Let’s hit cybercrime with cyber insurance!
Instead of a Preface
Ekaterinburg, the freewheeling 1990s. There is occasional shooting in the streets, but cybercrime is still light years away. At most, viruses occasionally do some minor damage, the hardware is unreliable, and the qualifications of the staff leave much to be desired.
In this situation, the young, small, but very proud Ural insurance company “White Tower” decides that it is time to move into large risks. What insurer does not dream of insuring a factory, an aircraft fleet or a satellite launch? Never mind that the authorized capital does not allow it and the reinsurers around are in the same position… So the director invites none other than representatives of the English Lloyd’s (Lloyd’s of London) and, oddly enough, they come. With their own translator. And we pretend that we understand nothing without him.
After a couple of days, we sign a cooperation agreement. As the curtain falls, the British ask whether we have anything new and more interesting.
– We recently developed a new type – database insurance.
Meal scene. Then the British say among themselves, not for translation:
– Are they crazy?
And we, with a laugh, in pure English:
– We are mad enough to be the first.
After that, the conversation turned to: how? What? How to calculate a loss… Finally, we gave them the insurance rules.
A quarter of a century has passed. Now it is called cyber insurance, and it covers only 36% of all legal entities in the United States. Of all cybercrime, the most common is phishing: theft of personal and identification data (PINs, logins and passwords).
Why it is necessary
A real cyberwar is under way in the world. Anything goes: attacks, hacking, theft, fakes, viruses, phishing, cloned sites, industrial and military espionage and much more.
The Federal Reserve System (FRS) of Chicago cites confirmed cyberattacks:
- 2013 – the Target data breach;
- 2016 – the leak of Democratic National Committee emails during the elections;
- 2017 – the Equifax data breach.
The FRS names the main objectives behind the incidents:
- obtaining political dividends;
- theft of intellectual property;
Cyber insurance (in some writings “Cyber Insurance”) covers business, political and economic risks. Cybersecurity became especially important after the widespread adoption of the Internet. The first liability policy for Internet security was written by Stephen Haas for AIG in 1997. Lloyd’s of London developed a similar document in 2000.
Insurance exists in two forms:
- direct insurance by the insured of its own risks;
- liability insurance, for cases where the insured inadvertently causes harm to other participants in network communication or to business partners.
In addition to these forms, cyber risk can be covered implicitly within property insurance. For example, a server burns down in a fire, and in addition to the direct property damage there are losses from restoring the lost information. Such damage can also be reimbursed if it was declared when the contract was concluded.
In our interview with Rob Galbraith, author of the bestseller “The End of Insurance as We Know It: How Millennials, Insurtech, and Venture Capital Will Disrupt the Ecosystem”, Rob explained what problems insurtech faces and what future awaits this area of insurance. We highly recommend reading the interview: the author shared extensive knowledge of the industry and forecasts for the next 10 years.
The Cyber Insurance Market
A cross-your-fingers mentality prevents widespread cyber insurance coverage of Russian enterprises and individuals, but in the United States this type of insurance covers:
- 66% of educational organizations;
- 62% of health facilities;
- 58% of large companies;
- 51% of communication enterprises;
- 41% of communal services organizations;
- 39% of trade enterprises;
- 27% of financial institutions.
The average damage from a cyber incident in the United States in 2018 was more than $27 million, in the UK more than 11 million, and in Japan and Germany more than 13. According to forecasts, by 2025 the world cyber market will reach more than Its annual increase will be about 27%.
The leading foreign companies actively operating in the Cyber Insurance market include:
- American International Group (AIG);
- Berkshire Hathaway;
- Allianz Group;
- Lockton Companies;
- Munich Re Group;
- Chubb Limited;
- Lloyd’s of London;
- Zurich Insurance Group;
- AXA XL SA.
Some of these companies are represented in the Russian market. A subsidiary of the American AIG has operated in the country since 2013. In 2017 and 2018, domestic insurers developed insurance products:
- Sberbank Insurance.
Insurance brokers actively execute Cyber Insurance certificates.
This type of insurance has significant prospects in Russia, since cybercrime is growing rapidly. In 2018, the number of such crimes increased by 92% compared with the previous year.
