Cyber Insurance FAQ

Cyber Insurance FAQ


As the Fourth Industrial Revolution progresses, driven by widespread use of mobile technologies, cloud computing, corporate bring-your-own-device policies, big data analytics, and 3D printing, risks are evolving; so Cyber Risks emerge as one of the fastest growing risks for governments and companies across the globe. Equally or perhaps even more important is the growing realization that cyber risk, in some instances more pervasive than traditional exposures, is present wherever organizations use technology to keep in touch with people, suppliers, customers, and governments.

In light of these changes , our aim is to find out what large forward-thinking companies around the globe think about cyber risk and ascertain their attitude towards managing it. The most relevant surveys about risk management underlines how the cyber risk is perceived as arousing between relevant companies, and SMEs. These consequences potentially lead companies to have a more holistic approach to cybersecurity to improve their grade of conformity to sector specific frameworks or best practices and furthermore to protect their balance sheets from cat-events.

Cyber attacks With the aim to handle effectively cybersecurity risks, there will be an increasing demand for cyber security risk assessments, even with the aim to be compliant to a corresponding certification management system, but also to set-up proper mitigation strategies (as Cyber Insurance solutions) to face the impact of residual risks that can affect the companies’ continuity and in some cases their life itself.

A recent publication from ENISA “Cyber Insurance: Recent Advances, Good Practices and Challenges” underlines the “ last line of defense” as one of the ways to manage risks. In fact Cyber insurance has the main role to address risk that cannot be reasonably mitigated by remediation plans and technological, organizational or security measures.

While Cyber Insurance Carriers initially started with limited products/warranties, they have recently developed solutions to cover more and more types of cyber risk and of their financial consequences.

Cyber insurance Cybersecurity insurance is a relatively new type of coverage, which explains why it’s often misunderstood. That’s why maybe currently, if compared with other insurance sectors, cyber insurance appears to have a lower adoption rate, while the growth projections remain high. Projections estimate the global cyber insurance coverage is expected to double or triple over the next few years, growing from its current estimated $1.5 billion to $3 billion in U.S. premiums, some predict sales could soar $ 7.5 billion in annual sales by 2020 and over $ 20 billion by 2025.

The cyber liability-Response plans involve cybersecurity insurance, a policy designed specifically to trigger when a security incident occurs.

To detail the scope and to clarify some doubts of the reader, please find here below 10 FAQ about Cyber security insurance and the relevance of the Insurance Brokers in this field.

Cybersecurity insurance is a kind of standalone coverage. It helps companies to recover from a data loss, loss of profit, additional costs to face reputational issues or crisis management, liabilities, … caused by a security breach or other cyber event, such as a network outage or service interruption. Cybersecurity policies are different from property or general liability policies because these traditional policies usually exclude cyber events as triggers of a property or liability loss. Cybersecurity insurance is important to build a comprehensive strategy for risk management and response.

No business is immune to cyber attacks, network outages and data breaches; in fact, many studies show that small businesses are victims of 71% of cyberattacks. The impacts are often devastating, ranging from lost business opportunities to customer revolt, and from a damaged reputation to stolen data and funds. Repercussions can even extend to loss of employment, as Target’s former CEO discovered. Considering these potential repercussions, cybersecurity insurance may be a wise investment for your company. It mitigates many of the costs associated with investigating and resolving a security incident, and it helps a business return to normal operations quickly protecting your balance sheet and helping recovering your reputation.

Cybersecurity insurance warranties comes in two types: first party and third party. Most insurers offer policies that combine features of both, but not always. Many carriers also write provisions and exclusions into first or third-party policies, so businesses should carefully choose their cybersecurity policy to define the real needs (or if already underwritten, read it carefully to understand what is covered and what not, which coverage limits, which exclusions, …) . A cybersecurity plan that focuses on first-party coverage is what most businesses will need. It protects against losses suffered by the insured and can include reparations for some of the following incidents:

  • Damaged or lost digital assets, such as data and software
  • Lost business opportunities or increased operational costs due to an interruption of the insured’s computer systems
  • Cyber extortion if the hacker holds the insured’s data for ransom
  • Money stolen through an electronic crime (if included)
Third-party coverage typically cover costs associated to liabilities due to the following events:
  • Security breaches of employee confidentiality
  • Lost customer data and information
  • Customer notification after a security breach
  • Public-relations efforts as well as combatting defamation and intellectual-property violations.

