Michael Schneider
What cyber insurance is all about
While I myself have never worked in the underwriting of cyber products or property/liability insurance, I can, however, see some difficulties that insurers could face in this respect. Underwriting relies primarily on analyzing historical data: based on the claims history, the underwriter tries to forecast how losses will develop in the future. Whether this is done with simple calculations or with sophisticated simulations depends on the line of business; in some areas underwriters rely heavily on statistics alone.
Every underwriter knows that experience rating (pricing a risk from the insured's own claims history) isn't everything. There is also what is known as exposure rating, which prices the risk from its characteristics rather than from past losses. But what is the way forward when no historical data is available and no claims records exist? How does an insurer then calculate a sound rate?
What's more, there's the problem of asymmetric information. A company knows which measures it has taken with regard to IT security – for example, whether there is a monitoring system or a dedicated SOC (security operations center) and whether backups are created regularly. The insurer does not. Questionnaires completed at application time can reduce this asymmetry, but if a claim is later made, it is difficult to prove that the statements given were untruthful. In large companies, it is also often difficult for the company itself to draw up an inventory of its infrastructure with the corresponding monetary values.
Let's take a look at reinsurers. A primary insurer can reduce its risk by purchasing corresponding reinsurance products. Diversification is one of the most important reinsurance concepts with regard to accumulation risk: a globally spread portfolio should bring the exposures into a certain balance. How likely is it that an earthquake in Japan will cause a great deal of damage and that a similar quake will occur in Switzerland at the same time? Not likely at all. But it is precisely this concept that might not work for cyber insurance. A large attack is often global, which means that policyholders in many countries are affected within the same time window, and the losses are correlated rather than independent. So how can a reinsurer safeguard against this risk, or how does it handle it? Cross-financing would be one option until a given product is established and becomes profitable. For a product to be profitable, it must be priced accordingly, and the question of whether a "correct" rate can be calculated arises here as well. Is the risk really tangible? Pricing it requires excellent knowledge of IT, the mathematical skills to perform the corresponding calculations and an understanding of insurance products. Experts who tick all these boxes are thin on the ground.
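To make the accumulation problem concrete, the following is an added worked example (not from the original article). It compares two models of a fictitious portfolio with the same expected loss: one in which policyholders suffer losses independently, and one in which a single global event ("common shock") hits every policy at once. The portfolio size, claim probabilities and the 99.5 % confidence level are assumptions chosen for illustration; the model itself is a standard binomial and mixture calculation, not the pricing method of any insurer.

```python
"""Accumulation risk: independent losses vs. a common shock.

Constructed example. Assumptions: 1000 policies, each with a limit of
1 monetary unit and a 1 % annual claim probability. Both models have the
same expected number of claims; only the dependence between policies differs.
"""
import math


def binom_pmf(n, k, p):
    """Exact binomial probability mass, computed in log space to avoid overflow."""
    if p <= 0.0:
        return 1.0 if k == 0 else 0.0
    log_pmf = (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
               + k * math.log(p) + (n - k) * math.log1p(-p))
    return math.exp(log_pmf)


def independent_cdf(n, p):
    """CDF of the number of claims when policies fail independently (binomial)."""
    cdf, acc = [], 0.0
    for k in range(n + 1):
        acc += binom_pmf(n, k, p)
        cdf.append(min(acc, 1.0))
    return cdf


def common_shock_cdf(n, p, q):
    """CDF of the number of claims under a 'global attack' model.

    With probability q one event hits every policy (n claims at once).
    Otherwise policies fail independently with p_idio, chosen so that the
    expected number of claims is exactly n*p, the same as the independent model.
    """
    if not 0.0 < q < p:
        raise ValueError("common-shock probability q must satisfy 0 < q < p")
    p_idio = (p - q) / (1.0 - q)
    base = independent_cdf(n, p_idio)
    cdf = [(1.0 - q) * c for c in base]
    cdf[n] = 1.0  # every policy is lost once the common shock has hit
    return cdf


def quantile(cdf, level):
    """Smallest claim count x with P(claims <= x) >= level, i.e. a value-at-risk."""
    for x, c in enumerate(cdf):
        if c >= level:
            return x
    return len(cdf) - 1


def expected_claims(cdf):
    """Mean number of claims recovered from the CDF."""
    total, prev = 0.0, 0.0
    for k, c in enumerate(cdf):
        total += k * (c - prev)
        prev = c
    return total


if __name__ == "__main__":
    n, p, q, level = 1000, 0.01, 0.006, 0.995  # assumed portfolio parameters
    ind = independent_cdf(n, p)
    shock = common_shock_cdf(n, p, q)
    print(f"expected claims: independent={expected_claims(ind):.2f}, "
          f"common shock={expected_claims(shock):.2f}")
    print(f"{level:.1%} VaR (claims): independent={quantile(ind, level)}, "
          f"common shock={quantile(shock, level)}")
```

With these assumptions both portfolios expect about 10 claims a year, but the 1-in-200-year loss the insurer must hold capital for is 19 claims when losses are independent and the full 1000 when a global event can hit every policyholder at once. The premium that covers the expected loss is the same; the capital requirement is not, which is exactly why geographic diversification does not rescue a cyber portfolio the way it rescues an earthquake portfolio.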
Of course, the complexity of the insurance benefits also plays a decisive role. What exactly is insured? Only the replacement of equipment? Data recovery? Or also the profits lost due to business paralysis? What is the insurance limit?
Then there's the difference between all-risk and named-perils policies. In the former, everything is covered except the exclusions listed in the General Conditions of Insurance (GCI); in the latter, only the explicitly named events are insured. The GCI are often overlooked, but they can be decisive for whether a claim is covered: what precautions does the policyholder have to take (e.g. due diligence obligations), and what is excluded?
It doesn't hurt to have some legal knowledge concerning the burden of proof either. The burden of proof generally lies with the party that derives an advantage from the fact in question, so it can be decisive whether the policy covers all risks or only named perils. Under an all-risk policy, the insurer derives the advantage from an exclusion and therefore has to prove that the event is not insured (advantage = no claims payment). Under a named-perils policy, the policyholder has to prove that the event that occurred is one of the insured perils (advantage = claims payment).
The NotPetya case in 2017 shows how difficult it is to price cyber insurance and how high a claim can be. The pending Mondelez v. Zurich case, which may set a precedent, could have a significant impact on the future of cyber insurance. According to reports, Mondelez is seeking over $100 million from Zurich. It should be noted that, according to reports, Mondelez did not purchase a stand-alone cyber policy but a property policy that included cyber cover as an add-on. Zurich is invoking the war exclusion, arguing that NotPetya constituted a hostile or warlike action, which the GCI exclude from cover.
Generally speaking, we have to ask whether such economic giants are an insurance company's target audience. On the one hand, they usually have the budget and could generate high premium income; on the other, the insurer must expect enormous losses if and when a claim is made.
Smaller companies might be more "manageable" in this respect, but they often have a less developed security awareness and the risk is less tangible to them. They may also assume that it is not "worth it" for an attacker to target such a "small" company.
In my opinion, cyber insurance will remain an issue in the years to come. But the way in which larger claims develop will probably influence the range of policies on offer. The product itself may also change (with a greater focus on profitable target groups) or insurance benefits may be limited.