The last few years have seen demand increase for a new growth market in the insurance sector: cyber insurance. Many insurers have jumped on the bandwagon in the meantime, with each of them taking a different approach. Some insurers are building up a completely separate Cyber Division, while others are integrating the product into their Property & Casualty Teams. Some are only insuring small businesses, while others are making the bold move of taking on titans. What is the right approach? What are the biggest challenges? Due to my personal experience in insurance underwriting, I have some questions myself. I will explain some of my own thoughts in more detail in the following article.

While I myself have never worked in the underwriting of cyber products or property/liability insurance, I can, however, see some difficulties that insurers could face in this respect. Underwriting often relies primarily on analyzing historical data. Based on the claims history, attempts are made to forecast potential future development. Whether this is done with simple calculations or using sophisticated simulations, such computations are carried out depending on the business area; sometimes, though, underwriters rely heavily on statistics.

Every underwriter knows that an experience rating isn’t “everything”. There is also what is known as a corresponding “exposure rating”. But what’s the best way forward when there’s no historical data available? No claims records are known? How is a relevant rate calculated in an insurance company?

What’s more, there’s the problem of asymmetric information. A company itself knows what measures have been taken with regard to IT security – for example, whether there’s a monitoring system or a separate SOC (security operations center) and whether backups are regularly created. The insurer does not. Questionnaires completed when an application is made can be used to try to reduce this risk. Nevertheless, it is difficult to prove later on in a claim that statements were not truthful, for instance. In large companies, it is also often difficult for the company itself to draw up an inventory of the infrastructure with the corresponding monetary values.

Let’s take a look at reinsurers. A primary insurer can reduce its risk by purchasing corresponding reinsurance products. Diversification is often one of the most important reinsurance concepts with regard to accumulation risks. Global activities should bring the portfolio into a certain balance. How likely is it that an earthquake in Japan will cause a great deal of damage and that a similar quake will occur in Switzerland at the same time? Not likely at all. But it is precisely this concept that might not work for cyber insurance. An immense attack is often global. This means that countries are affected simultaneously during a similar time window. So how can a reinsurer safeguard against this risk? Or how do they handle it? Cross-financing would be one option until a certain product is established and becomes profitable. For a product to be profitable, it must be calculated accordingly. The question of whether a “correct” rate can be calculated also arises here. Is the risk really tangible? After all, an excellent knowledge of IT is necessary first of all, but the mathematical skills to perform corresponding calculations and an understanding of insurance products are also required. Experts that tick all these boxes would be thin on the ground.

The possible consequences

Of course, the complexity of the insurance benefits also plays a decisive role. What exactly is insured? Only the replacement of equipment? Data recovery? Or also the profits lost due to business paralysis? What is the insurance limit?

Then there’s a difference between all-risk and named perils insurance policies. In the former case, everything is covered except exclusions outlined in the General Conditions of Insurance (GCI), while only the explicitly mentioned events are insured in the latter. The GCI are often overlooked, but they can be decisive for a match in a claim. What precautions does the policyholder have to take (e.g. due diligence obligations) and what are the exclusions?

It doesn’t hurt to have a certain amount of legal knowledge concerning the burden of proof either. The burden of proof often lies with anyone who derives an advantage from the claim. Especially in such a case, it can be decisive whether the insurance covers all risks or only named perils. The insurer is the party that derives an advantage from all-risk insurance and so should prove that a corresponding event is currently not insured (advantage = no claims payments). In the case of a named perils insurance policy, the policyholder is responsible for proving that the event that has just occurred is insured (advantage = claims payment).

Does cyber insurance have a future?

The NotPetya case in 2017 shows how difficult it is to calculate cyber insurance and how high a corresponding claim can be. A pending court ruling in the Zurich vs. Mondelez precedential case could have a significant impact on the future of cyber insurance. According to reports, Mondelez is seeking over $100 million in damages from Zurich. According to sources, the fact that Mondelez hasn’t purchased pure cyber insurance but property insurance with cyber protection included as additional coverage has to be put into perspective. Insurance company Zurich is claiming that a hostile or warlike action that is not covered under the GCI has taken place.

Generally speaking, we have to ask whether such economic giants are an insurance company’s target audience. On the one hand, they often have an appropriate budget available and could generate high premium income, but on the other, insurance companies must expect enormous losses, especially if and when a claim is made.

While smaller companies might be more “manageable” in this situation, they often don’t have quite as advanced an awareness of security and the risk is less tangible. Alternatively, they may also have the idea of it not being “worth it” for an attacker to attack such a “small” company.

Conclusion

In my opinion, cyber insurance will remain an issue in the years to come. But the way in which correspondingly larger claims develop will probably influence the range of policies on offer. The product itself may also change (having a greater focus on profitable target groups) or insurance benefits may be limited.

About the Author

Valérie Kastner studies Business Economics with focus on Risk & Insurance at the Zurich University of Applied Sciences. After several years in underwriting and technical center for insurances, she has been working in IT security since 2018 with a focus on Web Application Security Testing and Social Engineering. (ORCID 0000-0002-9214-572X)

Links

• https://malicious.life/episode/episode-64/
• https://www.handelszeitung.ch/unternehmen/toblerone-besitzer-mondelez-verklagt-zurich-wegen-cyberattacke
• https://www.nzz.ch/wirtschaft/versicherungen-cyber-attacken-sind-schwieriger-als-hurrikans-ld.1482675