Risk management and computer security
Does cyber insurance have to be part of the security strategy?
By Bernd Eriksen
Cybercriminals have been very busy in the last 18 months. The threat situation and the resulting damage have never been so dramatic. Yet at present this no longer seems to cause any particular alarm. On the contrary, those responsible in companies have apparently become accustomed to the idea of taking permanent and consistent precautions to avoid worse, and they do so along two parallel tracks.
Obviously, one strategy is to massively upgrade IT security. According to Hiscox's Cyber Readiness Report 2022, spending in this area is up 60 percent from the previous year, and 250 percent from 2020. Without these investments, the damage situation would undoubtedly be even more unfavorable than the current status quo, as can be seen from the sobering figures of the SOPHOS Ransomware Report 2022: the number of companies in Germany affected by a ransomware attack rose within 12 months from 46 percent to 67 percent. At the same time, according to this report, the average cost of eliminating the consequences of an attack has increased in Germany, contrary to the global trend, from 1.09 million euros to 1.61 million euros. This development is expected to reverse in Germany in the foreseeable future.
The other strategy, chosen more and more often, is to cover cyber risk with an insurance solution, since, as the statistics show, it cannot be fully controlled. In this way, the immense costs of a cyber attack can at least be absorbed after the fact. Published figures on the prevalence of cyber insurance protection today vary. Hiscox's 2022 Cyber Readiness Report, for example, reports that 64 percent of all businesses worldwide now have cyber insurance coverage, compared to 58 percent two years ago, although this counts not only separate cyber policies but also cyber coverage included in other insurance products. Either way, it is clear that the insurance solution has established itself as one of the key instruments for defending against the damage of cyber attacks.
Of course, the rapid evolution of risk in recent months has not gone unnoticed by cyber insurers either, not least because they are increasingly having to pay claims due to the growing number of cyber policies. In order to keep operating the business on a cost-covering basis and to prevent the comparatively young cyber insurance product from collapsing just a few years after its introduction, insurers have been emphatically introducing coverage restrictions since 2021 while at the same time massively increasing premiums. Especially for companies that do not yet have a cyber policy, the stringent security requirements imposed by insurers are at the same time creating considerable challenges in obtaining the desired insurance coverage at all.
As a result, the contract initiation process is often tedious and frequently drags on for months. When seeking offers, it quickly becomes clear that today's insurers only want to offer insurance coverage selectively. Rejections are usually justified by the required level of security not being achieved. However, what exactly needs to be improved in order to receive an offer from the respective insurer is rarely disclosed in any detail. A further difficulty in compiling the risk information required by the insurer is that it is unclear to what extent additional information should be provided, especially if the requested security criteria are not fully met, while simply answering the security questions in the negative paints too bleak a picture. In view of these many pitfalls, in practice it is really only possible, especially for groups with a turnover of more than 100 million euros, to obtain coverage that serves the company's interests with the advice of an insurance broker who specializes in cyber policies and has experience in information security. This advice should also include preparatory scans for externally visible weak points, especially as most insurers carry out such checks themselves when reviewing an application. Not all applicant companies are aware of this. It may therefore happen that the real reasons for a rejection are externally visible security gaps that the company in question never considered during the initiation process. However, insurers rarely point this out when rejecting an application.
Before carrying out a market survey on cyber insurance, it is therefore advisable to clarify what minimum IT security requirements each insurer imposes. These requirements increase with the group's turnover. While today it is still occasionally possible to insure companies with a turnover of up to 100 million euros using a rather simplified application process, the complexity of the requirements and the expected degree of compliance increase enormously above this limit. As things stand, the following security measures must be guaranteed throughout the group of companies to be insured:
- Regular safety training for employees (awareness training),
- meticulous patch management,
- a functional backup system to effectively isolate data backup from the rest of the IT infrastructure,
- multi-factor authentication for external access and administrators,
- a management concept that provides a separation into different independent management roles and
- tested crisis management plans.
The requirements of different insurers differ and often include additional criteria. If several offers are then available, a differentiated analysis is required to determine whether the coverage offered is really worth anything. For some time now, some insurers have been imposing fairly comprehensive exclusions in relation to ransomware attacks, even for minor security flaws, limiting insurance coverage for ransomware attacks to only partial amounts and at the same time expecting the insured companies to bear part of the damages themselves.
However, if a company accepts the requirement profile of cyber insurers and aligns itself with their security specifications, it is still possible in the current insurance market to obtain valuable protection against cyber risk with sufficient coverage, tailored to the needs of the group of companies to be insured.
About the Author: Bernd Eriksen has headed the Professional Lines unit at SÜDVERS since 2013 and, as such, he and his team are responsible for the sales and support of cyber, D&O and criminal defense insurance throughout Germany. After four years as a lawyer before the Celle Higher Regional Court, Bernd Eriksen switched to the insurance industry in 2001 and initially established the Hamburg branch of the specialist broker D & O Hendricks GmbH, where he moved into management in 2011.