Each company’s rules stipulate its own set of covered risks. In general, protection covers:
- hacker attacks;
- theft or destruction of data as a result of certain events in the field of IT;
- expert examination expenses to assess the event and the losses incurred;
- costs of investigating extortion (threat of attack);
- expenses incurred due to business interruption;
- loss of profits;
- damages due to reputational risks;
- restoration of lost data;
- liability related to a breach of confidentiality.
The company offers the AlfaCyber product, which protects against individual risks or against all of them together. The insured can choose one of the proposed packages or assemble its own. The basic package includes the following risks:
- distortion and loss of data (including from encryption viruses);
- diagnostics and investigation of cyberattacks;
- loss or distortion of software;
- public disclosure of personal data.
In addition to these, you can insure the risks of theft of intellectual property and cash, and almost a dozen unforeseen events in the field of IT. The insurance rate depends on the selected set of risks.
The insurer offers the insurance product Allianz Cyber Protect, under which you can insure:
- civil liability for leakage of financial and personal data;
- losses due to cyber wiseness or due to downtime caused by corruption or loss of data or software;
- Forwarding costs (computer forensics).
The company entered the Russian cyber insurance market with CyberEdge, which not only offers protection against cyberattacks but also provides security assistance, help in investigating IT crimes, and advisory and legal assistance. These services are provided by its partner companies.
AIG offers a mandatory minimum set of risks, on the occurrence of which it reimburses:
- losses caused by data breaches;
- expenses for data recovery;
- costs of an administrative investigation;
- expenses due to virtual extortion;
- losses caused by a network interruption;
- costs incurred due to liability for the content of information.
Additionally, you can insure compensation for lost profits and a number of other risks.
Individuals can prevent or mitigate their cyber risks with a mobile app developed by AIG for smartphones and iPhones. You can download it from the App Store.
Cyber Insurance problems
This type of insurance is one of the most difficult, not only because it requires a large amount of knowledge from the insurer, but also because of a number of methodological problems that have not yet been resolved.
Among the persisting difficulties are:
- the lack of a sufficient base of concluded contracts and paid insured events, which prevents full actuarial calculations, so the tariff is determined less accurately;
- emerging penetration and hacking methods, which prevent accurate determination of the likelihood that a database or the insured will be hacked;
- simultaneous damage to thousands of companies as a result of a cyberattack on a network, which can cause a flurry of interrelated losses for insurers;
- cascade failures that cyberattacks can cause (for example, an attack on a power system that destroys part of the infrastructure leads to additional failures in the rest of the network);
- malicious programs that can spread over the network, affecting a large number of insured parties at the same time;
- difficulties in determining the amount of insurance coverage;
- legal uncertainty in the field of IT.
The difficulties in calculating the tariff led to the insolvency of Penn Treaty, whose forecasts were too optimistic because it based its assumptions on experience in other types of insurance.
Simultaneous damage to many insured parties can result from an attack on a large cloud service that is used by a significant share of customers. In this case, the amount of payments and their value may be alone for the insurance company.
A mass attack by malicious viral code occurred in 2017. The NotPetya virus, attributed to Russian hackers, used a Windows vulnerability to gain access to unprotected computers, spread through them to other computers and then around the world. The estimated damage amounted to about 10 billion dollars.
Uncertainty about new factors and threats does not allow insurers to accurately predict the amount of losses, so the insured sum is determined by eye: the insured and the insurer simply agree on the maximum amount of damage.
When concluding the contract, it is important for the insured to understand the risks covered and the causes of their occurrence. Many managers who have concluded cyber insurance agreements believe that they will be compensated for damages due to a fall in the share price or depreciation of the brand, while most insurance programs do not cover such risks.
The absence of clear legislation in the field of IT has led to a growth in lawsuits against insurers. It is still not clear whether only actual losses are covered or also those that may arise in the future. Does liability for theft of personal data arise once the fact is discovered, or only after the leak causes real harm to the client?
American judicial practice, based on case law, is sinking. In 2019, the Supreme Court rejected the appeal in which the insured tried to challenge the court decision in the Zappos.com suit. The insurer refused to pay the insured, which expects to receive compensation on the basis that “losses are inevitable.”
