With a steady increase in cyber attacks, it is no wonder that insurance companies want to profit by offering cyber-insurance policies not just to companies but also to individuals. However, given the peculiar nature of cyber attacks, insurance companies and their customers face complex challenges.
Risks have been a constant side-effect of human life and of doing business. Over time we have come up with various ways of dealing with them, from simply accepting certain risks, to lowering the probability of a risk occurring, to insuring against its consequences. Nowadays, companies and individuals can buy insurance policies for almost any imaginable risk.
Insurance is a key pillar in many risk management frameworks. So it is hardly a surprise that, with the growing occurrence of and growing awareness of risks related to digital technologies, the cyber-insurance market has been growing steadily over the last few years, especially because damages incurred after cyber attacks were almost never covered by existing insurance policies.
Given the often very high sums of alleged damages after cyber attacks and the interrelated nature of those damages (a weakness in an operating system can affect almost everybody), reinsurance companies were the first aboard the cyber-insurance ship, but they were quickly followed by cyber-insurance policies for companies and individuals.
This development seems like a win-win: insurance companies have found a new market and new products to sell in an otherwise pretty stagnant industry. Buyers of insurance can rest a little easier in the face of new malware, hacking attempts, data breaches etc.
But, as so often, if it sounds too good to be true, it usually is – mainly for three reasons.
First, in contrast to other risks that have been around for much longer, the legal framework surrounding damages from cyber attacks is still very much unclear, beginning with the varying definitions of what counts as an incident. Where do the responsibilities lie when it comes to defending against cyber attacks? What would be a reasonable standard of IT security for the policy to kick in? And what if a cyber attack is state sponsored?
This last question is not as far-fetched as it might seem. In the biggest cyber-insurance case so far, Zurich argued that it does not need to pay out on a cyber-insurance policy for its client Mondelez, as the attack responsible for the damages claimed was conducted by state actors and is hence excluded from coverage under the acts-of-war exemption.
Second, there are conceptual issues that cyber-insurance needs to deal with, foremost how to measure damages and quantify risks. The first challenge, mainly for the customer, is to discover the damages at all, as many cyber attacks are still either never discovered or only discovered after an extended period of time. The second challenge, more for the insurance companies, is to calculate the damages.
While damages incurred because a data center was down for a couple of days might be relatively straightforward to calculate, other questions are much harder to answer. For example, what is the value of a stolen dataset? How would an insurer rate the IT systems of different clients? And how should the scope of a standalone cyber-insurance policy be defined vis-à-vis other insurance policies? After all, at least from a client’s perspective, you want neither to pay for overlapping insurance policies nor to leave blank spots in the overall coverage.
The example of the data center mentioned earlier demonstrates this challenge. Is this covered under the business continuity insurance, or is it part of a cyber-insurance policy? Hence, clear and transparent communication between the issuer and the buyer of a cyber-insurance policy is key to preventing misunderstandings and bad surprises.
Third, given that the recognition of cyber risk is relatively new compared to other risks, there is a lack not only of actuarial data but also of standards that would help insurance companies come up with premiums. For health risks, insurance companies can rely on an extensive dataset indicating what a reasonable premium would be for a client with certain health characteristics (young and healthy people usually pay less than older or sicker people).
Likewise, for fire insurance there are certain standards a client can fulfil that have a direct impact on the insurance premium. For example, a company following best practices such as having a fire extinguisher and smoke detector present will pay a lower premium than another company that does not follow best practices.
However, when it comes to cyber-insurance, we have neither clear standards linking the likelihood of a cyber attack, or the damage it incurs, to certain practices, nor, as yet, enough data to come up with something similar to actuarial tables. Of course, some basic precautions can and should be taken, and they are indeed emphasized by cyber-insurance sellers, e.g. updating software and training employees in cyber-security.
But there is still a lot of uncertainty, which makes it likely that insurance companies will try to be on the safe side and set relatively high premiums for cyber-insurance policies. This, combined with the issue of coverage, reduces some of the benefits for customers.
Cyber-insurance is not a silver bullet that solves all cyber risks for companies or individuals. There is no way around shoring up your own cyber-security instead of opting to ‹buy away› the issue with insurance. Nevertheless, as one of several pillars in a risk framework, cyber-insurance can play a valuable role, especially as the understanding of cyber attacks at insurance companies and among customers grows over time.