Companies that are hit by a cyber-attack incur costs and losses that can even have liquidation consequences.

 

Trends and context

Financial losses and unplanned costs arise from the interruption of business activities, incident response costs, and often fines related to data breaches. However, the harm will also be reflected in damage to reputation and the loss of customers. Cyber risk insurance, or “cyber insurance” for short, can protect against such financial losses.

Where cyber insurance is concerned, we currently consider ransomware attacks to be the dominant cyber risk. Manufacturing was identified as the industry with the highest number of insurance claims caused by ransomware.[1] At the same time, cyber risks are constantly increasing due to rapid technological advances such as (generative) artificial intelligence and cloud technologies. 

And yet, most operators of essential services perceive cyber insurance as a service that they cannot afford due to the high premiums and disadvantageous coverage.

According to data collected by the European Union Agency for Cybersecurity (ENISA) through a survey of 262 operators of essential services in the European Union, three out of four currently do not have cyber insurance. The survey also reveals that operators often find other risk mitigation strategies more favourable than insurance.[2]

 

The Slovak reality

In our practical experience, companies in Slovakia have a relatively inconsistent perception of cyber insurance. Factors such as the cost of premiums, the coverage offered and companies’ assessment of their own exposure to risks and potential losses from cyber incidents all play a key role in this perception.

Companies may find cyber insurance expensive, especially if they believe the coverage provided is not fully commensurate with their specific risks or potential losses. Thus, high premiums and perceived coverage gaps can lead to questioning the effectiveness of cyber insurance as part of a company’s overall risk management strategy.

In addition, businesses often prioritize investments in proactive cybersecurity measures, such as advanced security technologies, employee training on cyber threats, and robust data protection practices, over insurance. This approach may include implementing security standards, regular vulnerability assessments, and incident response plans to mitigate the risk of cyber incidents.

 

Cyber risk management

Cyber insurance typically covers the external costs of IT services, legal services and PR in response to a cyber incident, direct financial loss from business interruption, fines for personal data breaches and the cost of protecting and defending the company’s rights.

There is also broader insurance coverage, such as insurance for harm to the organization’s reputation as well as protection from cybercriminals’ ransom demands. Policies can also cover the costs associated with identifying and negotiating with cybercriminals, including contending with ransom demands or deadlines.

Most insurance companies have an established loss estimation methodology, or use simplified methods based on risk exposures and risk factors, which in our opinion underestimate the risk. Insurance companies should provide clients with a higher added value that also covers an expanded range of covered risks, such as reputational risks.

The main challenge appears to be to design a common but pragmatic approach to cyber risk management. The problem is not only due to the lack of available data, but also the fact that any model is in danger of quickly becoming obsolete due to the dynamics of the cyber risk environment and advances in cyber threats.

 

Concept of cyber risk

The European Insurance and Occupational Pensions Authority (EIOPA) understands the concept of cyber risk as a correlation and interdependence of three main areas: Digitization in the insurance industry (InsurTech), Supervision using technologies (SupTech), and the Cyber risk assessment process for determining the insurance premium rate (Cyber Underwriting).[3]

According to the EIOPA, building a strong and reliable cyber insurance market requires several conditions, including ensuring that insurers apply sound underwriting and risk management tools in the area of cyber underwriting, properly managing both affirmative and non-affirmative cyber risk exposures, making cyber coverage clear and transparent, obtaining more quantitative information on incidents so that risks can be priced and liability exposures estimated more accurately, and cyber risk measurement and management for insurers.[4]

 

Cyber security rating

The cyber risk assessment also includes a rating or index, which objectively assesses the state of an organization’s cyber security based on various factors, including network security, data protection, and the ability to respond to incidents. Cyber risk ratings can also be used to assess the risk of a cyber-attack and determine the price of insurance or coverage. 

Legislation mandates cyber risk ratings in France. According to French law no. 2022-309 of March 3, 2022, on the introduction of cyber security certification for digital platforms intended for the general public, operators of online platforms are obliged to conduct a cyber security audit, the results of which they must present to consumers.[5]

The law explicitly specifies that the audit result be presented to consumers in a legible, clear and understandable manner and be supplemented by an additional presentation or statement through a colour information system. This law became effective in France on October 1, 2023.

While banks and other lending institutions use credit ratings to assess potential risk when lending to consumers and to mitigate bad debt losses, cyber risk ratings can similarly provide an objective measure of an organization’s cybersecurity posture. Ultimately, this will help reduce the risk of cyber incidents.

 

We were happy to be able to contribute our experience and opinions to a supplement to the Hospodárske Noviny newspaper: link.

 

Court case-law shaping the cyber insurance sector

May 26, 2023, Federal Republic of Germany

The regional court in Tübingen has issued an important court decision regarding cyber insurance in Germany. In its decision, the court dealt with objections regarding coverage for insurance claims, including pre-contractual information obligations, increased risk and gross negligence leading to an insured event.

The court ruled in favour of the insured and rejected the insurer’s arguments. Specifically, the court rejected the insurer’s argument that the insured caused the damage through gross negligence by failing to implement measures to prevent cyber attacks. The court argued that the insurer could have reviewed these specific information security terms during the pre-contractual risk assessment phase.

