Traces of ‘cyber insurance’ or insurance coverage for digital risks within IT infrastructure started to be seen in policies as long ago as the 1980s. One of the first such policies was electronic computer crime insurance. In fact, the author of this article used such a policy to collect a record settlement (at the time) of $45m for a banking customer who suffered a significant hack in 2013.
That loss was covered mostly by traditional crime insurance, with only around 10% of it classed as cyber insurance.
The Central Bank of Bangladesh was recently left red-faced when it became the victim of one of the world's largest cyber attacks. It appears criminals planted malware in the bank's computer systems through simple spear phishing attacks, enabling them to issue fraudulent transfer instructions that appeared legitimate. The criminals sent 35 fake money transfer orders totaling nearly $1bn to the US Federal Reserve, of which five were executed, resulting in a loss of $101m.
As in the previous example, traditional crime insurance would have covered the majority of the loss, with only around 10% falling to cyber insurance.
Cyber vs. Crime
There is some confusion among buyers of insurance as to the difference between a crime insurance policy and a cyber insurance policy. In the case of the Central Bank of Bangladesh, the bank would have needed both! The differences between them are subtle but important, and are best explained as follows:
- Crime insurance is a policy that covers the loss of electronic funds through various internal, external and computer-related criminal, dishonest and fraudulent events.
- Cyber insurance is a policy that covers the costs of managing an incident, the loss of income sustained by a firm, and the liability that firm has to third parties arising from an information security event.
The modern-day cyber insurance policy means different things to different people. In the US (the largest buyer of cyber insurance globally) coverage is mainly driven by stringent consumer-led data protection regulation, through cover called privacy liability insurance. This phrase was originally coined by insurers in 2003 after the State of California introduced mandatory notification of consumers following a data breach. US insurers were quick to create a policy which met the costs a firm may incur in complying with these regulations.
Events such as the TalkTalk breach would have caused a significant loss to cyber insurers, because much of the loss arose from investigation, notification to customers, increased cost of working and liability to customers, all of which is cover that a cyber insurance policy is structured to provide.
US and EU Data Protection Regulation
Thirteen years later, privacy liability insurance is still the prevalent form in the US market. Effectively, this is still cyber insurance; however, it does not provide the same coverage as the cyber insurance typically found in the European market. Principally the differences are:
- US privacy liability insurance focuses on the company’s liability and regulatory obligations, such as notification of individuals, credit monitoring services and liability in the event of breach.
- EU cyber insurance provides the same level of cover as a US policy, but also provides non-physical-damage business interruption cover and is more focused on first-party coverage.
To complicate matters further, each insurer has its own interpretation of policy coverage, meaning that in many cases policies differ in structure and definitions. There is a degree of disparity in buying patterns between the US and EU markets, which can largely be explained by US buyers opting for liability cover, while EU buyers focus on first-party loss coverage.
This imbalance in cyber insurance purchasing looks set to even out as the available policies slowly converge into one, and particularly as other regions adopt data protection regulations similar to those in the US. For example, the EU has just adopted the General Data Protection Regulation, which allows fines of up to 4% of the global annual turnover of a firm operating in the EU for breaches of its data protection obligations.
That being said, the collective banner of cyber insurance, which includes privacy liability, is the fastest-growing insurance product globally, with gross written premiums expected to exceed £7bn in 2020. This is partly connected with the continuing frequency of high-profile attacks and the growing belief that cyber insurance is no longer just a nice-to-have, but forms a critical part of a firm's corporate governance.
Elmore Insurance Brokers Limited advises its clients to actively manage risk in order to bring premiums down. Insurance is a partnership between businesses and insurers, and that partnership is significantly enhanced by focused engagement to understand and implement information security risk management best practice, of which cyber insurance forms one part.
Original Author: Simon Gilbert, Managing Director, Elmore Insurance Brokers Limited
Original Links: N/A