Why cyber insurance?
Until recently, the USA has been the biggest market for cyber insurance. The main reason is a legal development that began with the California Database Protection Act of 2003, which required disclosure of any data security breach to each affected California customer whose Personal Information had been compromised. Following this act, many US states now have similar legislation.
And with the new EU General Data Protection Regulation (GDPR), in 2018 Europe will also get uniform legislation in respect of Personal Data and Breach Response. The US legal environment with respect to Personally Identifiable Information (PII) has been the primary market driver for Cyber Insurance in the US. As similar requirements have now been introduced in the European Union by means of the GDPR, we are experiencing a similar demand here in Europe at the moment.
The risk of business interruption
The risk of business interruption is another important market driver. We have noted that some executives are failing to recognize a paradigm shift. Where it used to be possible to revert to manual labour when business automation failed, this option is no longer commonly available. Today, process automation is integrated by means of robots and technology, which can no longer be replaced after a loss by hiring workers at short notice, because they will lack the knowledge, skills, tooling, and space to do the same job at the same cost.
The protection of Information Technology (IT) and Industrial Control Systems (ICS) should therefore be given top priority, because the unauthorized operation of IT and ICS may cause serious business interruptions, as we have seen in recent cyber-attacks (e.g. WannaCry and NotPetya).
During the last couple of years, it has become obvious that "cyber" is part of our everyday life, with more and more things being connected to the internet and more and more business processes being dependent on access to the internet. With this connectivity and accessibility also comes exposure to malicious tampering with your systems. With these exposures in mind, the insurance industry has responded with the development of cyber insurance products.
We cannot say that the market for these products is mature. Therefore, the available limits and capacity are somewhat restricted. However, products such as If's new cyber products are fairly wide in coverage.
The risk is continuously growing and changing
The risk is continuously growing and changing. All companies should be working hard to evaluate the IT security of their systems and operations. The results can be seen in improved security and preparedness for attacks and other incidents, although variations in attitudes and goals make all generalisations difficult.
For us as an insurance company, it is of paramount interest that we have a realistic view of the probability and exposure of our clients' assets that are at risk. Only then can we contribute to your risk management with adequate products and fair premiums. Cyber risks challenge our skills and ability to provide the needed assistance to customers. If P&C has invested in the underwriting and risk management skills to be able to support its clients.
If P&C’s Cyber Insurance Products
If has created three products to cover our clients’ cyber risks. The first one was computer crime insurance sold to small and medium-sized companies by If’s Business Area Commercial. It has been a success and is being developed further.
For larger enterprises and their specific needs, If provides two insurance products. The comprehensive stand-alone If P&C’s Cyber Insurance can be seen as a combination of traditional liability coverage (claims for compensation presented to the insured by third parties) and property coverage (first-party losses sustained by the policyholder itself) though with the difference that a cyber incident is the cause of loss.
The policy wording is built up of ten different coverage sections, of which some are part of the basic coverage while others are optional for the client to buy depending on the needs and exposure of the client. Each coverage section has to be tailored to the client’s needs.
The liability components are:
- confidentiality and privacy liability
- network security liability and
- media liability.
The property component, or more correctly the first-party loss component, is:
- Restoration of data costs
- Incident and breach response
- Business interruption
- Cyber extortion
- Cyber crime and
- PCI-DSS Coverage (PCI-DSS – Payment Card Industry – Data Security Standard)
With regard to insurance jargon: what actually is a cyber incident? In our insurance product, it means a malicious act (e.g., a hacker attack), computer malware (e.g., computer virus), human error (e.g., insured’s employee causing a failure of IT systems), denial of service attack, (unplanned system outage), or theft of data occurring on or aimed at the insured’s
If P&C Property & Business Interruption Programme’s Cyber Endorsement
In If’s studies, it has become clear that for our Industrial clients the main cyber risks are considered to be attacks or incidents through the client’s facility’s industrial control systems and consequential property losses and further losses due to business interruption.
If has developed a cyber product as a new endorsement to fit into a property master policy that also covers our client's Business Interruption. It covers non-physical loss to electronic data and media and consequential Business Interruption.
This product covers only the Insured’s own losses to data and media as well as business interruption and is thus first-party insurance only. The insured causes of loss are:
- Unauthorised access
- Unauthorised use
- Malicious code
- Malicious act
- Denial of service attack and
- Operational and administrative error.
In addition to the actual loss, the insurance covers necessary extra expenses to minimise, avoid or reduce an interruption in service. Of course, to take out this insurance, the client needs to fill in the questionnaire describing the status of the IT Security.
The insurance terms also require the insured to comply with some safety regulations concerning, for example, back-ups and system protection methods.
Cyber insurance could not be sold without assessing the client’s risk thoroughly. There are great variations between businesses and individual clients and the statistics of historical data in this fast-developing risk area give only a faint picture of the risk of an individual client. The assessment also offers the opportunity to appreciate a client’s investments in high-level IT security in the insurance solution.
Nordic Liability Risk Management Specialist, If
Senior Underwriter, If