News

Cyber Insurance

July 26, 2021

The adoption of teleworking has been a game-changer for tech companies and a goldmine for cyberattackers. The market has reacted quickly, boosting the popularity of insurers specializing in cybersecurity; cyber insurance is booming.

Companies offering more conventional insurance propose the following paradigm: If you protect your home, your car, and your company’s physical assets, why not protect your IT infrastructure to mitigate the risk of cyberattacks?

It is no secret that cybercrime is the prevailing market trend; for this reason, in addition to traditional insurance offerings such as liability, business, or property damage coverage, cyber risk insurance is now available, with premiums totaling 75 million euros nationwide—a 35% increase compared to 2019 according to Red Seguridad.

So, what is cyber risk insurance?

It is an insurance policy that helps companies protect themselves from the consequences of cyberattacks and reduce the risks IT companies face on a daily basis.

“A company is more likely to suffer a cyberattack than a fire or theft these days,” says Cátedra Pérez-Lloca / IE

How does it work?

First, the client’s actual needs are assessed, and then a solution is offered based on the analysis.

Second, once the action plan is decided, the insurer takes a passive role, waiting for an attack to occur so it can take the necessary measures. It not only covers the technical aspects, but in the event of data theft and extortion, it also intervenes in the ransom negotiations.

It will be vital to define two plans: one for action and another for contingency.

“The insurer’s role is not only to assess the damage that has occurred and set a compensation amount, but also to address the potential disruption of business operations caused by the cyberattack. Technical support and data recovery are essential“, states Cátedra Pérez-Lloca / IE

What requirements must a company meet to purchase cyber insurance?

We must start from the premise that cyber insurance is the last line of defense; for this reason, in order for a company to purchase a policy it must meet certain minimum requirements regarding IT security.

These measures are not only necessary for the procurement of these types of services, but they are also essential from a legal standpoint, since violations can result in fines of up to 20 billion euros or 4% of annual revenue according to Ayudaley.

As mentioned earlier, the company purchasing the insurance must have the necessary preventive measures in place to avoid or mitigate cyberattacks as much as possible, complying with the requirements of the GDPR (General Data Protection Regulation) and following the regulations set forth by the LOPD (Organic Law on the Protection of Personal Data).

Other necessary measures to implement include developing a security policy that incorporates key preventive measures, ensuring all devices are optimally protected; and having an effective backup plan so that, in the event of an attack or hijacking, everything is not lost.

Cybersecurity in SMEs

Although cyber insurance is vital for all businesses, many insurers focus primarily on SMEs. For these types of companies, purchasing these services does not definitively solve IT protection issues but does provide some relief in the event of an attack.

Despite the importance of the peace of mind that comes with being properly protected against cybercriminals, many small and medium-sized businesses are reluctant to purchase insurance.

Looking at last year’s figures (120,000 cyberattacks on SMEs with an average cost of €102,000) it remains difficult to understand the reluctance to purchase cyber insurance.

According to a report by AON in 2020, only 32% of SMEs purchased this type of service in contrast, companies with turnover exceeding €250 million increased their insurance purchases by 24% (from 2019 to 2020).

It is clear that awareness plays an important role when deciding where to invest money and what the priority is.

What do the policies cover?

Each insurer operates independently, covering different aspects; it is up to organizations to assess their needs and determine what is in their best interest. A large company will not purchase the same policies as an SME.

Generic package:

Third-party liability whether due to a breach of network privacy and security, or due to the website’s digital content or an attack
First-party damages caused by cyber extortion

Specific package:

Loss of profits caused by system interruption due to a malicious cyber act
Data and system recovery
Incident response services and expenses: technological containment, legal advice, notification to regulators and affected parties, information monitoring, among others
Emergency response to incidents within the first 48 hours
Cybercrime resulting from the theft of money or company assets
Guarantees
Costs of data recovery, notification, and benefits

It is essential to be aware that there are certain aspects that an insurer cannot cover, some of which are:

- phishing

attacks

Medium- and long-term losses (in terms of image, perception, etc./span>…)/span>
Reputation restoration
Expenses (in the event that previously stipulated security measures are not complied with)
Any damages resulting from unlawful acts committed by the insured intentionally
Violation of regulations regarding trade secrets and patents