Is cyber insurance the easiest and most comprehensive solution to cyberattacks?

Ole Sieverding – Photo: Roland Schmidt

In the latest of her Duet interviews, Dr Caldarola, editor of Data Warehouse as well as author of Big Data and Law, and Ole Sieverding discuss the pros and cons of cyber security insurance.

Mr Sieverding, you wrote together with Thomas Kahl a great chapter about liability and cyber security insurance in the book Data Warehouse. Is cyber insurance the easiest and most comprehensive solution to cyberattacks? Does it involve passing on security management measures and processes – such as a CMS (Content Management System) – to an insurer?

Ole Sieverding: Insurance is a risk transfer tool. For identified risks that cannot be further minimised, it may make sense to cover them with a specific insurance product. Insurance can be a good instrument for protection, but it does not help to implement measures, structures and processes in a company to ensure compliance. In this respect, CMS and insurance companies are fundamentally different and not comparable.

According to a Forsa survey, 69% of respondents generally rate the risk of cybercrime as high. For their own company the value is perceived at only 28%. How can this discrepancy be explained?

This is an exciting phenomenon that I would like to explain by looking at an example from another industry. In theory, it is easy to get people excited about more wind turbines as an alternative and clean energy source. When it comes to the question of location, however, enthusiasm quickly dies down due to one's own and immediate concerns because very few people want to have a wind turbine in their own backyard. It therefore seems human to recognise challenges and problems in the abstract and to accept good suggestions for solutions. However, when it directly affects yourself, you might reevaluate from a different perspective.

We have very similar experiences in the cyber insurance industry. The media repeatedly reports on spectacular hacking attacks, such as on local hospitals or tire manufacturers, and in movies, entire metropolises are paralyzed with just a click of the mouse. This creates the misconception that cyber-attacks only affect the "others" or prominent companies, but not yourself.

My opinion is:

"The possibility of being affected by a cyber-attack is massively underestimated"

Ole Sieverding

There is a whole array of insurance types including cyber insurance, financial loss liability insurance, legal protection insurance and directors' and officers' insurance (D&O). None of these is a compulsory statutory insurance. Which one is suitable for a data warehouse? How do they differ in terms of scope of services? And what is the triggering event for insurance coverage?

Admittedly, all of these insurance policies can seem confusing to people who are not familiar with corporate risk management transfer solutions. The question quickly arises: Which coverage should you buy for a data warehouse and which ones don't you need?

Unfortunately, there is no general answer to this because it depends on the individual situation of a data warehouse and the risk affinity of the decision makers. Nevertheless, all of the insurance coverages listed have a direct reference point to data warehouses and should be examined in more detail on an individual basis. They have different starting points.

With cyber insurance, the protection focuses on your own IT system and the data stored in it. If attackers gain access and compromise large amounts of data stored in a data warehouse, cyber insurance will support you in dealing with the incident and will cover the costs.

Financial loss liability insurance protects you against damages incurred by a third party – usually your customer – as part of professional activity. An example of this can be errors or omissions that lead to incorrect interpretation of the data in the data warehouse.

Legal protection insurance covers any legal and court costs incurred. This can be especially valuable in legally uncertain territory: when a lot of data from different sources come together in a data warehouse and are reprocessed, unforeseen legal disputes can arise.

D&O insurance assumes the personal liability of a company's legal representatives if claims are made against them due to a breach of duty. In the event of major damage occurring in the operation of a data warehouse, managers could be accused of not having adequate control systems and quality assurance in place to prevent it. Due to their function, high-level organizations, such as executive boards, within a company are liable with their private assets for the damage caused.

Decisions concerning the appropriate insurance should thus be made with an insurance broker specialising in this field, who will also help you find the best solution from the vast array of offers.

How much do these types of insurance cost and when does it become worthwhile for a data warehouse operator? What precautions should a company take to reduce insurance premiums? In building insurance, for example, it is the location and statistics for break-ins, the bars on ground floor windows, etc. What factors come into play in insurance for damage in the area of information security and data protection? Could it be a CMS and if so, with what features?

Unfortunately, there is no easy answer to this question, as various factors play a role in determining the premium. Whether the costs of insurance and the resulting benefits of risk transfer end up being advantageous for a company can only be assessed individually.

The costs are based primarily on the turnover of the company. Pricing varies depending on the industry, activity, exposure and size.

In general, the following principles apply: no previous damage is the best prerequisite for a low premium – this applies as a rule of thumb for all types of insurance. Especially in cyber insurance, risk carriers are placing increasing emphasis on the maturity of IT security and reasonable preventive measures. Companies that have neglected IT investments in recent years are often no longer insurable at all, even at high premiums.

When it comes to IT security, in addition to preventative measures such as defence against attacks, patch management, access management, network segmentation and data backup concepts, the focus is increasingly also on being proactive, such as attack detection and business continuity management. When it comes to data protection, the number and type of "sensitive" personal data is particularly important for insurers when assessing risk.

All of this information is queried, checked, evaluated and priced accordingly by underwriters of a risk carrier in usually complex processes using risk dialogues and application forms.

Many data warehouse operators feel helpless at the thought of a hacker attack and their operations being shut down as a result of one. Do these insurances only offer financial assistance like standard insurance companies? Or do they also offer experts who help to limit the damage and clarify the situation – i.e. does the insurance also provide you with an outsourced crisis department made up of professionals?

