The 3 Cs of Uninsurability: How to Manage and Mitigate Risk Effectively

Matthew Studley CFA, SVP Complex Risk Unit, HUB International

Cryptocurrency is all over the news these days, but the risk is high with the recent downturn creating a so-called crypto winter.

Cryptocurrency is just one example of an extremely difficult-to-insure class known as uninsurable risk. Since virtually all risks are insurable, with enough money and time, it’s important to define the term. Generally, uninsurable risks include one of the following characteristics:

  • Premium costs are operationally prohibitive.
  • The amount of time needed to obtain coverage is burdensome.
  • Available coverage is exceedingly limited or restrictive.

The question is how to manage and mitigate risk effectively when faced with these risks.

Cryptocurrency—An Industry Example

Commercial clients operating in the cryptocurrency industry range from start-ups without revenue to highly sophisticated multi-billion-dollar organizations. Their risk management needs are very different, but what unites them is their uninsurability. The small firms realize insurance costs are much higher than they had first assumed, while the larger firms struggle to obtain broad enough coverage relative to their size.

From an operational standpoint, the sophisticated firms safeguard their businesses by relying on indemnity agreements, contractual stipulations surrounding the custody of private keys, delineation of hot vs. cold storage or additional technological protection such as Fireblocks. Yet, many are still relying on basic insurance products available to the traditional financial services community.

“With the high cost of business interruption and the liability associated with a data breach, cyber insurance is no longer optional.”

Cyber Security—A Product Example

Cyber security has become a risk of increasing concern over the past decade. As a result, the premiums have ballooned while the coverage has become much more restrictive. With insurers pulling back, ransomware costs rising, and clients experiencing huge price increases, the future of cyber-security insurance seems to be trending toward uninsurable.

With the high cost of business interruption and the liability associated with a data breach, cyber insurance is no longer optional. Without these protections, an organization hit by a cyber attack could be out of business. But, with premiums increasing aggressively, along with higher requirements just to obtain a quote, businesses are being stretched too thin.

Yet it’s possible to demonstrate that you and your organization are an attractive risk. Tell your story with an emphasis on the ways you have already lowered your risk. For example:

What operational risk management procedures have you invested in since last year?

Have you done a tabletop exercise with your C-suite to plan for an eventual cyber security event?

Which firms do you, or your insurers, have relationships with to protect legal privilege, or to obtain quick relevant advice, if a breach was to take place? 

If you needed to pay a ransom demand in cryptocurrency, how would you do that? Buying a material amount of Bitcoin on short notice isn’t easy.

Does your firm have additional protections in place to protect against the risks of social engineering loss? Do you have insurance protection for that risk?

Captive Insurance—An Alternative Option 

All of these challenges have led many commercial clients to consider whether some form of self-insurance would be more economical.

A captive can provide customized insurance, risk transfer and risk management solutions that are specific to the needs of the company. The captive reduces costs by setting aside premiums in a loss fund to pay claims. Some of this money could be invested until it is needed, rather than paying it to a third party. It’s possible the captive could even pay a dividend back to the parent entity, further reducing the true cost of the program.

In short, if firms can invest capital and take the time to improve their operational risk management procedures, they can improve their insurability. They need to control what they can control to shed the uninsurable label.

No Comments Yet

Leave a Reply

Your email address will not be published.