Subject: Insurance & Reinsurance
Author: Reto M. Jenny
Paper: NZZ
Reading time: 5 min

Companies are increasingly exposed to cyberattacks

Insurance against cyber risks is the responsibility of the Board of Directors.

The threat posed by cyberattacks has increased significantly in the last few years. This is shown by a recently published survey by the industry association Swissmem, according to which 70 percent of companies have been the target of at least one cyberattack in the last two years. These attacks were favoured by the surge in digitalisation driven by the coronavirus pandemic.

The increase in working from home opened up new vulnerabilities for attackers. Their targets are not only large corporations but also SMEs. According to a recent study by Mobiliar, 31 percent of the SMEs surveyed had been affected by a cyberattack. Despite this, the aforementioned survey found no progress in the technical and organisational cyber security measures of SMEs.

The impact of a cyberattack on a company can be massive. It includes not only financial damage but also reputational damage and data protection violations. The board of directors bears responsibility here. As part of its oversight function, it must ensure by means of directives and regulations that the company defends itself against cyberattacks and mitigates their effects.

This includes not only identifying possible risks and raising awareness among or training employees, but also setting requirements for insurance cover against cyber risks. In this respect, taking out cyber insurance is a component of risk management. If the board of directors does not fulfil this task, or fulfils it inadequately, it can become liable in the event of a loss.

Serious financial consequences

A cyberattack is an intentional, unauthorised act by a person or group in cyberspace to compromise the integrity, confidentiality or availability of information and data or of information processing systems. A typical attack is the introduction of computer viruses and worms or of ransomware. The latter are malicious programmes that can be used to prevent access to or use of data or entire computer systems, often by encrypting the data.

The attackers demand a ransom payment in cryptocurrency for decryption. Other forms include phishing (stealing passwords or other personal information), CEO fraud (fictitious urgent payment requests purportedly from the CEO, who is not available for queries) and data theft. A distributed denial of service attack impairs the availability of computer systems or websites through a large number of access requests.

The financial consequences of such attacks are great. First-party losses can arise in the form of costs for crisis management, costs for notifying those affected by data protection breaches, data protection fines, losses due to business interruption, costs for IT service providers and ransom payments. In addition, liability risks can materialise, for example in the form of third-party claims for damages following data theft or data protection breaches.

Conventional insurance products such as property insurance, liability insurance, fidelity insurance and directors' and officers' liability insurance do not cover the many manifestations of cyber damage, or do not cover them sufficiently. For this purpose, insurance companies offer cyber insurance for large companies and SMEs, but also for private individuals. The scope of coverage of such cyber insurance policies, as well as the individual insurance conditions, varies considerably.

No all-risk cover

Typical coverage modules are first-party losses, third-party liability claims and assistance services. Covered first-party losses can include, for example, ransom payments, fraud losses, loss of earnings due to business interruption, costs for data recovery, data protection fines and costs for notifying authorities and affected parties in the event of data loss. Covered liability claims usually include compensation payments for financial losses due to data breaches.

However, cyber insurance policies are not all-inclusive packages. For one thing, they typically do not offer all-risk coverage, but only protection against the individual risks specifically defined in the contract. For another, the insured are regularly obliged by contract to maintain their data and access security as well as the technical state of their IT systems, and to use and keep protective systems up to date. The latter includes anti-virus software, firewalls, regular security updates of operating systems and programmes, and data encryption.

These obligations entail considerable costs. If they are not complied with, the insurance claim can be reduced or, in the worst case, forfeited entirely. Finally, the insurance conditions provide for a number of exclusions, such as for war and terrorism. If a company wants to be on the safe side in view of this complexity, a comprehensive analysis of its insurance cover is strongly recommended.