More than Meets the Eye

July 31, 2013 | Last updated on October 1, 2024
Nils Diekmann, Underwriter, Special Enterprise Risks, Corporate Insurance Partner Munich Re

All over the world, information technology (IT) has changed the way people live and work. And Canada is no exception: across the country, IT has become a key component in almost every sector. From media, health care and trade to energy, logistics and industry, advances in digital technologies have vastly enhanced speed, convenience and efficiency.

But as IT has been advancing at a breakneck pace and the many benefits and new possibilities are being enjoyed, invisible passengers have been along for the ride. Cyber risks are here – and growing.

It is difficult to imagine a world without computers, electronic data processing, the Internet and smartphones. As these technologies are so widespread, the associated cyber risks affect companies of all sizes, in every sector, and in departments, organizations and agencies that provide basic services to society.

As a society with a high level of digitization – the 2013 World Economic Forum Global Information Technology Report places Canada 12th worldwide in terms of its openness to adopting IT solutions – and great concentrations of assets, Canada is an important market for cyber risk insurance. However, evidence suggests that insurers need to raise awareness of cyber risks and the advantages of managing them adequately. Results of a Decima Research survey completed in 2012 indicate that 35% of respondents believe their computers are very safe against online threats, while 77% are concerned about the security of personal information. That said, 63% of respondents use the Internet for sensitive transactions and 57% keep sensitive information on their computers.

Cyber risks can lead to a wide range of losses. Some of the most important types are as follows:

• costs for recovering lost or corrupted data;

• pure economic loss resulting from physical loss or abuse of data;

• copyright and patent infringements through unlawful use of third-party software, images or text;

• business interruption (BI) from not being able to use software, impaired access to stored data or non-functioning of IT-based production lines;

• violations of privacy or intellectual property rights through the illegal distribution of confidential information or defamatory allegations;

• breach of duties under competition law;

• loss of future revenues because of reputational damage following an incident;

• breach of service agreements of IT providers; and

• legal defence and fees, fines or damages.

In most cyber risk scenarios, potential loss events involve information, property, (contingent) BI and liability. Consequently, there is a growing demand for insurance solutions to cover these risk situations and their potential accumulations, meaning one event or incident can affect a large number of insurance policies. The complex and emerging nature of cyber risks means that highly specialized expertise and experience are needed to develop models for new insurance products to adequately cover these risks.

A MOVING TARGET

As emerging risks, cyber risks are challenging to define. It is quite obvious that a company selling its wares through an online platform is susceptible to hacker attacks from the Internet. Less obvious is how vulnerable modern production systems are. Over the years, production, storage and logistics have become increasingly automated and interconnected.

This development increases efficiency, but leads to a very strong dependence on IT systems, even in industries that traditionally have had low IT dependencies. This became quite obvious when the computer virus Stuxnet was discovered in 2010: the virus targeted the devices that monitor and control technical processes (SCADA systems) and sabotaged production systems.

To make matters worse, digital connectivity has gone increasingly mobile in recent years, introducing an array of new potential loss situations.

As data is often among a company’s most valuable assets, preventing its loss and the consequences of that loss can be a key success factor. The risks increase when data is stored and transmitted via the Internet and not in closed systems. Moreover, the growing use of multi-functional smartphones has made it easier to process business outside of the comparatively secure company premises.

A further challenge presented by cyber risks is mastering the related regulatory demands. For example, companies using the Internet as a marketing and sales channel must comply with numerous privacy and supervisory regulations. This becomes even more complex if customers are from different parts of the world governed by different regulations.

Despite all efforts to comply with these different – and perhaps partly contradictory – regulations, some degree of legal uncertainty still remains as to the requirements and standards that companies must meet. The different national regulatory frameworks also affect insurers and their coverage concepts for IT risks. Since a uniform worldwide approach is impossible, products must be individually adapted.

Globally, many governments have introduced more stringent regulations to protect their citizens against the loss and abuse of their personal data as risks and loss potential have increased. A company’s management can be personally liable for compliance with these regulations. This duty can be delegated only to a limited extent and the company must ensure that both its own employees and external staff are trained accordingly. This has a considerable impact on directors and officers (D&O) covers, and especially on insurance of technical executives.

IN THE CLOUDS

Cloud computing, the outsourcing of data processing and storage, is an increasingly popular cost-cutting measure. Depending on the provider’s location, the legal requirements to be met in terms of scope and content not only differ, but are sometimes even contradictory.

One feature common to all cloud services, however, is that the data and software are no longer physically controlled by the companies. As such, it is important to ensure that the providers of cloud computing solutions comply with the security requirements of client companies. Firms should also take note of their provider’s financial soundness (adequate capital base) and how a migration to a different provider would work.

Clearly defined quality requirements and professional interface management are also indispensable. Cloud computing providers often form a value chain where one provider offers services to its customers who use cloud services from other providers. Both the company using cloud computing and the provider are potential customers for insurance against loss of data and the consequences of BI. The cyber policy of the customer might cover losses even if the loss event occurs at an outsourcing company providing services. The provider can have a Technology Errors and Omissions policy (also known as Professional Liability Insurance) protecting against liability claims from its customers.

A company using outsourced services usually faces the difficulty that, in case of a major incident at the cloud outsourcing provider, the penalty or liability payments received from the provider seldom match the actual sustained BI losses. In this situation, insurance coverage for the gap between the money received from the outsourcer and the actual loss might be attractive. The provider could offer this as an insurance-backed Service Level Agreement enhancement to provide a more attractive product to its clients, or a company using cloud services might want to have this included in its cyber policy.

NOT SO SOCIAL SOCIAL NETWORKS

The great popularity of social networks gives strangers and those with dubious intent easy access to information about people’s private and professional lives. The danger is greatest if users do not restrict access sufficiently, are careless with confidential information, or mix private and professional information. The same applies if providers fail to offer suitable means of preventing unauthorized access, or make it easy to enter and save information, but not to delete it.

Demand for insurance to protect users against invasions of personal privacy, such as cyber bullying or identity theft, has risen as the use of social networks has become more widespread. Until now, such insurance was only possible in the form of personal injury cover provided under a personal umbrella policy. Since personal injury claims in personal lines have recently increased, many providers have decided to exclude so-called “electronic aggression” from these lines of business.

TAKE UP THE CYBER CHALLENGE

When it comes to cyber risks, breaches of personal data are just the beginning. Cyber risks are spreading further into most aspects of our everyday lives and through all industries. Even today, they represent a complex group of interconnected potential hazards to both physical and knowledge-based assets.

What they will look like in tomorrow’s digitized world is a matter of speculation, but this much can be said with certainty: cyber risks will increase in number and impact. As they continue to grow and change, the insurance industry will need ever-greater specialized knowledge and innovative drive to develop solutions to master them.

This presents challenges as well as opportunities. Microsoft and Munich Re have entered into a strategic partnership regarding the evaluation and valuing of cyber risks in the field of commercial cloud computing. Since 2012, the two companies have been researching cyber risk management and modelling with the aim of improving underwriting and fostering business innovation.

This type of interdisciplinary project may prove one way for the insurance industry and the organizations it serves to keep pace with this fast-moving and invisible risk.