The insured’s IT infrastructure was seriously disrupted when ransomware penetrated the system. An employee unknowingly initiated the attack by opening a phishing email on a work laptop. The e-mail attachment looked like a regular invoice, and clicking on it downloaded malicious software to the insured’s network. The cyber incident knocked out a large part of the servers; the attackers demanded a ransom in Bitcoin and threatened to release sensitive company data. The incident resulted in significant operational losses.

During the settlement of the insurance claim, it became clear that the insured had not implemented relatively common security measures, had not installed the necessary updates and had provided inaccurate answers to the insurer’s questions during the pre-contractual risk assessment.

The insurer withdrew from the insurance contract on the grounds that the insured had violated its pre-contractual information obligation by incorrectly answering several questions. As a further argument, the insurer pointed out that the insured had not installed security updates that had been available for multiple servers for years, even though it knew about them. At the same time, the insurer pointed to insufficient security measures against a cyber-attack, for example the lack of two-factor authentication and adequate monitoring, which in its view amounted to an increase in risk and gross negligence on the part of the insured.

The court considered whether the insurer could, in principle, have inquired about these specific risk circumstances. Since there had been no change in the status of the servers between the conclusion of the policy and the occurrence of the insured event, the insurer, according to the court, implicitly accepted the existing risk situation, as it did not request additional information.

 

Court of Justice of the EU (CJEU)

According to Art. 82 par. 1 of the GDPR[6], any person who has suffered material or non-material damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

In three recent judgments (C-687/21, C-340/21, and C-456/22) the CJEU has clarified its position on the responsibility of companies for the security of their own information systems and data protection, as well as the conditions for the award of non-pecuniary damages under Article 82 of the GDPR. The court further clarifies when affected persons can demand compensation for non-pecuniary damage from companies in the event of data loss.

This continues the CJEU’s trend of expanding corporate liability, and increasing the likelihood of litigation in the future. This will also have an impact on cyber insurance, as situations where customers sue companies for damages under Article 82 of the GDPR will generally be covered by the scope of the company’s cyber insurance. 

At the point of sale, the electronic appliance was mistakenly handed over to another customer together with the purchase documents and credit agreement. 

The CJEU rejected the claim for damages under Article 82 of the GDPR. According to the court, non-pecuniary harm does not arise merely because a person, whose personal data was made available to an unauthorized third party who did not actually access it, nevertheless fears that the data has been copied and could be published or even misused.

The court therefore concluded that if a document containing personal data was handed over to an unauthorized third party who demonstrably did not take note of the data, the mere fact that the data subject fears that his or her data may be disseminated or misused in the future as a result of this transfer (which would have allowed a copy of the document to be made before it was returned) does not constitute “non-material damage”.

In a hacker attack, the tax and social security data of more than six million people were exfiltrated and published on the Internet.

One of the people asserted a claim for compensation for non-material damage for fear that his data would be misused by third parties. In this case, the CJEU confirmed the liability of the operator for the damage. According to the court, a reasonable fear of future misuse of data is sufficient to create a right to compensation for damages.

Disclosure of personal data on the Internet.

This resulted in a temporary loss of control over the data, which could cause non-material damage to the data subjects in accordance with Article 82 of the GDPR. The persons concerned only have to prove that they actually suffered such harm, even minimal. According to the CJEU, there is no minimum threshold for damage (threshold value “de minimis”) based on Article 82 of the GDPR, and the judgment strengthens the rights of data subjects to compensation for non-material damage.

 

May 2023, United States of America

Pharmaceutical giant Merck was damaged in one of the most devastating ransomware attacks, the NotPetya attack, in June 2017. Merck asserted an insurance claim from its property insurance policy.

The insurer, Ace American Insurance Company (Ace), refused to pay out under the policy even though Merck’s policy covered “all risks”. Ace argued that the event was an “act of war” on the part of Russia and was therefore excluded under the policy’s exclusion for damages related to acts of war.

However, the Appellate Division of the Superior Court of New Jersey ruled in May 2023 that the NotPetya attack did not fall under the policy exclusion for “hostile or warlike” acts.[7]

Since the NotPetya attacks, some measures have been taken to clarify which types of attacks are subject to insurance exclusions. Insurance giant Lloyd’s of London in 2022 announced that underwriters would have to exclude coverage for state-sponsored cyberattacks associated with war and incidents that significantly impair the ability of a state to function or that adversely affect a state’s security capabilities.[8]

 

__________________________________________________________________________________________________________________________

[1] Munich Re: Cyber Insurance Risks and Trends 2024. Available online at: https://www.munichre.com/en/insights/cyber/cyber-insurance-risks-and-trends-2024.html

[2] ENISA: Demand Side of Cyber Insurance in the EU. Analysis of Challenges and Perspectives of OESs. February 2023. Available online at: https://www.enisa.europa.eu/publications/demand-side-of-cyber-insurance-in-the-eu

[3] EIOPA: EIOPA Strategy on Cyber Underwriting. 2020. Available online at: https://www.eiopa.europa.eu/publications/cyber-underwriting-strategy_en

[4] Ibid.

[5] Official text in French, available online at: https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045294275

[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[7] ABI: Cyber Threats: Landmark Ruling Signals Importance of Clear Policy Language. July 12, 2023. Available online at: https://www.abi.org.uk/news/blog-articles/2023/7/cyber-threats-ruling/

[8] The Record: Lloyd’s to forbid insurers from covering losses due to state-backed hacks. April 22, 2022. Available online at: https://therecord.media/lloyds-to-forbid-insurers-from-covering-losses-due-to-state-backed-hacks