Tag Archives: third party risk

SMBs Need to Bulk Up Cyber Security

Third-party risk, the possibility that a contractor or supplier could inadvertently expose the first-party organization to a network breach, may not be the sexiest cybersecurity issue out there. But at RSA 2017, the weeklong cybersecurity conference that drew 43,000 attendees to San Francisco's Moscone Center last month, there was much talk that third-party risk is about to become a bellwether issue.

I mean that in this sense: actually addressing third-party risk is something companies of all sizes, from enterprise-class first-party organizations to SMB-size third-party suppliers, must come to grips with, probably sooner rather than later. What's more, as the effort to mitigate third-party risk unfolds, the trustworthiness of internet-centric commerce should rise, perhaps dramatically.

New market emerges

One marker: tech research firm Gartner has begun tracking a dozen or so technology vendors that market third-party risk solutions to large enterprises. Gartner refers to this fledgling cottage industry as the "IT vendor risk management" (IT VRM) market. In a report last fall, Gartner predicted that the IT VRM market would expand 30% by 2019.


The main growth driver: regulatory requirements.

Case in point: New York state's freshly minted Cybersecurity Requirements for Financial Services Companies, which took effect March 1, includes provisions that require regulated financial services companies to address the security of the systems used by their third-party service providers.

Meanwhile, Europe has begun rolling out a comprehensive set of data-handling rules that also call out third-party risk: the EU-U.S. Privacy Shield, the new framework governing commercial data transfers between the European Union and the United States, and the General Data Protection Regulation (GDPR), the EU's new privacy rules.

SMBs in hackers’ cross-hairs

To be clear, the burden of mitigating third-party risk does not rest solely with large enterprises. The issue profoundly affects small and medium-size organizations. SMBs will no doubt face increasing requirements to prove their cybersecurity fitness in order to win contracts from first-party business customers.

“Third-party issues are driven by the fact that outsourcing trends are continuing unabated,” says Jonathan Dambrot, CEO and co-founder of Prevalent, one of the leading IT VRM vendors tracked by Gartner. He says third-party suppliers, in fact, are believed to be the source of as much as 70% of the network breaches that occur today.

Professional cyber criminals are fully aware of the capabilities of the multimillion-dollar security systems that large companies have in place. So they wisely target “the small provider who’s providing some service and who doesn’t have their security controls,” Dambrot says.

Vendors lack knowledge

Meanwhile, all too many third-party suppliers continue to operate either ignorant of, or in denial about, the exposures they create by failing to adhere to security best practices.

“A lot of smaller firms are still struggling with even understanding what they need to do, from a policies standpoint all the way down to the technical controls,” Dambrot says. “Do they have appropriate controls for encryption, identity management and multifactor authentication?”

It’s very early in the ballgame. In a Ponemon Institute survey conducted last May, the majority of the 600-plus respondents agreed that third-party risk was both serious and growing significantly in their organizations.


However, Ponemon found that only about a third of those organizations had formal programs in place to manage third-party risk, and only about a quarter had purchased cyber insurance to reduce the economic impact of third-party breaches.

Still, the potential for raising the level of internet security over the longer run is palpable.

This post originally appeared on ThirdCertainty.

Risk Distribution – Where Is The Risk?

What if a captive insurance company has virtually no practical risk except to its own related insured? Is risk distribution really present?

Every captive insurance company must demonstrate, among other things, that it has sufficient “risk distribution” to qualify as an insurance company for tax purposes. The United States Supreme Court first mentioned this concept in 1941, with little further definition or guidance. Since then, many judicial opinions and two Revenue Rulings have attempted to interpret and quantify the “law of large numbers” inherent in the idea of distributing risk.

This article will not analyze all of the case law on the subject, but instead will highlight the typical manner in which captives today attempt to achieve risk distribution and will question whether the attempts will ultimately prove successful.