In addition to classic risk transfer involving the reimbursement of costs, cyber insurance offers an additional assistance coverage. Similar to ADAC roadside assistance, cyber insurers usually offer a 24/7 crisis hotline that provides immediate help and support from experienced experts – a sort of personal fire department, should there really be a fire.

As far as I'm concerned, what appeals to me about cyber insurance is the idea of partnership. Because, unlike other insurance policies, the insured company and the insurer are in the same boat. Both have an immense interest in mitigating the risk and solving it quickly so that the claim stays as low as possible. This is possible, especially through courageous intervention and support from IT experts in an emergency. Cyber insurance can therefore be seen as an outsourced IT crisis department, especially for small and medium-sized companies. This usually includes IT forensics, recovery, legal assistance and PR advice. Especially in the exceptional situation of a hacking attack, which for many companies also has a highly emotional component due to their own helplessness, it is reassuring to know that not only the financial aspect of any damage is covered, but that experts are also available to give you advice and support during the process and help you get through the crisis.

According to a Gartner study, global IT security spending in 2019 was US$124.12 billion. Furthermore, according to an IBM study, the average total annual cost per data breach is US$3.92 million, i.e. US$150 per lost piece of data at an average of 25,575 pieces of data. It takes an average of 206 days of identification time alone and an average of 73 days of containment time. Around 36% of the costs incurred are attributable to lost profits. All others are purely internal costs. Does this data suggest that insurance companies mainly finance a company's shortcomings – i.e. lack of information security, lack of data protection, lack of organisation, lack of auditing, lack of forensics, etc.?

I prefer to speak less about inadequacies here, but rather about a learning process that we are all taking part in as part of the digitalisation of our industry and society. It is striking that there is still a wide gap between the theory and practice of information security. In a hacking attack, a company's vulnerabilities are specifically exploited and attacked. Theoretically, all IT security problems have been solved and there is an "antidote" for every attack vector. However, we don't live in a perfect world and mistakes happen or appropriate protective measures are not (yet) implemented. That's why this form of insurance exists.

Insurance companies try to learn from these mistakes and try to better select risks by asking relevant questions. In this respect, companies with a structural lack of information security, data protection, etc. will no longer be insurable and will be eliminated from the market. At first glance, this sounds unfair for companies interested in insurance coverage, but the requirements of insurance companies mean that companies have to prepare better and correct their deficiencies so that we can achieve a higher level of security as a whole.

When does an insurer refuse to cover the damage or even to provide insurance?

In the spirit of partnership between the insured company and the risk carrier, damage claims are usually denied or can be reduced if the policyholder was not honest with the insurer. A classic example is incorrect risk information before the contract was concluded.

Insurance coverage is withheld if the insurer's minimum requirements have not been met. This is exactly where most coverage disputes arise in the event of a claim. If companies do not have to provide accurate information in order to obtain the necessary insurance coverage, disputes are inevitable in the event of a claim.

It is all the more important to be accompanied by an experienced insurance broker when taking out insurance in order to be properly informed about the risks and consequences and, if in doubt, to look for alternative solutions together.

How discreetly can such an insurance claim be handled when there are reporting obligations under data protection law and those affected must be informed?

Based on our own experience, we recommend dealing with an incident transparently and openly. In such cases you can even emerge stronger from such a crisis. Nevertheless, many companies decide against this route and a surprising number are successful in letting their incident, including notification requirements, get lost in the constant noise of other major media events.

In summary, it can be said that there are only different individual insurance policies and therefore only partial solutions for the digital market. The insurance industry, like all other industries, seems to be lagging behind in digital innovation. Can we find more comprehensive solutions abroad?

You call them partial solutions, but I personally prefer to talk about individual options that companies have and can therefore decide for themselves which insurance coverage suits them best. The "one size fits all" approach no longer helps in our diversified industry. With these options, needs, costs and benefits can be precisely determined and weighed against each other in each individual case. Admittedly, this is not an easy or quick process. In my opinion it doesn't have to be because a solid and sustainable solution takes time. With cyber insurance, the insurance industry has created a new way to insure against digital risks in recent years, many of which are still uncertain today and are changing rapidly over time. Above all, the assistance approach, i.e. the IT crisis department mentioned above, brings real added value for the insured companies in addition to the pure payment of claims. At the same time, the minimum requirements of the risk carriers define IT security standards that raise the general information security maturity of our industry to a higher level, thereby driving forward protective measures and contributing to continuous improvement.

To date the last product innovations in the industry have actually come from the US, although with the same divisional definition as in Germany. Cyber insurance is a comparatively young line of business in which we still have a lot to learn. That's what makes it so innovative because new ideas and solutions are constantly being introduced.

Mr Sieverding, thank you for sharing your insights on risk management and the factors involved in insuring information security incidents.

Thank you, Dr Caldarola, and I look forward to reading your upcoming interviews with recognised experts, delving even deeper into this fascinating topic.

About me and my guest

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.

Ole Sieverding

Ole Sieverding is Co-Founder of CyberDirekt GmbH, a Berlin-based Insurtech committed to fighting cyber threats in order to enable the progress of digitalisation. In addition to digital prevention services, the start-up company provides small and medium-sized companies with insurance for cyber risks via tailor-made insurance solutions on an innovative technology platform. As a guest lecturer at the Baden-Württemberg Cooperative State University in Heidenheim, Mr. Sieverding passes on his practical experience on the topic of “digitalisation in the insurance industry” to students in a course on Business Administration Insurance.