Insurers are awaiting the outcome of the litigation between the food company Mondelēz International and the insurer Zurich Insurance Group over damage of $100 million. The risk of physical loss or damage was insured, but with an exception: “except for the act of war.” The basis for refusal was the White House statement that the virus was the result of a cyberattack by the Kremlin and the Russian military. This was enough to classify the attack as a hostile act.
Fortunately, Russian courts do not use case law, but deal with each specific case and usually side with the insured. In addition, we have no time for cyber insurance.
Wide distribution of this type of insurance is further complicated by the need to conclude contracts with information security companies and with expert organizations capable of determining the size of damages.
Horizons of Russian insurance market
As for the prospects of the Russian cyber insurance market, market experts believe that business does not yet understand the importance of cyber risks. At the beginning of 2020, insurance premiums in Russia did not exceed several million dollars. However, according to expert projections, they may increase severalfold in the coming years. This opinion was expressed by experts surveyed by TASS. Digitalization of the economy and automation of business and production processes are expected to lead to a multiple increase in the market. According to expert estimates, against several million dollars in Russia, this type of insurance exceeds $5 billion worldwide.
The lack of standards, methodology and legal regulation should soon be resolved. The national project on the digital economy stipulates:
- the need to improve cyber culture;
- promotion of insurance of information security risks;
- possibly even tax benefits for insurers;
- making this type of insurance mandatory for strategically important industries.
It is predicted that the cyber insurance market in Russia may amount to 10 billion rubles by 2025. The Working Group under the All-Russian Union of Insurers, in collaboration with the Chamber of Commerce and Industry of Russia (CCI), is working out the methodological issues.
It is assumed that cloud providers will begin to insure their liability. Cloud4y is already prepared to offer customers insurance of the risks of hosting services and information in the cloud.
The Head of the All-Russian Union of Insurers Igor Yurgens also noted the market’s prospects and stated the need for work on the formation of legislative regulation and law enforcement practice.
As one of the market problems, experts note the fact that companies often prefer to invest not in insurance, but in IT infrastructure.
“A more conscious attitude towards cyber risks comes to companies along with their growth. However, many of those customers who considered acquiring a policy end up preferring to spend the budget not on insurance but on improving their IT infrastructure,” said Igor Chichkan, head of the financial risk insurance department. Dmitry Georgians agrees with him. According to him, companies continue to invest in IT security while realizing that this approach does not solve the problem of cyber threats 100%.
Currently, there are about 30 cyber insurance contracts in Russia. Among those who have entered into such contracts are financial institutions, IT companies, and large manufacturers.
It is important to note that in 2017 a bill on compulsory insurance against cyber risks was developed within the framework of the Russian Government’s “Digital Economy” program. It was planned that this law would take effect in 2020. The main concerns of the bill’s developers were associated with existing threats to strategic sectors of the economy. At that time, Sberbank headed this working group.
It was assumed that in 2020 a new standard for compulsory audit of information security would be introduced, with a mandatory requirement of cyber insurance for enterprises in some areas of the economy (such as banks, train stations and airports, as well as strategic facilities and industries). It was assumed that Russia could become a leader in this direction in the next 3-5 years. Experts noted that cyber insurance would be in demand among credit institutions, service providers and companies that process personal data.
But so far this has not happened. On the one hand, it is difficult to set the correct tariff for a mandatory line of insurance with the existing small base of contracts; on the other, any mandatory line will again increase the burden on business, especially if tariffs are high and coverage is excessive.
Back in 2017, the President of WCS, Igor Yurgens, drew attention to foreign experience in insuring cyber risks, primarily that of the United States, which is in fact the main world market in this area. In the United States, cyber insurance is carried out on a semi-mandatory, imputed basis (that is, a policy is a mandatory requirement, but tariffs, risks and coverage, and therefore the price of the policy, are agreed between the parties to the contract).
The insurance market of Russia as a whole is ready to resist the ever newer threats arising from the use of IT, but so far everyone understands the intentions and potential of the market, while actually working products from insurers and a desire on the part of business to buy them –
Thus, taking into account the general IT transformation of the Russian market and the real growth of cyber threats, the involvement in the process of all sides, starting from the insurance community and government and business.
Article approved by expert of Insurance Market Lebedev Denis