Cyber risks: Are you ready for an attack?
Espionage, sabotage, data theft – losses from cyber attacks cost companies millions and are increasing all the time. As emergency response systems alone are not enough to keep pace with new and ever more complex threat situations, the market for cyber insurance is expected to continue its rapid development.
The ransomware aimed at data destruction, deleting sectors on the hard disk. Companies were forced to shut down their systems, which in some cases resulted in large-scale business interruption. For example, a British manufacturer of consumer goods estimated its loss in production and sales as a result of the shutdown at over £100m. A Danish shipping company quoted a figure of US$ 200–300m.
Networked home electronics bring new risks
Another reason the cyber attacks of October 2016 were so devastating was that the attackers targeted a critical network node – the domain name system (DNS) controlled by the American service provider Dyn. DNS translates web addresses like www.munichre.com into the actual IP addresses for the different websites. If DNS services are paralysed, a large number of websites can be cut off in one fell swoop, even if their own infrastructure is functioning perfectly.
Wake-up call for the insurance industry
Recent incidents illustrate how important it is to have protection against the consequences of cyber attacks. IT security and the protection of data (both a company’s own and that of third parties) are becoming a central element of this strategy. Not surprisingly, cyber attacks are directed against companies assumed to have a lot of money. The more online interaction a company has with customers and suppliers, the more disruptive the attacks can be. Cyber insurance not only provides cover for business interruption and ransom payments, but also helps companies recover lost data records.
Companies can protect themselves against cyber risks, with different risks covered by different policy designs. Cover can be summarised as follows:
- Ransom payments are insurable as far as is legally permissible. Costs for external consultants are also covered. There is usually a deductible in place, which would have applied in most instances in the WannaCry attack.
- Business interruption as a result of a cyber attack can be covered, even without prior property damage. In this case, there is generally also a deductible or sub-limit, along with a time deductible (waiting period). The waiting period can be up to 12 hours, during which time many attacks can be neutralised.
- The protection against loss of data and data corruption includes the costs needed to determine the causes and effects of a cyber attack. The costs for recovering data and removing the malware are also covered.
- Cyber insurance can also cover the loss of personal data or liability claims from third parties.
At the same time, the events were a wake-up call for the insurance industry to focus more strongly on the accumulation risk in the field of cyber risks. The industry is already using data-based methods to model cyber events. These models are based on scenarios that focus mainly on the frequency and severity of incidents. Possible scenarios include the spread of malware or spyware across systemically relevant operating systems, the disabling of a large cloud service provider, or an attack on the infrastructure of the internet. The aim of the models is to determine the financial impact of cyber mass-attack scenarios like WannaCry or Petya.
Traditional exclusions do not always apply
A good example of this was the cyber attack on the French television channel TV5 Monde in April 2015. Programmes were interrupted for several hours and the channel’s web pages were filled with Islamist logos and slogans from the so-called “Cyber Caliphate”. Although every internet user who visited the TV5 Monde homepage saw the flag of the Islamic State there, computer forensic investigators believe that Russian hackers were actually behind the attack. The channel estimated the cost of recovering and securing its systems at just under €5m.
Insurance increasingly in demand
On the claims side, we can expect that sophisticated ransomware or DDoS attacks will lead to an increased number of business interruption cases. One of the tasks of an insurance company in this context will be to guarantee prompt assistance to minimise cyber-related losses. Irrespective of demand, insurers that have not offered cyber products up to now should estimate their own cyber exposure in traditional property or casualty lines, and address the topic of “silent cyber” in their internal risk and portfolio analysis. Munich Re’s response in terms of its own portfolio is to actively manage such risks, to pursue a clearly defined cyber strategy and to make further investments in cyber underwriting and risk expertise.