The Internal Revenue Service issued two Revenue Rulings in 2002 that set the IRS’s standard for determining whether a captive insurance company has “adequate” risk distribution to be considered an insurance company for tax purposes. This determination is critical, since the taxpayer’s ability to deduct premiums paid to a captive depends on a finding that the captive qualifies as an insurance company for tax purposes. The standards set forth in the Rulings are arguably tougher than those found in the judicial opinions on the subject, but they remain the basis on which the IRS audits captive insurance companies.

The two Revenue Rulings represent two different paths to risk distribution. Revenue Ruling 2002-90 examines the number of related companies that must be insured in order to sufficiently distribute risk. If the insured group cannot provide a sufficient number of separate insureds, the captive must instead rely on Revenue Ruling 2002-89, which establishes the amount of third-party risk a captive must carry in order to qualify as an insurance company for tax purposes.

Revenue Ruling 2002-90 requires that the captive insure at least 12 separate companies (single-member LLCs do not count), with no one company representing more than 15% of the total premium paid to the captive. [In practice, the IRS seems to accept as few as 6 separate insureds with none paying more than 45% of the total premium, but it is difficult to rely too heavily on such practice, as it may change without notice.]

Most closely held companies cannot meet the standard of Revenue Ruling 2002-90. While the entrepreneur may own separate companies for real estate, distribution, etc., usually there is one main operating company that carries the bulk of the exposures.

Captives insuring those companies must therefore rely on Revenue Ruling 2002-89 for guidance on risk distribution. That Ruling states that the captive must show that “more than 50%” of its risk comes from unrelated third parties. (“Risk” in this case is typically measured by premium.) [For captives located in the Western United States, a Ninth Circuit Court of Appeals case reduces that percentage to 30%, but the opinion is not binding on the IRS outside of that jurisdiction.]

The typical way for small captives (such as those qualified under section 831(b) of the Code) to accept risk from unrelated parties is through a pooling mechanism in which a number of unrelated captives “swap risk.” This risk sharing is accomplished in a number of ways, two of which are common:

  • First, the captive may pay all of its premium to a single “fronting captive” (usually owned by the captive manager), which then cedes 50% back to the captive as reinsurance premium and retains the other 50% for a year or more to pay losses of the other captives using the same fronting mechanism.
  • Second, the captives may sign a direct ceding/retrocession agreement among themselves under which each promises to pay 50% or more of the losses of the other captives that have signed the agreement.

In theory, either one of these approaches to third-party risk should qualify under Revenue Ruling 2002-89. But in actual practice, questions arise.

Many risk sharing programs exempt the first $250,000 of any single loss of any captive from the pooling arrangement. In other words, if the captive pays its insured less than $250,000 on a single claim, it has no right to reinsurance from the other captives in the pool. Indeed, the captive could pay multiple claims, each under $250,000, and still collect no reinsurance at all. On the other hand, a client considering such a pool might take comfort that his captive would be at little risk of paying reinsurance out to other captives, absent a large loss elsewhere in the pool.

These pools are constructed so that in a catastrophic loss, at least 50% is paid by the other captives. Their sponsors therefore argue that the pool still qualifies under Revenue Ruling 2002-89. But few captive pools ever suffer such losses, particularly pools that share risk among 831(b) captives; the types of risks generally insured by such small captives rarely generate large losses. Indeed, one captive manager boasts that in 12 years, no captive in his pool has ever suffered a loss above that first “no reinsurance” layer.

So, is this really risk distribution?

Large group captives typically use a similar A/B loss structure, with a retained A layer below a shared B layer. But the nature of the risks insured by group captives (auto, general liability and workers’ compensation) commonly results in losses above the A layer, so risk distribution is not an issue for them.

The judicial opinions on third-party risk have never addressed the question of layers within a risk sharing pool. Perhaps that is why such pools apparently continue to pass muster when one of their captives faces an IRS audit.

Several years ago, at a national captive insurance conference, an IRS representative stated that if he found that actual captive losses always fell within an exempted layer, he would deny the existence of sufficient risk distribution. But he has since retired, and there is no current indication that the IRS is thinking that way.

Logic would dictate that the absence of actual shared losses also indicates the absence of risk distribution. The IRS may soon test this question in the Tax Court. If logic prevails, many risk sharing pools will be in trouble.