Cybersecurity policies are relatively new and still growing, but some exclusions are more common as theft of intellectual property, lower sales due to damaged reputation, crimes. These shortcomings may change, but cybersecurity insurance is so new that underwriters remain unable to easily and accurately assess risk. As a result, they exclude items—such as product designs, software code and reputation loss—that are hard to quantify.

The best way to determine what kind of cybersecurity insurance your business needs is to perform a risk assessment and impact analysis. Businesses should carefully review their assets—including financial and customer data—as well as intellectual property, and categorize them as high or low risk. But also try to develop quantitative approaches to understand which needs of coverage they have to set-up proper insurance limits.

They should also recognize their main points of vulnerability during this process. The recent attack on Swift, which was once considered a highly secure financial messaging system, showed how hackers can exploit vulnerabilities in a system to steal a company’s physical assets.

Finally, business owners should visit with legal counsel and other department heads. Doing so will provide more insight into the implications of a data breach and pinpoint which assets are critical to safeguard when developing a risk-management strategy.

Businesses should work with a cybersecurity-insurance broker who has proven experience and expertise in designing/selecting a cyber policy. This individual will be able to offer advice about different policies, prices and exclusions, allowing businesses to choose the coverage that best fits their needs.

The perceived risk exposure of cybersecurity insurance is high, so it is currently available only through major carriers like AIG, Beazley Chubb, Allianz and UnipolSai and Generali (these insurance carriers are directly active in Italy, but there are more than 70 insurance carriers in the EMEA area). These companies have both the means and willingness to cover filed claims. The options will likely grow, however: as cyber threats increase, so does public demand for standalone coverage.

Insurers price cybersecurity coverage using the same method that they employ for traditional insurance packages. Underwriters analyze the insured’s risk and company’s risk management policies accordingly.

But pricing cyber insurance can be more challenging. Underwriters have a few data available, making it difficult to accurately assess risk, for this reason is very important to perform a cyber security risk assessment, preferably quantifying the impacts of cyber security incident scenarios, otherwise the price to pay and the scope to be secured could be seen as a black box by the insurer.

The premiums are risk-based and represent a high risk because they generally ensure the purpose of the "black box" of companies and for this reason may require large payments. However, insurance premiums for cyber security have increased significantly in recent years.

A cutting-edge and cost-cutting approach is to adapt policies to the needs of companies to create a tailor-made policy. The lack of actuarial data underlines the need to carry out qualitative assessments or rather quantitative assessments of a company's Cyber risk.

Although cybersecurity insurance doesn’t follow the new usage-based model of auto insurance, there are still ways to reduce premiums. One is by implementing best security policies and practices for your business. The Department of Homeland Security urges businesses to adopt preventative cybersecurity measures and encourages insurance companies to base premiums on the insured’s level of self-protection.

Hacks and breaches are on the rise, but businesses can make two types of offensive moves. First, they can adopt best security practices. Second, they can develop a robust recovery plan that prominently features cybersecurity insurance. These two tactics will not only help guard against cyberattacks, but they will also help get businesses back on their feet quickly if their data is compromised.

Events

27/11/2018 to 28/11/2018
Cyber Investor Days

On 27th and 28th November in Berlin, Germany, ECSO is organizing in collaboration with Secunet and TeleTrusT, the Cyber Investor Days.

The most promising European cyber security start-ups and SMEs will have an opportunity to pitch their solution and meet the influential German and international investors during strategic business matchmaking sessions.

CYBER INVESTOR DAYS will be officially opened by Andreas Koenen, Director General of the Cyber and Information Security Directorate at the German Ministry of Interior, and Clemens Kabel, Investment Director at IBB Investment.

13/12/2018 to 14/12/2018
Call for Papers: Halfway Through the Digital Single Market Strategy: “Bedrock of Trust” or illusion?

Call for Papers

The Law Faculty of the University of Lille cordially invites junior and senior researchers to participate in a conference held as part of the Horizon 2020 project “TRUESSEC.eu”, on the 13th and 14th December 2018. The conference will be hosted by the Law Faculty.