Threat Landscape of Cyber Attacks
Ransomware and other cyber attacks will continue to test the resilience of supply chains and business models in 2024. Overall, cyber incidents such as malware attacks, data protection breaches, and IT system failures are among the biggest fears of companies worldwide. The second-ranked concern is the associated risk of business interruption.
Cyber incidents (36 percent of all incidents) are thus the most feared risk globally for the third consecutive year, now with a significant lead (5 percent). Respondents to the Allianz Risk Barometer consider data breaches as the most worrisome cyber threat (59 percent), followed by attacks on critical infrastructure and physical assets (53 percent). The recent increase in ransomware attacks, with a concerning surge in 2023 and a more than 50 percent increase in insurance losses compared to 2022, ranks third (53 percent). In Germany, the concern about cyber incidents and business interruptions is also at the top of the survey. Not surprisingly, in 2022, almost three-quarters (72 percent) or 148 billion euros of the total damage to the German economy caused by data theft, sabotage, and economic espionage alone were attributable to cyber attacks. There are many examples of affected companies, including prominent names.
Why Cyber Insurance?
If a phishing email or a hacker attack paralyzes a company’s IT, it can quickly threaten its existence. Cyber insurance can help mitigate such damages. It is a contract that companies enter into to reduce financial risks associated with online business. For a fee, the insurance policy transfers part of the risks to the insurer. Cyber insurance is recommended for any company that operates with sensitive data and whose business operation depends on the availability of this data.
The first cyber insurance policies were introduced in the late 1990s in response to the increasing reliance on technology and the rise of cyber threats. Initially focusing on data breaches and cyber attacks, over time, providers expanded coverage to a broader spectrum of cybercrime, including ransomware attacks and other malware attacks, social engineering, system failures, and operational disruptions due to cyber security incidents.
What Services Do Cyber Insurance Policies Include?
Depending on the contract, a cyber insurance policy includes the following services:
- Financial Protection: Cyber insurance provides financial protection against damages caused by cyber incidents (see below). This includes expenses for investigations, credit monitoring, potential legal obligations, and other costs related to data breaches. Additionally, it may cover business interruptions, loss of revenue, and the restoration of computer systems.
- Prevention and Remediation: Cyber liability insurance protects companies against the risk of cyber events, including those with a terrorist background. It covers network security and assists in promptly addressing cyber attacks and similar incidents.
- Legal Support: Legal assistance is often included in cyber insurance. This helps companies navigate the complex legal system related to cyber incidents, covering costs for legal representation, compliance, and potential lawsuits due to data breaches.
Other Typically Covered Costs:
- Notification of customers after a security incident.
- Hiring forensic experts to recover compromised data.
- Restoring the identity of customers whose personal data has been compromised.
- Recovering altered or stolen data.
- Repair or replacement of damaged or compromised computer systems.
In addition, there are positive side effects: By obtaining cyber insurance, companies distinguish themselves from competitors by demonstrating their commitment to protecting customer data and actively preparing against cyber attacks. Furthermore, they demonstrate their dedication to high cyber security standards. This enhances reputation and trust among customers, stakeholders, and partners. Ultimately, cyber insurance provides companies with a sense of security by ensuring their financial stability during cyber crises. Companies can focus on their core business without constantly considering the potential financial and reputational consequences of a cyber attack.
What Cyber Risks Are Insured?
Regarding cyber attacks, cyber insurance provides protection against various risks arising from internet use. It’s important to note that the exact scope of insurance coverage varies depending on the provider and the policy. Here are some examples:
- Cyber Fraud: Damages caused by fraudulent activities on the internet, such as phishing.
- DoS and DDoS Attacks: Damages caused by attacks aiming to make a service or website inaccessible.
- Infections by Malicious Software: Damages caused by ransomware, worms, trojans, and other malware.
- Data Loss: Costs for the recovery or replacement of lost or stolen data.
- Violation of Privacy and Confidentiality Obligations: Fines and other costs due to violations of data protection laws.
- Cloud Outages: Damages caused by the failure of cloud services.
Are There Requirements for Obtaining Cyber Insurance?
Interest in cyber insurance is immense in the business world. However, not all companies meet the cybersecurity requirements that insurers now demand. While initially only basic protection was considered a criterion, companies seeking insurance must now demonstrate a high level of protection.
The basis for a required minimum level of IT security includes well-known measures such as regular data backups, individual access controls, protection against malware attacks, firewalls, and timely installation of security updates. However, it now extends beyond technical measures to address organizational and procedural measures. It involves including people, especially through employee awareness training on the topic, making policies (e.g., password policies) known and adhered to, and institutionalizing IT security processes. All this must be measurable and verifiable, with responsibility ranging from top management to each individual employee.
As with any insurance contract, the insurer asks about the risk and may demand additional security measures, which then have to be implemented. Hence the traceability mentioned above is crucial. All identified risks must be reduced or brought to an acceptable level; if this does not happen, the insurer may exclude certain damages from the contract.
For example, a standardized system for managing identities and access rights across on-premise and cloud applications is mandatory. Like good fire protection, a well-implemented access rights system based on IAM (Identity and Access Management) is a foundation for lower insurance premiums. Mechanisms such as escalating violations when incompatible activities are detected, together with measures like a need-to-know role model, safeguard compliance and help document unauthorized access.
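To make the IAM requirements concrete, here is an added example (not from the article or from any insurer or vendor) of a minimal need-to-know role model with a segregation-of-duties check: assigning a role that conflicts with one the user already holds is refused and recorded as an escalation, and every access decision lands in an audit trail that can later serve as evidence. All roles, permissions, users and conflict pairs are constructed sample data.

```python
"""Added example: need-to-know role model with segregation-of-duties (SoD)
escalation and an audit trail. Roles, permissions, users and conflict
pairs below are constructed sample data, not taken from any real system."""

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role model: each role grants only what that job function needs.
ROLES = {
    "accounts_payable": {"invoice.create", "invoice.read"},
    "payment_approver": {"invoice.read", "payment.approve"},
    "hr_admin": {"employee.read", "employee.update"},
    "auditor": {"invoice.read", "employee.read", "audit.read"},
}

# Constructed SoD rules: holding both roles of a pair is an incompatible activity
# (here: the person who creates invoices must not also approve payments).
SOD_CONFLICTS = {
    frozenset({"accounts_payable", "payment_approver"}),
}


@dataclass
class AuditEvent:
    when: str
    user: str
    action: str
    detail: str
    outcome: str


@dataclass
class IAMStore:
    assignments: dict = field(default_factory=dict)  # user -> set of role names
    audit_log: list = field(default_factory=list)

    def _log(self, user, action, detail, outcome):
        ts = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(ts, user, action, detail, outcome))

    def assign_role(self, user: str, role: str) -> bool:
        """Grant a role unless it would create an SoD conflict; log either way."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        for held in self.assignments.get(user, set()):
            if frozenset({held, role}) in SOD_CONFLICTS:
                # Incompatible activity: refuse and escalate instead of granting.
                self._log(user, "assign_role",
                          f"{role} conflicts with {held}", "ESCALATED")
                return False
        self.assignments.setdefault(user, set()).add(role)
        self._log(user, "assign_role", role, "GRANTED")
        return True

    def permissions_of(self, user: str) -> set:
        perms = set()
        for role in self.assignments.get(user, ()):
            perms |= ROLES[role]
        return perms

    def check_access(self, user: str, permission: str) -> bool:
        """Need-to-know decision: allowed only if some held role grants it."""
        allowed = permission in self.permissions_of(user)
        self._log(user, "access", permission, "ALLOWED" if allowed else "DENIED")
        return allowed

    def escalations(self) -> list:
        """Events an insurer or auditor would want to see: refusals and denials."""
        return [e for e in self.audit_log if e.outcome in ("ESCALATED", "DENIED")]


def demo() -> dict:
    """Run a small scenario and return the decisions made."""
    store = IAMStore()
    store.assign_role("alice", "accounts_payable")
    # Second role would let alice both create invoices and approve payments.
    conflict_blocked = not store.assign_role("alice", "payment_approver")
    store.assign_role("bob", "payment_approver")
    return {
        "conflict_blocked": conflict_blocked,
        "alice_can_approve": store.check_access("alice", "payment.approve"),
        "bob_can_approve": store.check_access("bob", "payment.approve"),
        "escalation_count": len(store.escalations()),
        "audit_entries": len(store.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the audit log is the "measurable and verifiable" requirement from the previous section: each refused assignment and each denied access is an entry that can be exported as evidence when the insurer asks how access rights are governed.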
Furthermore, companies are obliged to adhere to applicable legal foundations. For example, the cyber insurance of a medical practice or a hospital is bound to compliance with industry-specific security standards (B3S), the Patient Data Protection Act, and other measures for critical infrastructures.
Certifications are not mandatory, though. While they give insurers an indication of the quality of IT security, since certification requirements imply certain security measures, being certified does not necessarily ease the process of obtaining insurance.
What Factors Determine the Cost of Cyber Insurance?
The costs of cyber insurance are variable, and providing a blanket statement about the amount is challenging. Prices for cyber insurance typically depend on the annual turnover of the insured, the industry, the scope, and type of insurance coverage. In recent years, there has been a significant increase in cyber insurance premiums and payments, attributed to the growing attack surface and the evolution of attack techniques. To receive a specific quote, it is advisable to arrange a consultation with the respective insurance provider or request a quote.