Financial damages related to hacker attacks can total in the millions for some firms. Insurers end up covering the costs — so how do they put together their policies for cybercrime?
Digital Insights: Hardly a day goes by without some sort of news report on a major hacker attack on a business. Sometimes data is stolen, in other cases entire networks are brought to their knees, as happened last summer to the German Bundestag. Mr. Graß, you represent the German Insurance Association – how are German insurance companies reacting to this situation, which is unprecedented in its scope?
Peter Graß: Naturally we're watching both the increase in the frequency of attacks and the rapid rise in public awareness. On the one hand, insurers face their own challenges as the guardians of a great deal of customer data: we must constantly review the security of our own systems — and we do so. On the other hand, the risk of cyber-threats also represents an opportunity for insurers: we develop products and solutions that help companies protect themselves against this kind of new threat. For industrial firms there are already a number of insurers that have been active for years offering insurance protection in this area.
Digital Insights: In light of the nearly comprehensive networking of systems, experts are warning against rising dangers related to the Internet of Things and Industry 4.0. What is the insurance industry's perspective on this digital future?
Graß: Networked production systems are already a potential attack vector for sabotage or industrial espionage. The same security requirements must be applied here as found in the rest of the company. We continue to explore whether and how a joint technical standard might help in this regard.
Digital Insights: Is cyber-insurance solely something for large-scale industry?
Graß: No, the topic affects everyone. Small and mid-sized firms often find it difficult, however, to maintain their own large IT security departments. But there can be no insurance policies against cybercrime without IT security. SMEs must massively rework their processes if they want to benefit from insurance. To date there has also been a lack of accepted security standards that offer sufficient protection for small companies without overwhelming them. When you're dealing with a large industrial firm, risk can be determined individually and an appropriate policy formulated. For the mass market, standardized insurance solutions are required to insure many small and mid-sized firms against risks. Within the association, we're developing a set of non-binding template conditions for cyber-insurance. But we still need some more time for this, since it's a thoroughly complex task to bring together the insurance-related requirements with the reality of constantly advancing technology — and to delineate the cyber-insurance product cleanly from existing insurance solutions.
Digital Insights: Can you explain to us how insurers calculate potential claim volumes? That's new terrain even for your experts. How do you formulate a realistic basis?
Graß: In principle, from an insurer standpoint cyber-insurance is no different than insuring against flooding: you have to examine the business. What risks are involved? What damages and claim sums could arise? And how likely is a claim? So for cyber-insurance you'd look at what length of IT outage times are considered tolerable and how much customer data the company has stored. And you have to look at how the company is protecting itself against threats; whether for example there are emergency plans and the IT infrastructure is armed against attacks.
Digital Insights: From an insurer's perspective, are commercial enterprises taking this threat seriously enough?
Graß: You can definitely say: the bigger the company or the more it's exposed — I'm thinking here of online retailers — the greater the risk awareness. In many cases companies are still being too casual about these threats. For small and mid-sized companies in particular there are still far too few who have secured themselves sufficiently. And that's a problem for insurers as well. Because without the right preventative measures the insurers can't offer the companies a solid insurance protection against cyber-threats. Accepted security standards could help here in showing small and mid-sized firms which protective measures are economically feasible and acceptable for their company. The VdS, a subsidiary of the GDV, has proposed the "VdS-certified Cyber-Security" guidelines, a standard that could offer SMEs appropriate protection from cyber-hazards, attested through a certificate from an independent institution. We're certain that this seal of approval would be very well received on the market.
Digital Insights: The Bitkom association estimates annual damages of roughly 51 billion euros. Wouldn't the insurance industry be overwhelmed by those kinds of damages and claim sums?
Graß: No, that's not something I'm concerned about. When talking about those figures you must always take into account that not all claims that are submitted fall under the insurance protection of a cyber-policy. In some cases, for example, they include estimated damages from patent rights violations. You'd do well to regard those as rough estimates at best.
Beyond this, an insurer would only sign off on risks that it could actually cover in a worst-case scenario. As such, the insurer must keep in view how many policies currently in the portfolio could potentially be affected by one single attack, known as the cumulative risk. But naturally new products such as cyber-insurance must be designed carefully, with special attention paid to claims trends.