Maintaining a strategy for mitigating common risks is an integral part of any business, and naturally this also includes cyber-risks. Cyber-resilient organisations have state-of-the-art security systems, contingency plans to minimise damage during a disruption, and maintain updated data systems. These are all vital elements of being cyber-resilient.
However, cyber-attacks may be unpredictable, and it is difficult to maintain a water-tight security system. This is where cyber-insurance enters as a potentially valuable part of the risk management strategy.
What is cyber-insurance?
Cyber-events have become a risk that form part of the day-to-day business of many organisations. Still, cyber-events rarely result in catastrophic consequences, as most organisations have procedures and security systems for dealing with them.
However, even the most robust cyber-security practice cannot avert every possible disruption, which means that the risk of downtime, damages and loss is inherent in any organisation that is reliant on IT.
The cost of a cyber-attack can be monumental. Cyber-insurance is an insurance which is meant to protect the insured organisation from some of the consequences of an attack. Therefore, cyber-insurance can be an important addition to the risk management system and other insurance policies the organisations already have in place.
What coverage do cyber-insurance providers offer?
Typically, the insurer will provide assistance to the insured organisation during the attack. The insurer often offers 24/7 emergency helplines with IT-expertise on standby. The aim of this service is to stop the attack and prevent data from being extracted from the organisation’s systems. The IT-experts are specialised in cyber-attacks and may be able to offer assistance which the organisation would otherwise have to contract externally during the attack.
Many insurers also cover the costs of reconstructing lost data following the attack, which is something that ordinary property insurance would usually not cover, as the cause of the damage is not physical.
Furthermore, insurers provide coverage of economic losses which may arise during the attack. Some insurers offer coverage of loss of profits during downtime, although this may require additional premium payment. If the organisation deals with personal information, GDPR may be applicable, and the organisation may be fined if personal data is lost in an attack. Some insurers offer coverage of fines or other liabilities which may be imposed due to the data breach (though the insurance coverage for fines will depend on whether fines from governmental bodies are considered insurable under applicable local legislation).
Many recent cyber-attacks are in the form of ransomware, with the Hydro-attack being a notable example. Hydro never paid the hackers but estimate that the attack cost them several tens of millions of USD. They acquired cyber-insurance after the attack.
Although the advice organisations receive during a ransomware attack is usually not to pay the hackers, law enforcement may strategically want a different approach. The insurers will often also actively provide advice, and some also cover the ransom payable to the hackers while others solely cover the cost of negotiations with the hackers.
In addition, many insurers also provide assistance with related problems the organisation might face during a cyber-attack. For instance, the organisation could require legal assistance or PR-advisors. The insurer could have contracts with leading firms in these areas which may assist the attacked organisation during the recovery process.
Some customers think that a cyber-insurance will cover all losses associated with the cyber-attack, no matter what risk management strategy they have in place. That is not the case, and the insurers often require extensive cyber-security measures to be in place before they underwrite. A cyber-insurance is therefore not a replacement of a sound security system and organisation-wide awareness towards cyber-risks..
Furthermore, the coverage under the cyber-insurance will depend on the policy in question, though it will generally not cover the full exposure in the event of a cyber-attack. In order to cover exposure to a greater extent, the insured will therefore also have to review other policies they have in place.
However, cyber-insurance could be an important complement to the security system as it is impossible to avert all risks. This particularly in a society where technology is rapidly developing, thus exposing users to constantly evolving cyber threats. In addition, it could be an important complement to other insurance policies, especially now that carve-outs for cyber risks have started to appear in regular insurance policies.
Challenges faced by cyber-insurance providers
In a global insurance market with decreasing premium levels due to an abundance of insurance capacity and fierce competition, new insurance products certainly are a great opportunity for insurance providers.
However, cyber-insurance is notoriously difficult to underwrite, and untested policies with unreliable pricing models constitute a potential risk for the insurers – largely due to the undefined limits of potential losses. The true cost of a cyber-attack, including loss of IP-rights, loss of profits during downtime, loss of reputation, fines and legal liabilities as well as potential ransom demands, could run into hundreds of millions of USD for some organisations. For instance, when A.P. Møller – Mærsk fell victim to a ransomware during the summer of 2017, losses were estimated at between 250 and 300 million USD.
Insurers are therefore dependant on flexibility in the insurance policies, which would enable them to avoid covering the most uncertain elements of the loss. For instance, losses caused by a loss of reputation may be impossible to estimate in advance. Coverage for loss of profits during downtime may need to be limited, as it could be difficult to predict the duration of the cyber-attack.
This need for flexibility and exclusions to coverage may come as a surprise to some customers. Cyber-insurance is relatively new, and many customers may not be familiar with the coverage and what cyber-security measures are required in order to remain covered. Ensuring that customers are aware of the limitation of their coverage, as well as providing guidance on how to remain covered, is a challenge insurers face.
Furthermore, insurers need to account for the fact that many organisations do not sufficiently integrate cyber-security in their day-to-day operations. Some may consider it as an issue only related to the IT-department. However, human error is one of the main reasons cyber-attackers gain access to organisations’ systems, often because employees open malicious emails.
Working proactively with the insured organisations in spreading awareness of cyber-security is therefore something many insurers aim to do, in order to prevent the attack from occurring in the first place.
While reports show that purchases of cyber-insurance have seen a tremendous increase the past five years, further increases are to be expected – thus accelerating the process of establishing an outline of stable premium cost levels and market standards for coverage and exclusions to cyber-insurance policies. To this end, the European Insurance and Occupational Pensions Authority (EIOPA) is now calling for a sound cyber resilience network and suggesting that a European-wide cyber incident-reporting database, based on a common taxonomy, could be considered. In the meantime, insurance companies providing cyber-insurance will be able to develop their own cyber-insurance products based on their customers’ reporting and thus build their own database.