The Cyber Risk Collaborative

Evaluate. Collaborate. Elevate.

Program Overview

Cyber-attacks are a constant threat, and they are growing more sophisticated. They put at risk not only individuals but entire nations and the critical infrastructure those nations depend on.

Even though the United States government has been strengthening its approach to protecting the nation’s critical infrastructure, it cannot do so alone. We all play critical roles in ensuring the nation’s long-term security. This is especially true for critical infrastructure organizations, such as those in the defense supply chain, some of which are already investing heavily to improve their own cyber programs.

We believe these security-forward organizations deserve to be rewarded for their efforts.  That is why we are building a “captive” insurance company just for them.

Captives are community-based insurance companies inspired by the age-old mutual insurance model. The Cyber Risk Collaborative (CRC) builds on the captive concept by leveraging, and strengthening, the interdependence of its members. We do this not only through traditional risk sharing, but also by creating a culture of shared resources and information sharing. This lowers the cost of risk, enables faster responses to incidents, produces a more resilient critical infrastructure supply chain, and contributes to a more secure future for every American.

Shared Risk Approach

A captive insurance company is owned by the group of businesses it insures and operates within a shared risk model. The captive provides coverage exclusively to its member (parent) companies. The member businesses pool their resources to form the captive, which then assumes their risks. Because the members own the captive, they can manage and control their own insurance coverage and tailor the captive’s policies to their specific needs and risks. The shared risk model gives members more control over their insurance costs, claims process, and risk management strategies, which can lead to cost savings and improved risk mitigation.

High Standards

The impact of a single cyber incident on an individual company can be crippling. An October 2020 study from the United States Cybersecurity and Infrastructure Security Agency (CISA), “Cost of a Cyber Incident: Systematic Review and Cross-Validation,” indicates that the average per-incident cost for small businesses (fewer than 250 employees) and medium-sized businesses (250 to 999 employees) could range from $5,000 to $226,000. For large businesses (1,000 or more employees), that cost jumps to $102,000 to $40 million.

As a first line of defense, only organizations holding a current Cybersecurity Maturity Model Certification (CMMC), or a Joint Surveillance Voluntary Assessment (JSVA)-validated Supplier Performance Risk System (SPRS) score of 110 (a perfect score, meaning all 110 NIST SP 800-171 requirements are implemented), are permitted to participate in the CRC. One of the CRC founders, Jim Goepel, co-created the ecosystem surrounding the CMMC program.

Although CMMC certifications were created to ensure that defense contractors properly handle and protect the government’s sensitive information, they also serve as an objective, third-party-assessed measure of an organization’s cyber maturity and resiliency. This means CRC members can be confident that the other members of the captive have also embraced the security-forward culture necessary to stay safe in today’s challenging world.

Shared Information

Our adversaries are smart. They share information and resources with each other, understanding that this makes them far more powerful than working independently. We need to beat them at their own game. Rather than leaving members to work in isolation, the CRC creates an information sharing community.

To preserve confidentiality and attorney-client privilege, members sign appropriate nondisclosure and common interest agreements. The common interest doctrine is an extension of attorney-client privilege: it allows parties who share a common legal interest, such as an insurer and its insureds, to exchange privileged communications as part of a joint defense strategy without waiving the privilege. Note that the doctrine protects communications that are already privileged; it does not by itself make operational data, such as raw indicators of compromise, privileged.

This approach allows real-time dissemination of indicators of compromise and other sanitized threat and event information to the members. Combined with expert-curated threat intelligence from trusted sources such as InfraGard, law enforcement, and Information Sharing and Analysis Centers and Organizations (ISACs/ISAOs), CRC members have the information and resources they need to stay ahead of our adversaries. Members can therefore better protect themselves, reducing their individual risk, the overall risk of the captive, and ultimately the insurance costs to members of the captive.

As an optional component, the captive can also make the Rapid Response Defensive Network (RRDN) available to members. RRDN is a combination of carefully curated resources, including incident response teams, legal teams, crisis management teams, consultants, managed service providers, cloud services, and software. These are offered at discounted rates, and some are available at no cost to members as part of an incident response.

Comprehensive Coverage & Financial Transparency

With a captive insurance arrangement, members can design comprehensive, tailored coverage that provides financial protection in the event of a cyber incident. Members also gain visibility into the operational and management costs of the captive, which helps them understand the financial impact of their cybersecurity-related investments.

A cyber insurance captive focused on the defense supply chain could prove immensely successful, helping protect all Americans while reducing the overall economic burden of cyber protection. By enforcing strict security standards, fostering transparency, and actively sharing threat information among CRC members, we can create a proactive and resilient defense against cyber-attacks. This collaborative and supportive approach not only protects the individual organizations involved but also contributes to our national security. By providing the necessary support and resources, we can fortify the cybersecurity landscape for all while giving the leadership of our member organizations the peace of mind they need to sleep at night.