May 2017: Tens of thousands of computers from businesses, government agencies and consumers are paralyzed by a global cyber attack. British hospitals had to transfer patients. In Germany, Deutsche Bahn was hit. In the summer, the world’s largest shipping company Moeller Maersk was hit by another cyber attack and was unable to take orders. Such reports are now part of the daily agenda.
At a safety conference, the University of Berlin showed how easy it is to penetrate company networks in order to transmit its own commands to the control devices of the production machines and thus manipulate entire factories. Countless sensors are already integrated into production machines, cars, security cameras or household goods. According to Gartner, there will be around 26 billion networked devices by the end of 2020.
Insurance companies have been dealing with this topic for several years. According to a KPMG study, with an annual premium volume of up to EUR 26 billion, Cyber is becoming the largest insurance line in property-casualty business in Germany, Austria and Switzerland. In comparison, the gross premium income of the German motor vehicle market amounts to approx. EUR 25 billion.
Is cyber really an interesting and high potential market for the insurance industry or will the complex risk issues lead to restraint? The course of time will give us an answer. Today we are more interested in the question of what is behind Cyber and what challenges need to be mastered.
A uniform definition that is generally accepted does not exist. An answer to this question is obtained by looking at the insured risks from the policies. The scope of cover and benefits of the policies includes, for example:
- damage to data,
- theft of data,
- unauthorized publication of data,
- help with data recovery,
- business interruption,
- PR and crisis communication,
- notification of customers, service providers and other affected parties,
- Reimbursement of costs in the search for causes, i.e. costs for IT forensic investigations by IT security specialists,
- data rights violations,
- resulting liability claims,
- costs of litigation,
- help or compensation in the event of misconduct on the part of employees or breaches of company secrets,
- reimbursement of the costs of cyber blackmail,
- cloud failure.
The insurance broker Dr. Sven Erichsen of Erichsen GmbH in Essen defines cyber insurance as follows:
“Cyber-insurance deals with the consequences of unauthorized use of IT systems or data protection incidents, for example in the case of
- unlawful appropriation and misuse of data,
- the intrusion into technical systems for the processing or transmission of information and their damaging influence,
- the consequences of the appropriation of foreign identities,
- cases of bullying and damage to the reputation of natural and legal persons in the digital world,
- operating errors.”
The list of insurable risks could be supplemented by further cover possibilities. However, each industry has different focal points to which insurance solutions must be adapted. Therefore, it is not possible to approach customers with a ready-made standard solution. As a rule, manufacturing companies would have a greater need for insurance in the area of business interruption. However, if the customer works more with data of third parties, such as hospitals, department stores, online shops or hotels, the focus is usually on the handling of personal data (e.g. credit card theft from POS systems).
One challenge is therefore to work with the customer to pick the precisely fitting, individual modules and put them together in a tailor-made manner that the customer actually needs for his business.
The above definition gives rise to three significant, partially overlapping forms of cyber risks:
- IT-controlled processes can be disrupted or brought to a standstill.
- The rapidly increasing amount of data stored can be stolen and used illegally.
- Cyber attacks can affect several companies simultaneously, regardless of their geographical location.
These characteristics, which can take place simultaneously, lead to another challenge, namely the cross-line risk assessment for a specific company. This risk assessment must take place in connection with the cumulative interaction of the individual characteristics and at the same time of the individual divisions. These are for example shared systems, shared software, outsourcing of sub-areas, involved persons, processes, involved areas such as human resources, production, logistics, purchasing or external areas such as cloud providers or partners from the supply chain.
Christoph Guntersweiler, Head of Engineering Insurance at Helvetia Switzerland, sees cyber risks as “mutating risks”:
“The risks are constantly changing. Accordingly, risk management must be reassessed on an ongoing basis.”
To give just one simple example: in almost every machine controller there is a USB slot for direct access to the machine controller with the appropriate devices. Even if no data is to be transmitted in a specific process but only the battery of a smartphone is to be charged – when plugged in, a connect occurs which can lead to a security risk. Especially if a malware is installed on the smartphone which exploits this connect and penetrates the control system (partly in unawareness of the smartphone owner). The concept of such open systems leaves security gaps and forces companies to rethink; whether they like it or not, they must severely restrict access to their systems. The industry must learn to better protect its intelligent and networked devices.
Questions to Christoph Guntersweiler:
What about the accumulation view? Are we not dealing here with cross-industry accumulation risks, which represent a new dimension compared to other insurance products?
Christoph Guntersweiler: “Yeah, that’s right. Take the example of a cloud or data center operator. Here, a loss event can affect several companies at the same time because, for example, they have a business interruption due to a cloud failure. Or let’s take the example of ransomware: if it is distributed over a large area (as seen last summer) via an infected software update, so that a “single” event simultaneously hits the entire cyber portfolio regardless of geography.”
How should insurance companies address this issue with their customers?
Christoph Guntersweiler: “In our opinion, it is important that customers are technically and organizationally positioned accordingly. The insurance solution itself can only supplement the technical and organizational measures. Insurance should require a minimum, specific security standard, also in coordination and cooperation with appropriate IT security companies. We are convinced that this interaction of all parties involved will lead to the best results for the customer.”
Christoph Guntersweiler, thank you very much for the interview.