Behind almost every digital business model there is a database and, if the scale is large enough, an entire data warehouse. Cyberattacks on these vulnerable data warehouses show that entire companies can be paralyzed. Affected companies then usually feel helpless. Did you know that insurance companies not only pay for the damage, but also support you with professionals in the form of an outsourced crisis department to investigate, limit the damage and safely rebuild the data structure in question?
In the latest of her Duet interviews, Dr Caldarola, editor of Data Warehouse as well as author of Big Data and Law, and Ole Sieverding discuss the pros and cons of cyber security insurance.
Mr Sieverding, you wrote together with Thomas Kahl a great chapter about liability and cyber security insurance in the book Data Warehouse. Is cyber insurance the easiest and most comprehensive solution to cyberattacks? Does it involve passing on security management measures and processes – such as a CMS (Content Management System) – to an insurer?
Ole Sieverding: Insurance is a risk transfer tool. For identified risks that cannot be further minimised, it may make sense to cover them with a specific insurance product. Insurance can be a good instrument for protection, but it does not help to implement measures, structures and processes in a company to ensure compliance. In this respect, CMS and insurance companies are fundamentally different and not comparable.
According to a Forsa survey, 69% of respondents generally rate the risk of cybercrime as high. For their own company the value is perceived at only 28%. How can this discrepancy be explained?
This is an exciting phenomenon that I would like to explain by looking at an example from another industry. In theory, it is easy to get people excited about more wind turbines as an alternative and clean energy source. When it comes to the question of location, however, enthusiasm quickly dies down due to one’s own and immediate concerns, because very few people want to have a wind turbine in their own backyard. It therefore seems human to recognise challenges and problems in the abstract and to accept good suggestions for solutions. However, when it directly affects you, you might reevaluate from a different perspective.
We have very similar experiences in the cyber insurance industry. The media repeatedly reports on spectacular hacking attacks, such as on local hospitals or tire manufacturers, and in movies, entire metropolises are paralyzed with just a click of the mouse. This creates the misconception that cyber-attacks only affect the “others” or prominent companies, but not yourself.
My opinion is: “The possibility of being affected by a cyber-attack is massively underestimated.”
There is a whole array of insurance types including cyber insurance, financial loss liability insurance, legal protection insurance and directors’ and officers’ insurance (D&O). None of these is a compulsory statutory insurance. Which one is suitable for a data warehouse? How do they differ in terms of scope of services? And what is the triggering event for insurance coverage?
Admittedly, all of these insurance policies can seem confusing to people who are not familiar with corporate risk management transfer solutions. The question quickly arises: Which coverage should you buy for a data warehouse and which ones don’t you need?
Unfortunately, there is no general answer to this because it depends on the individual situation of a data warehouse and the risk affinity of the decision makers. Nevertheless, all of the insurance coverages listed have a direct reference point to data warehouses and should be examined in more detail on an individual basis. They have different starting points.
With cyber insurance, the protection focuses on your own IT system and the data stored in it. If attackers gain access and compromise large amounts of data stored in a data warehouse, cyber insurance will support you in dealing with the incident and will cover the costs.
Financial loss liability insurance protects you against damages incurred by a third party – usually your customer – as part of professional activity. An example of this can be errors or omissions that lead to incorrect interpretation of the data in the data warehouse.
Legal protection insurance covers any legal and court costs incurred. This can be especially valuable in legally uncertain territory, when a lot of data from different sources come together in a data warehouse and are reprocessed; in such a case, unforeseen legal disputes can arise.
D&O insurance assumes the personal liability of a company’s legal representatives if claims are made against them due to a breach of duty. In the event of major damage occurring in the operation of a data warehouse, managers could be accused of not having adequate control systems and quality assurance in place to prevent it. Due to their function, high-level bodies within a company, such as executive boards, are liable with their private assets for the damage caused.
Decisions concerning the appropriate insurance should thus be made with an insurance broker specialising in this field, who will also help you find the best solution from the vast array of offers.
How much do these types of insurance cost and when does it become worthwhile for a data warehouse operator? What precautions should a company take to reduce insurance premiums? In building insurance, for example, it is the location and statistics for break-ins, the bars on ground-floor windows, etc. What factors come into play in insurance for damage in the area of information security and data protection? Could it be a CMS and, if so, with what features?
Unfortunately, there is no easy answer to this question, as various factors play a role in determining the premium. Whether the costs of insurance and the resulting benefits of risk transfer end up being advantageous for a company can only be assessed individually.
The costs are based primarily on the turnover of the company. Pricing varies depending on the industry, activity, exposure and size.
In general, the following principles apply: no previous damage is the best prerequisite for a low premium – this applies as a rule of thumb for all types of insurance. Especially in cyber insurance, risk carriers are placing increasing emphasis on the maturity of IT security and reasonable preventive measures. Companies that have neglected IT investments in recent years are often no longer insurable at all, even at high premiums.
When it comes to IT security, in addition to preventative measures such as defence against attacks, patch management, access management, network segmentation and data backup concepts, the focus is increasingly also on being proactive, such as attack detection and business continuity management. When it comes to data protection, the number and type of “sensitive” personal data is particularly important for insurers when assessing risk.
All of this information is queried, checked, evaluated and priced accordingly by underwriters of a risk carrier in usually complex processes using risk dialogues and application forms.
