Computer security is a driver for insurance and will be even more important in the future, given the growth of cyber-threats. About 8 companies out of 10 suffer computer attacks, sometimes without realizing it. With respect to cyber security, insurance companies can act as both a “lifebuoy” and a “swimming instructor”, as Alessandro De Felice, President of ANRA (the National Association of Risk Managers and Insurance Inspectors), also says in this interview.
IT security also represents an opportunity for insurance, as confirmed by BDO, a major international network of business review and consulting services, which points out that in the US, at the cutting edge of cybercrime, nearly one in three companies has a cyber-risk policy. While completely preventing a cyber-attack is not possible, insurance coverage can serve precisely to protect against events that cannot be planned for in advance. The company must determine what these events are and should negotiate custom insurance cover. A policy can therefore mitigate the economic and financial risks, which can be huge. According to BDO network data, the average annual cost of a business data breach in the US amounts to $4 million. In quantifying cyber damage, several elements need to be evaluated: the cost of repairing and securing systems and data; reputational damage, namely the amount invested in PR and communication activities and the loss of earnings resulting from the damage; any sums paid as a data “ransom” (as happens with ransomware) or monies stolen by attackers. Additionally, the “regulatory” cost must be included: more and more national and international jurisdictions are introducing fines and penalties for companies that are not adequately prepared and equipped for cyber-risk.
In Europe, where this type of policy is less widespread, a key boost could come from the GDPR (the new European General Data Protection Regulation; see the related article), as explained by Lorenzo Mazzei, Partner, Intelligence & Cybersecurity at BDO Italia.
“It will become effective in May 2018 for all EU Member States. The General Data Protection Regulation will penalize companies that do not promptly communicate a data leak, with a fine of up to 4% of the company’s turnover or 20 million euros – the manager said – These are obviously huge amounts that will justify the payment of an annual premium for risk prevention. It is desirable that both the GDPR and the NIS (Network and Information Security) directive will be taken up by companies, organizations and institutions as an opportunity rather than a task, to generate a new culture of risk prevention in Europe and Italy. New policies, not yet widespread, would play a strategic role in this regard.”
Certainly, cyber risk policies are not very widespread, partly because carriers find it difficult to “compete” with such a new kind of risk, which makes the data used to price the risk weak and flimsy. According to BDO, security standards have not yet been developed in cyber security, and this means that insurance carriers currently provide some flexibility and negotiation margin on policy terms at signing. What coverage can a company negotiate with the insurance carrier? Policies can provide coverage for system recovery costs and the associated costs of the necessary investigation; reputational damage; lost revenue; and blackmail or economic theft linked to the cyber-attack. In addition to corporate coverage, insurance cover may also be required in relation to so-called third parties, namely all the companies considered suppliers, customers or partners. In such cases, insurance cover may be taken out against the risk of “contamination” by a cyber-attack from the third party, breach of confidential information or intellectual property, and fines and penalties potentially resulting from a third-party attack.
“There is no doubt that cyber-attacks and data breaches are growing in number and sophistication, causing great concern to large companies and to small and medium-sized businesses alike – Mazzei said. – Given the serious reputational damage a cyber-attack can cause a company, it is clear now that this issue can no longer be considered an exclusive prerogative of the IT department, but rather must be taken into consideration by the board of any company. A truly effective cyber security policy involves all aspects of business, not just technology. This is where the possibility of insuring against business data breaches comes into play, a trend that will drive growth in the insurance industry in the mid-term.”