Cyber risks: Are you ready for an attack?

Espionage, sabotage, data theft – losses from cyber attacks cost companies millions and are increasing all the time. As emergency response systems alone are not enough to keep pace with new and ever more complex threat situations, the market for cyber insurance is expected to continue its rapid development.

In spring 2017, we once again witnessed how vulnerable companies across the world have become as a result of digital networking: on 12 May, within the space of twelve hours, the WannaCry ransomware infected hundreds of thousands of computers and encrypted their hard drives. The attackers demanded a ransom of US$ 300, to be paid in the bitcoin internet currency, from victims in more than 150 countries. Some weeks later, the Petya malware struck, affecting thousands of systems in over 60 countries.

The ransomware was aimed at data destruction, deleting sectors on the hard disk. Companies were forced to shut down their systems, which in some cases resulted in huge-scale business interruption. For example, a British manufacturer of consumer goods estimated its loss in production and sales as a result of the shutdown at over £100m. A Danish shipping company quoted a figure of US$ 200–300m.

Networked home electronics bring new risks

Back in October 2016, a DDoS (distributed denial of service) attack caused turmoil. Unknown attackers succeeded in paralysing a number of popular web services. The attack was unusual in that the perpetrators hijacked millions of internet-enabled household appliances for their scheme. They exploited weaknesses in the software of the different devices to form what are known as botnets. The hackers used the concentrated computing capacity of these networks for their cyber attacks. The opportunities for hacker attacks are increasing with the spread of networked home electronics. Billions of these devices are in use every day, and the figure will run into the tens of billions as the Internet of Things expands. A further problem is that many providers of devices – especially inexpensive ones – fail to take adequate protective measures.

Another reason the cyber attacks of October 2016 were so devastating was that the attackers targeted a critical network node – the domain name system (DNS) controlled by the American service provider Dyn. This translates web addresses into the actual IP addresses for the different websites. If DNS services are paralysed, a large number of websites can be cut off in one fell swoop, even if their own infrastructure is functioning perfectly.
Visualisation of a DDoS attack
A hacker infects bots with malicious software. The bots are linked up in a botnet and all “work” for the hacker. Together, the bots attack a server by flooding it with requests. The server crashes under the volume of traffic. The website is no longer accessible.

Wake-up call for the insurance industry

Recent incidents illustrate how important it is to have protection against the consequences of cyber attacks. IT security and the protection of data (both a company’s own and that of third parties) are becoming a central element of this strategy. Not surprisingly, cyber attacks are directed against companies assumed to have a lot of money. The more online interaction a company has with customers and suppliers, the more disruptive the attacks can be. Cyber insurance not only provides cover for business interruption and ransom payments, but also helps companies recover lost data records.

Companies can protect themselves against cyber risks, with different risks covered by different policy designs. Cover can be summarised as follows:

  • Ransom payments are insurable as far as is legally permissible. Costs for external consultants are also covered. There is usually a deductible in place, which would have applied in most instances in the WannaCry attack.
  • Business interruption as a result of a cyber attack can be covered, even without prior property damage. In this case, there is generally also a deductible or sub-limit, along with a time deductible (waiting period). The waiting period can be up to 12 hours, during which time many attacks can be neutralised.
  • The protection against loss of data and data corruption includes the costs needed to determine the causes and effects of a cyber attack. The costs for recovering data and removing the malware are also covered.
  • Cyber insurance can also cover the loss of personal data or liability claims from third parties.

At the same time, the events were a wake-up call for the insurance industry to focus more strongly on the accumulation risk in the field of cyber risks. The industry is already using data-based methods to model cyber events. These models are based on scenarios that focus mainly on the frequency and severity of incidents. Possible scenarios include the spread of malware or spyware across systemically relevant operating systems, the disabling of a large cloud service provider, or an attack on the infrastructure of the internet. The aim of the models is to determine the financial impact of cyber mass-attack scenarios like WannaCry or Petya.

Traditional exclusions do not always apply

Recently, it has become increasingly difficult to categorise and distinguish between different types of cyber attackers (see summary on the left). This further complicates matters for the insurance industry. Traditional exclusions in a policy, such as for terrorism or war, may not apply, since governments and secret services are unlikely to admit to participating in a cyber attack. Even in the case of cyber terrorists – who are certainly interested in publicising their cyber skills in the media – it is difficult to prove who the perpetrators are and thus obtain evidence for a contractual exclusion.

A good example of this was the cyber attack on the French television channel TV5 Monde in April 2015. Programmes were interrupted for several hours and the channel’s web pages were filled with Islamist logos and slogans from the so-called “Cyber Caliphate”. Despite the fact that every internet user who visited the TV5 Monde homepage saw the flag of the Islamic State on there, computer forensic investigators believe that Russian hackers were actually behind the attack. The channel estimated the cost of recovering and securing its systems at just under €5m.

Insurance increasingly in demand

Entire industrial sectors, and therefore economies, governments and society itself, are more dependent than ever before on a functioning IT and telecommunications landscape. In order to counter these increasingly complex threats, the market for cyber insurance is likely to experience dynamic development as technical advances and increasing digital networking drive demand. Widely publicised cyber attacks coupled with new rules from regulatory authorities and governments (especially the EU General Data Protection Regulation with new rules on data protection and reporting requirements, due to come into effect in all EU member states on 25 May 2018) and a growing awareness of cyber risks will also promote the spread of cyber policies. In the USA, the largest market for cyber insurance, the volume of stand-alone covers increased by 30% per year between 2011 and 2015 to US$ 1.5bn.

On the claims side, we can expect that sophisticated ransomware or DDoS attacks will lead to an increased number of business interruption cases. One of the tasks of an insurance company in this context will be to guarantee prompt assistance to minimise cyber-related losses. Irrespective of demand, insurers that have not offered cyber products up to now should estimate their own cyber exposure in traditional property or casualty lines, and address the topic of “silent cyber” in their internal risk and portfolio analysis. Munich Re’s response in terms of its own portfolio is to actively manage such risks, to pursue a clearly defined cyber strategy and to make further investments in cyber underwriting and risk expertise.