InsureNXT: What specific risks can be insured against cybercrime and where are the limits? After all, it is often a question of more than just repairing the pure damage.
Currently, various personal and third-party damages in the IT and cyber environment can be insured. An independent cyber insurance policy, for example, offers insurance against various personal damages such as business interruption, hardware replacement and data recovery, but also against third-party damages, for example liability due to a data protection violation or from an illegal publication in media. Such insurance policies take effect if a cyber incident occurs in the computer system of an insured company. They can also be extended to external IT service providers.
In my view, it is also important to add crisis services, so that customers can quickly obtain professional help in the event of a suspicious or damaging event. There are limits, however, when it comes to the protection of pure industrial espionage and the protection of complete supply chains. Usual exclusions are those for known circumstances, contractual claims, confiscation by authorities as well as natural disasters or superior power.
Which of these are already covered by other insurance policies, such as corporate liability or D&O for management and supervisory boards?
Many corporate liability policies already provide at least partial coverage for data protection violations. Other coverages contain in part explicitly limited cyber modules. However, this does not even come close to replacing full coverage – not even in total. This is also because important components such as non-physical business intelligence or IT forensics are not offered in other sectors.
Which companies in which industries are interested in protection against cybercrime? Only large companies or do you see a need for such protection among SMEs and start-ups as well?
What we are definitely noticing is that there has been a significant increase in the number of enquiries and contracts – which is certainly also due to the increased number of claims. The interest among large companies is particularly noticeable, but from our point of view there has also been a noticeable rise in relevance among small and medium-sized companies – and this, incidentally, across all lines of business.
Who can even sell such insurance? The “normal” insurance sales department will soon reach the limits of its know-how. Are you recruiting IT security experts specifically for this kind of business?
When it comes to the technical details, we do indeed have the support of both internal and external IT security experts in order to provide our customers with the best possible advice and suitable security. But since we are all surrounded by a lot of IT nowadays, IT risks are omnipresent. I therefore believe that with a little basic knowledge, it is possible for anyone to identify the risks without having to dive straight into the depths of IT security. The current cases of damage support this clearly. I therefore believe that the often predominant respect for addressing the topic of cyber insurance does not have to be there.
What rules do companies have to follow if they want to take out such an insurance policy and how much insight into the IT infrastructure is the insurer allowed to have in case of emergency?
In the application, the customer must answer questions about the current situation with regard to IT security. These application questions should of course be answered correctly and the status should then be maintained. For example, if it is stated that a certain IT security infrastructure exists, this should not be changed after three months. However, we are not referring to specific versions or a particular state of the art. How much insight companies have to provide in an emergency naturally depends on the customer and the damage. However, our experience is that customers even appreciate the professional support in the event of a crisis, which is then provided by our specialist service provider.
Cyber insurance is now also available for end users. Does that make sense in your experience?
The market for private cyber insurance is even more uneven than for commercial policies and needs to develop and differentiate further. In my opinion, however, such a policy can make sense – depending on the scope of cover and user behaviour. I am thinking, for example, of families with teenagers, where there is often a higher level of Internet use, but the risks of a certain behaviour on the Internet have not yet been fully considered.
Jutta Berger-Knickmeier (Zurich Insurance) has been a Financial Lines expert in various roles since 2002, initially primarily in the area of D&O and since 2013 also in cyber underwriting. Since 2018 she has been working in product management for liability and financial lines as well as cyber underwriting.