Many in the insurance industry, myself included, expected the introduction of GDPR in May 2018 to drive a boom in demand for cyber insurance products in the UK and Europe, as data protection and privacy became a board-level conversation for companies both big and small. However, whilst it has contributed to the growth of the cyber insurance market, we have seen other significant trends contribute to the real uptick in demand — namely, the exponential rise in size, frequency and sophistication of ransomware attacks and increased understanding of "silent cyber" risks.
GDPR: Cybersecurity in the Spotlight
Data privacy legislation and regulation implemented in the US in the mid-2000s drove demand for cyber insurance in the North American market, as businesses looked to protect their digital assets. We expected much the same trends to translate to Europe with the introduction of GDPR, with the enforcement of the legislation and prohibitive potential fines leading to an increase in cyber insurance uptake.
Undoubtably, we have seen demand increase for cyber insurance products since the introduction of GDPR across Europe in May 2018, as well as following high profile data breaches. The loss of customer data and large resultant fines totalling in the hundreds of millions have demonstrated just how severe the impact of cyber-attacks could be. As a result, data intensive businesses and sectors which handle and transfer large volumes of sensitive personal data such as healthcare and retail banking, have been quick to see the benefits of taking out cyber insurance policies.
However, we have not seen the pick-up we expected in industries which are less data intensive (such as manufacturing) and SMEs who believe they are unlikely to be the target of a cyber-attack due to their low profile and size.
One additional explanation for the muted pick-up of GDPR driven cyber insurance is the lack of clarity from the regulatory authorities over whether the potentially very large fines levied against businesses under the legislation can be recovered under insurance policies. GDPR sets a maximum fine of €20 million (about £17.5 million) or 4% of annual global turnover — whichever is greater. Understandably, if a company is unsure if this potential fine would be covered under their policy, they are less likely to seek cover.
For these reasons, whilst GDPR was certainly an important milestone in Europe’s data privacy landscape, it could be argued that a number of other factors have played a more prominent role in the last two years in driving the growth in the cyber insurance market.
Ransomware on the Rise
When speaking to our clients, the growing frequency, severity and sophistication of the ransomware threat to their businesses has been their biggest concern and the true catalyst for cyber insurance adoption. And the numbers support this; McAfee Labs Threats Report in 2019 recorded an astonishing 118% rise in ransomware attacks in the first quarter of last year.
The threats presented by ransomware are twofold: first, ransomware is designed to encrypt a file system, potentially causing an irreversible damage or loss of data – leading to financial losses from interruption to business operations. Second, an increasing number of cyber criminals are using this ransomware to extort money from their victims in exchange for a release of their systems.
INFOGRAPHIC: Cyber Security Breaches Report 2020
2017 saw the emergence of new and destructive strains of malware and ransomware such as WannaCry and NotPetya. The threat, however, continues to evolve, becoming more sophisticated as new variants emerge, posing significant threats to even the most resilient of companies.
More recent strains include REvil/Sodinokibi, a Ransomware-as-a-Service (RaaS) operation which recently targeted New York law firm Grubman Shire Meiselas & Sacks, leaking personal documents of celebrities such as Lady Gaga.
This year has also seen NetWalker, another RaaS tool, pose an increasing threat, recently announcing a significant recruitment drive to expand its network of affiliates to disseminate its ransomware more widely.
Ransomware attacks have not just impacted those who handle data governed by GDPR, but those for whom business interruption can be catastrophic: logistics, manufacturing and shipping. As a result, cyber insurance demand has rocketed in the face of this growing ransomware threat facing all sectors and sizes of businesses.
Listening out for "Silent Cyber"
The third factor driving the uptake of cyber insurance is the industry and regulatory push to eliminate ambiguity over coverage for cyber incidents in non-specific policies commonly purchased by companies, with the mandate to either explicitly provide such coverage or to exclude it altogether.
Traditional Property and Casualty policies were not created with cyber exposures in mind and customarily neither implicitly include nor exclude cyber risks. This causes obvious concerns as companies may be under the impression they have adequate cover through their traditional policy, but find themselves mistaken depending on how the coverage in their policy is interpreted at the time of loss.
In addition to coverage considerations, with the increase in high profile cyber related losses in recent years, regulators have become increasingly concerned that such exposures are being neither adequately underwritten nor priced for in certain Property and Casualty policies and such “silent cyber" or "non affirmative cyber" coverage should be eliminated.
This has led to less cyber coverage being available under traditional policies, and instead the purchase of standalone and specific cyber products. In doing so, companies benefit from greater certainty and clarity over their coverage in the event of a breach or hack, while regulators can be more confident that cyber exposures are being adequately underwritten, priced and monitored.
The Role of Insurance
It is crucial, therefore, in the face of these three trends driving the awareness of cyber risks, that management teams engage with the insurance industry to better understand the risks that they face — and to ensure that their policies provide cover for it.
And insurance doesn't just provide financial cover if the worst should happen, they can also support companies to mitigate risks before the fact as well as helping the company recover. Insurers such as Brit are able to provide additional "value-add" services, including education, risk management training, access to global cyber experts, including IT and forensic specialists, lawyers and crisis PR advice.
This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.