No company is immune from the wrath of cyberattacks these days. So to tackle the threat, businesses are equipping themselves with the tools they need for protection upstream, and so they can get back up and running again after an attack. But more and more firms are also turning to cyber insurance.
2017 saw attacks involving the likes of ransomware on an unprecedented scale. According to a recent survey carried out by French IT security experts association CESIN, 73% of companies were hit by ransomware at some point in the last year. With the sheer amount and capability of cyberattacks rising, demand for cyber insurance has skyrocketed.
A growing market
The global cyber insurance market today is believed to be worth between US$3 billion and $3.5 billion. In 2017, 40% of corporations took out a cyber insurance policy, up from 26% in 2016, according to CESIN. These statistics are largely explained by the aftermath of the NotPetya virus, which cost French multinational Saint Gobain €250 million.
“Taking out cyber insurance can reduce the financial impact of an incident to a minimum, but it will also allow you to carry out a preliminary assessment of the level of security risk, so you can find out the level of maturity of your IT system and its various vulnerabilities” explained Michael Bittan, Cyber Risk Services Lead Partner at Deloitte France.
When a policy is underwritten, the options to cover the risk include loss of personal data (42%), protection of intellectual property (32%), viruses and ransomware (24%), the company’s image (20%), and security incidents (15%).
In 2017, European insurance supervisory authorities, banks, and markets published a report on the vulnerabilities of the EU’s financial system. “The demand for cyber insurance is expected to grow, while cyber coverage products are still relatively new in the market, with limited underwriting experiences. Unlike other types of insurance, there is a severe lack of historical data that can be used for pricing purposes. Therefore, restrictive conditions regarding the policies are often applied in order to contain the underwriting risk,” the report states.
Insuring cyber risk
A report entitled ‘Insuring cyber risk’ published by French legal think tank Club de Juristes makes a number of recommendations for insurers to improve the way they cover cyber risk:
- Speed up their efforts to develop a cyber risk culture
- Clearly explain the content of various policies and help customers to compare insurance offers
- Boost the relationship of trust between insurers and policyholders in managing cyber insurance contracts
- Develop a digital security framework for VSBs/SMEs
- Share details on cyber incidents
- Manage the exposures and cumulative risks of insurers and reinsurers
- Define a set of technical standards at a European level allowing the cyber security level of policyholders to be assessed
- Establish conditions for fair competition between cyber insurers
- Set up a regulatory body and monitor market developments at a European and international level
- Direct public and private investment towards developing a French and European sector of excellence in cyber technology.
Boosting security standards and certifications
Cyber insurance seeks to protect companies against the effects of cyberattacks. And we are seeing cyber insurance policies move along with the times, in view of the growing threat of these attacks.
Security standards today still essentially rest on companies’ being aware of the risks, even though some organizations, such as Operators of Vital Importance, have their hands tied by regulations. The development of cyber insurance requires benchmarks to set the rates, according to the level of protection of required by customers. A company that is certified will simply benefit from a lower price than one that isn’t. Through this process, much like the bonus-malus scheme in car insurance, cyber insurance will promote the adoption of security certifications and standards – such as France CyberSecurity, ISO standards, or SecNumCloud by the French National Cybersecurity Agency (ANSSI), which is perhaps the most demanding of them all.