How to insure cyber risks?

Cyber Insurance

Digital economic espionage, sabotage or data theft over the internet have led to increasingly frequent and large-scale losses. The management of these risks belongs to the core duties of top management. Residual risks that cannot be excluded can be transferred to insurers with the purchase of cyber risk insurance.

Cyber Risks

The EUROPOL Report IOCTA 2015 (The Internet Organised Crime Threat Assessment) shows with frightening clarity how organized crime has shifted to the internet and the frequency and intensity with which companies are being threatened. New forms of blackmail are on the rise (ramsomware attacks, DDoS attacks), but also more familiar attacks (hacking, banking troyans, phishing, data theft, industrial espionage, data damage). The German digital association Bitkom assumes that more than half of all companies in Germany have been victims of digital economic espionage, sabotage or data theft. Pursuant to a conservative calculation by Bitkom, the damage caused for the entire German economy amounts to approximately EUR 51 billion Euro per year.

Digital Risk Management at the board of directors and top management level

The topic of cyber risk pertains to the board of directors and top management. Risk scenarios must be recognized and assessed within the scope of risk management (digital risk management). Not all companies are similarly exposed in case of disruption. Risk scenarios vary depending on whether, for instance, third parties such as business partners or cloud-providers are involved or not. Preventive measures must be implemented at the appropriate level (data security, emergency plans, sensitization and education of the employees). However, cyber risks cannot be fully eliminated.

Here, new insurance models offer the possibility to transfer cyber risks and thus to sensibly complement the existing risk management. The market for cyber security insurance in the U.S. is considerably more mature than the European market. This is primarily due to the fact that there is a notification duty regarding cyber attacks in the U.S.. For EU countries, a notification duty will be introduced with the new Data Protection Directive. Pursuant to surveys, around 30% of the biggest companies and approximately 10% of all US companies have cyber risk insurance. MunichRe, the world's biggest reinsurer, assumes that the worldwide business with cyber risk insurances will more than double from approximately USD 3 billion in the next five years.

What kind of protection does cyber risk insurance offer?

Ordinary business liability insurance covers third party losses that are caused due to the fault of the insured. However, only personal and property losses and the resulting consequential damages are typically insured, but not the financial losses that usually occur in connection with cyber risks. Here, cyber risk insurance solutions apply.

Cyber risk insurance covers both third party losses that are caused by the insured (third party insurance), as well as losses to the insured that are caused by the insured itself. (first-party insurance). First-party losses arise from, for example, criminal activities of third parties when data belonging to the insured is damaged or destroyed, or when business activities are impaired or interrupted. Attempted extortion with so-called Ransom software, by which data can be encrypted and for whose decryption the payment of ransom is requested, may also occur.

Third party claims can arise when, by virtue of security deficiencies in their own system, the insured damages or destroys third party data or when business activities are impaired or interrupted. In addition, the loss of personal data of third parties or their unauthorized publication can lead to claims by third parties against the insured.

In cases of loss, cyber risk insurance covers the compensation of justified, and the defense against, unjustified third-party claims. The restoration costs of IT-systems and data, programs and networks that are damaged, blocked or destroyed by a cyber attack, are also compensated. When operations are disrupted (for example after a Denial-of-Service attack), the loss of earnings as well as further costs that are necessary for the continuation of operational activities are usually covered. The same applies to ransom payments. However, not only compensation of the loss caused directly by the cyber incident but also the costs for retaining professional crisis management, external computer forensic analysts, PR experts and specialized lawyers are regularly covered.

What should be considered prior to the purchase of cyber risk insurance?

The spectre of a cyber attack is so widespread that a hedge against all risks is virtually impossible. Therefore, it is crucial to identify the "family silver" of the company and to in-sure the residual risk. Such residual risks must be defined and quantified within the risk management framework (probability of occurence, scope of loss etc.). Prior to purchasing a policy, one should scrutinize the covered risks, particularly with regard to pre-existing insurance coverage. The policy must be exactly tailored to the needs of the insured. The scope of coverage for each potential loss position must be clarified and stipulated in the contract. In case of loss, the small print is decisive!

* Dr. Lucy Gordon | Dr. Martin Eckert

Your team


In need of legal, tax or compliance advice? We look forward to contacting you.