Many data warehouse operators feel helpless at the thought of a hacker attack and their operations being shut down as a result of one. Do these insurances only offer financial assistance like standard insurance companies? Or do they also offer experts who help to limit the damage and clarify the situation – i.e. does the insurance also provide you with an outsourced crisis department made up of professionals?
In addition to classic risk transfer involving the reimbursement of costs, cyber insurance offers an additional assistance coverage. Similar to ADAC roadside assistance, cyber insurers usually offer a 24/7 crisis hotline that provides immediate help and support from experienced experts – a sort of personal fire department, should there really be a fire.
As far as I’m concerned, what appeals to me about cyber insurance is the idea of partnership. Because, unlike other insurance policies, the insured company and the insurer are in the same boat. Both have an immense interest in mitigating the risk and solving it quickly so that the claim stays as low as possible. This is possible, especially through courageous intervention and support from IT experts in an emergency. Cyber insurance can therefore be seen as an outsourced IT crisis department, especially for small and medium-sized companies. This usually includes IT forensics, recovery, legal assistance and PR advice. Especially in the exceptional situation of a hacking attack, which for many companies also has a highly emotional component due to their own helplessness, it is reassuring to know that not only the financial aspect of any damage is covered, but that experts are also available to give you advice and support during the process and help you get through the crisis.
According to a Gartner study, global IT security spending in 2019 was US$124.12 billion. Furthermore, according to an IBM study, the average total annual cost per data breach is US$3.92 million, i.e. US$150 per lost piece of data at an average of 25,575 pieces of data. It takes an average of 206 days of identification time alone and an average of 73 days of containment time. Around 36% of the costs incurred are attributable to lost profits. All others are purely internal costs. Does this data suggest that insurance companies mainly finance a company’s shortcomings – i.e. lack of information security, lack of data protection, lack of organisation, lack of auditing, lack of forensics, etc.?
I prefer to speak less about inadequacies here, but rather about a learning process that we are all taking part in as part of the digitalisation of our industry and society. It is striking that there is still a wide gap between the theory and practice of information security. In a hacking attack, a company’s vulnerabilities are specifically exploited and attacked. Theoretically, all IT security problems have been solved and there is an “antidote” for every attack vector. However, we don’t live in a perfect world, and mistakes happen or appropriate protective measures are not (yet) implemented. That’s why this form of insurance exists.
Insurance companies try to learn from these mistakes and try to better select risks by asking relevant questions. In this respect, companies with a structural lack of information security, data protection, etc. will no longer be insurable and will be eliminated from the market. At first glance, this sounds unfair for companies interested in insurance coverage, but the requirements of insurance companies mean that companies have to prepare better and correct their deficiencies so that we can achieve a higher level of security as a whole.
When does an insurer refuse to cover the damage or even to provide insurance?
In the spirit of partnership between the insured company and the risk carrier, damage claims are usually denied or can be reduced if the policyholder was not honest with the insurer. A classic example is incorrect risk information before the contract was concluded.
Insurance coverage is withheld if the insurer’s minimum requirements have not been met. This is exactly where most coverage disputes arise in the event of a claim. If companies do not have to provide accurate information in order to obtain the necessary insurance coverage, disputes are inevitable in the event of a claim.
It is all the more important to be accompanied by an experienced insurance broker when taking out insurance in order to be properly informed about the risks and consequences and, if in doubt, to look for alternative solutions together.
How discreetly can such an insurance claim be handled when there are reporting obligations under data protection law and those affected must be informed?
Based on our own experience, we recommend dealing with an incident transparently and openly. In such cases you can even emerge stronger from such a crisis. Nevertheless, many companies decide against this route, and a surprising number are successful in letting their incident, including notification requirements, get lost in the constant noise of other major media events.
In summary, it can be said that there are only different individual insurance policies and therefore only partial solutions for the digital market. The insurance industry, like all other industries, seems to be lagging behind in digital innovation. Can we find more comprehensive solutions abroad?
You call them partial solutions, but I personally prefer to talk about individual options that companies have and can therefore decide for themselves which insurance coverage suits them best. The “one size fits all” approach no longer helps in our diversified industry. With these options, needs, costs and benefits can be precisely determined and weighed against each other in each individual case. Admittedly, this is not an easy or quick process. In my opinion it doesn’t have to be because a solid and sustainable solution takes time. With cyber insurance, the insurance industry has created a new way to insure against digital risks in recent years, many of which are still uncertain today and are changing rapidly over time. Above all, the assistance approach, i.e. the IT crisis department mentioned above, brings real added value for the insured companies in addition to the pure payment of claims. At the same time, the minimum requirements of the risk carriers define IT security standards that raise the general information security maturity of our industry to a higher level, thereby driving forward protective measures and contributing to continuous improvement.
To date, the latest product innovations in the industry have actually come from the US, although with the same divisional definition as in Germany. Cyber insurance is a comparatively young line of business in which we still have a lot to learn. That’s what makes it so innovative, because new ideas and solutions are constantly being introduced.
Mr Sieverding, thank you for sharing your insights on risk management and the factors involved in insuring information security incidents.
Thank you, Dr Caldarola, and I look forward to reading your upcoming interviews with recognised experts, delving even deeper into this fascinating topic.