The recent WannaCry ransomware attack made a lot of companies wanna cry. As such attacks become more frequent and gain scale, cyber insurance promises to be the next blockbuster in the insurance industry...
Recently, WannaCry, a ransomware program, infected more than 230,000 computers in 150 countries. Hackers demanded payments in bitcoins to allow users to access their data.
The attack hit several large companies, including a major American parcel delivery company, a European car manufacturer and a Spanish telecom company. It disrupted the operations of Britain’s National Health Service and affected some operations of German rail network Deutsche Bahn, among others.
The incident again highlighted how vulnerable companies are to cyber risks – be it a technical glitch, a human error or a cyber attack – and the business interruption that usually follows.
Reuters reported that the total cost of resuming operations could run into billions of dollars for companies, with European and Asian companies particularly vulnerable. As such attacks become more frequent, companies are becoming aware of the need to protect themselves – not just from such attacks but also from the losses that they could bring.
This is why cyber insurance promises to be the next blockbuster in the insurance space, says Hartmut Mai, Chief Underwriting Officer for corporate lines at Allianz Global Corporate & Specialty (AGCS).
While cyber insurance is already a mature market in the United States with an estimated premiums volume of $3 billion, it is still an emerging segment in Europe and Asia.
The need for cyber coverage
Technology is a double-edged sword. On the one hand, it makes processes easier and less time-consuming; on the other, it opens companies up to new risks. Industrial companies are increasingly interlinking their equipment and processes – the so-called Internet of Things (IoT) – to improve their operations but this exposes them to the greater risk of business interruption in case of an attack or a glitch.
“The more the industry integrates supply chains and processes, and digitalizes production into ‘smart factories’, the more vulnerable the long-established industrial companies become as well. For them, the risk of business interruption tends to be paramount,” says Mai. The threat doesn’t always come from hackers. Many a times, it’s just a technical failure or an employee deliberately or accidentally introducing viruses or paralyzing computer systems.
When a crisis unfolds, compensation for financial loss is important, but the support services that often accompany cyber insurance are invaluable. Computer forensics, data and systems recovery as well as professional crisis communication can help a policyholder get back on its feet quickly. “Assistance services, which we provide ourselves or through our partners, are therefore becoming increasingly important,” says Mai.
Of course, developing solutions for new risks comes with challenges. Given that cyber crime is a relatively new threat, the insurance industry needs to tread with caution in developing such products.
“We lack historical claims data because it involves an insurance product that is still relatively new in our portfolio. Also, companies shun publicity when they have been victims of a hacking attack because they are worried about their reputation. The duty to report incidents is developing in Europe only gradually,” Mai explains.
The portfolio management of cyber risks is also challenging and the accumulation risks are enormous. Through the digital networking of companies and supply chains, an incident at an individual company can quickly spread like wildfire, immobilizing entire industries.
Imagine the operations of an energy provider or a cloud services provider are disrupted due to a cyber attack. It will trigger numerous policies - not just cyber policies, but also other coverage if property damage and business interruption occur.
“At the moment, the accumulation risk is still manageable because not even 10 percent of companies in Europe have cyber insurance yet,” Mai points out.
However, just like director and officer (D&O) liability coverage, cyber insurance is expected to become the standard for European companies over the medium term. “Cyber insurance will be a blockbuster – and we must prepare ourselves for it. When the much stricter data protection regulations take effect in Europe in 2018, not just big corporations but also mid-market and smaller companies will want to buy cyber coverage,” Mai says.
Other Allianz subsidiaries such as Allianz Germany and Allianz Suisse have recently started offering dedicated cyber products for small and mid-sized companies. Allianz Germany, for example, offers cyber insurance for companies with an annual revenue up to 150 million euros. For ransomware attacks such as WannaCry, a customer also needs to buy cover for extortion incidents, which Allianz Germany offers as a special cover.
Data as a tool
According to Mai, insurers have to consider evaluating the technical standards and the information technology maturity of a company differently. “Individual risk dialogues and detailed IT and process audits that we usually do for large companies would be too complex for smaller and mid-sized companies,” he says.
“Going forward, we aim to increase our automated cyber risk analytic capability by cooperating with data analytics companies. They use IP address-based screening, linguistic algorithms and other comparable methods to evaluate the level of IT security of a company. Such cyber resilience ratings could especially help us offer cyber coverage to small and medium-sized businesses and retail clients through digital distribution platforms,” Mai adds.
C for cyber strategy
Given the frequency of cyber events in the recent past, there’s no denying that cyber security and related insurance will soon become an important part of corporate risk management strategies.
“In 2016, AGCS generated premiums in the mid-range double-digit millions with our cyber policies. Demand and policy transactions continued to increase significantly in the first quarter. No management board member or Chief Information Officer has any doubts about the danger anymore even if their IT security is state-of-the-art.”
The market is gathering steam and we will likely see more modular cyber solutions that can be adapted individually to a particular company.
At the moment, AGCS limits its share of cyber coverage to 100 million euros per client as the market is still new and the risks are harder to assess. For individual companies, up to 500 million euros capacity is available in the cyber insurance market.
As a new ‘normal’ emerges, companies may not be able to completely avoid the bite of bytes. What they can do, is ensure that the pain is minimal.
This article was orginally published on allianz.com