will likely, if not already, be required in many jurisdictions soon and, even where not mandatory, set the standard for best practices. Accordingly, and based on the trajectory of the laws, regulations, proposals, and overall signals of what constitutes reasonable due diligence, Marsh recommends that all captive insurers work to put in place a basic cybersecurity governance framework that addresses vulnerability assessment, documentation, third-party service providers, and event reporting .
“High Value” Electronic Data
While data collected by captives varies, insurers, captives, and third-party administrators tend to capture a great deal of data, including data that qualifies as personally identifiable information (PII) and protected health information (PHI). Common sources include: biographical affidavits, banking documents, and claims files. In addition, captives and their third-party administrators are often privy to confidential or even “inside information,” as that phrase applies in various jurisdictions. For example, the loss of detailed product liability information could hurt the sponsor or impact their involvement with potential mergers and acquisitions activity.
With several laws already in effect and more on the way around the world, the message is clear – entities need to perform comprehensive cybersecurity due diligence if their operations entail the collection, use, transmission, or storage of information common to captive insurers. There is great interest in this area, particularly around breach notification, the collection and use of personal data, and minimum standards of conduct by companies related to cybersecurity. As this issue will be top of mind over the next few years, captive owners should begin working with their service providers now to introduce cybersecurity governance, such as building appropriate mitigation procedures, reducing the amount of protected data in the work stream, completing vulnerability assessments, and performing other related projects to protect their interests from the growing threat of cyber-attacks.
Marsh Captive Solutions is actively exploring and investing in more advanced technologies and software upgrades to address the cybersecurity governance needs of our clients. We have developed specialized materials and are continuously training our staff on risk factors related to various forms of data, cybersecurity threats, cybersecurity mitigations, and what governance should look like within an entity. These materials and our training efforts make it easier for our clients to customize their cybersecurity governance program with their captive management teams to their specific needs as efficiently as possible. In addition to seeking education, tools, templates, and administrative support from captive managers, captive owners should also engage legal, compliance, and/or cybersecurity experts where appropriate.