In 2013 cyber insurance was still a brand new product on the insurance market. At the time, only a negligible minority considered this policy to be useful. In the meantime, the number of online processes in the business world has steadily increased and the risks are no longer under discussion. Furthermore, Europe is placing cyber security high on the agenda with its new privacy legislation (GDPR).
Most companies already know that the GDPR requires a multi-facet initiative. Approaching data privacy risk from a legal, process and data point of view is fundamental. Cyber insurance can be an extra component in this approach and can be the missing link that gives companies the extra guarantee to cover its end to end privacy risk.
We interviewed Tom Van Britsom, cyber insurance expert at Vanbreda Risk & Benefits, to give you insight in the Cyber Insurance state of business. Vanbreda Risk & Benifits is a well known independent insurance broker and risk consultant.
The business world and cyber criminals have both changed. Can you explain?
The increased importance of cyber insurance is a direct consequence of a metamorphosis that has unfolded in two areas over the past few years. First of all, the business world has become largely digitized. Major steps have been taken not only in production processes, but in terms of invoicing and finance. The B2C market has become highly digitized too, with virtually everything now being able to be ordered online.
Second, cyber criminals themselves have become much more professional. In the past, individuals represented the greatest threat in this area. They explored the boundaries of what was possible and tried to corner companies. This initial form of cyber crime has now given way to a more professional form which defies belief. For example, today there are gangs that employ an entire army of hackers and an accompanying call center to hold companies to ransom with maximum speed and efficiency.
How is a cyber policy tailored to this new reality?
Cyber insurance covers damage incurred by a company following a cyber incident. This can be caused by exposure to malware, viruses or hackers, as well as human error by an employee. The consequences are often severe: from loss of income due to interrupted operations, overtime logged by IT staff and the deployment of other professionals to sizeable claims from customers or suppliers affected by the data leak.
Today, cyber insurance is a comprehensive policy which – spurred on by the insurance industry – has adapted to the new context. Initially, there were two separate policies: one covered the insured party’s liability – from fines and notification fees to claims from companies that incurred damage as a result of a data breach or a virus via the insured party’s servers. A second policy was designed to cover personal damage incurred by the insured party, e.g. after operations were interrupted.
Now, however, both elements are combined into a single cyber insurance policy.
In recent years, the policy has been further expanded with new coverage, including cover against cyber theft and telephone hacking. The triggers of this policy have also become broader. Cyber insurance as it stands now can cover the financial consequences resulting from a security breach, human error or natural causes such as lightning.
Furthermore, many extra services have been added to this policy. Insured parties can now turn to helplines for legal assistance, crisis management and IT and PR support. Free scans are also offered that provide insight into a company’s vulnerability to cyber attacks and hackers.
The number of policies is obviously increasing exponentially – But what about the damage incurred?
In 2016, cyber insurance made its definitive breakthrough. Our experts at Vanbreda i.e. noticed that in 2017, the number of cyber policies taken out doubled in comparison to the year before.
The new European privacy regulation (GDPR) clearly creates an incentive for this, as there are substantial fines for those companies that do not comply. Today, administrative fines – along with all costs associated with the obligation of notification – can be insured in a cyber policy.
Unfortunately, many companies have recently been confronted by (attempted) cyber crime. This has also served as a wake-up call.
Vanbreda’s damage figures, and those of a few major cyber insurers, do not lie: one in thirteen of those insured have submitted a claim in the past five years. Our own figures (see graph below) show that 43% of the cases involved CryptoLockers. A data breach was the cause of just 5% of the claims, although that number will undoubtedly increase in 2018. From May 2018 onwards, an obligation of notification will apply for data leaks under the GDPR legislation.
There are two damage categories. One involves CryptoLockers. Although they are now quite common, the damage is fortunately limited to up to EUR 10,000. The other form of damage is increasing all the time, with instances of cyber theft where one million euros disappears or operations are interrupted for a period of days or weeks. The financial impact of this is huge. In Europe, there have been several well-known examples of cyber damage leading to millions of euros being lost.
What does the cyber insurance future hold?
The previous graph, with data from 2017, will almost certainly look completely different within a few years.
Due to the obligation of notification for data leaks, this type of damage will join the top three. In addition, Europe will impose fines amounting to up to 4% of global turnover in the event of data leaks following non-compliance with the GDPR regulation. This will also become evident in the amount of damages paid out.
It is clear that legislation is tightening and ignorance will no longer be accepted. Neither the government nor the business world is in any doubt of the current risks. In short, the usefulness of cyber policies is no longer under discussion.