The risk of being the victim of a cyber attack has risen sharply in recent years. Against the damage caused by such attacks, firms can protect themselves with so-called cyber insurance. What services do Cyber Insurances offer, who can assure and what should firms know before completing a policy?
Cyber risks get more mature
Media reports on cyber incidents are everywhere these days. Just recently several Swiss online shops have become victims of a large-scale cyber attack. Amongst others, the websites of several online retailers were unavailable for multiple hours. According to the Global Risks Report 2016 published by the World Economic Forum such crimes in cyberspace cost the global economy an estimated US$445 billion, higher than many economies’ national incomes. Thus managing cyber risks should be a top priority for every company.
What happens in a company if a fire breaks out? Smoke detectors go off, the sprinkler system is triggered and employees call the fire brigade. However in some situations even these preventive measures cannot help anymore. In such situations fire insurance mitigates the company’s financial damage. These insights can be applied to cyber risks as well. Managing cyber risks by implementing protection measures and control systems are crucial for every company. But in certain situations, only cyber insurance can alleviate the financial damage of a cyber attack. The insurers financially support the firms to analyze the actions of the hackers, to plug leaks and recover data. Depending on the policy they even insure for damage to customers and provide legal staff and cyber crime experts.
Insights on Swiss Cyber Insurance Products
In Switzerland insurers started to develop cyber products only a few years ago. Most of the solutions are very much customized and can include almost every cyber risk, depending on the insurance rate. Denial-of-Service-Attacks, Recovery of stolen, destroyed or damaged data after a cyber-attack and the defense against unjustified claims by third parties are a few very common examples of cyber risks that can be insured with all of the insurance companies compared in the table below. Other risks, like damages due to intentional data changes by employees and theft of data carriers are only offered by selected insurance companies. Protection measures and control systems are a necessary condition of admission for most of the cyber insurances, where the amount of coverage is highly influenced by the quality of risk. Due to the high degree of customization, most of the insurers in Switzerland offer cyber insurances at all price levels, so that each company, no matter the size, should be able to insure their cyber risks.
What should your firm consider?
Most of the products provide an “à la carte” arrangement. This makes it hard to evaluate and select the most appropriate product. With all the options offered by insurers, consider the specific risks against which you wish to insure, and whether you really need all of the coverage being offered. Most variation in prices involves differences in coverage, services performed, risk factors, etc. Prior to selecting the coverage, you should take a hard look at your exposures. Coverage should be selected according to how technology dependent your firm is. An important element to include, especially for small companies, could be the coverage of earnings and income shortfalls due to malfunctions, as lack of income for even a short period may be disastrous.
Three key priorities for tackling cyber threats
If we define Cyber Insurance as the last resort to minimize the financial impact it is still useful to remind ourselves of the three key action points to take into account preventing an incident to happen (see Clarity on Cyber Security for more information).
- Understand the cyber risk: Whilst Cyber Security is on top of many board agendas, companies struggle to properly assess, measure and communicate to what extent their business is resilient against cyber attacks. This understanding is paramount in order to tackle cyber risk effectively.
- Balance people, processes and technology to mitigate the risk: Whereas cyber crime has a strong connotation with “technology”, fighting it effectively requires an integrated and balanced approach involving both people and processes as well as technologies. A study shows, that companies who have a competent responsible person for cyber risks, are less often victims of a cyber attack.
- From reactive to predictive: Given the strategic relevance of Cyber Security, a reactive approach to managing the cyber risk is no longer sustainable. The attention of the board presents an ideal momentum to develop an insight based, risk focused, and predictive management of cyber risk. This included evaluating and selecting the appropriate cyber insurance product to alleviate the potential financial damage of an attack.
- Full survey: Clarity on Cyber Security