by Konstantinos Zopounidis and Efstratios Livanis*
The necessity to use specialized insurance coverage for cyber risks
Organizations’ investments in information security systems, for enhancing defense against electronic and online risks, can create a false sense of security. In recent years, many infringement cases have shown that no matter how much money an organization has invested in cyber security, even if it has developed a plan to prevent and deal with a case, it is possible that there will be a Cyber Security and Privacy gap. So, when the organization management realizes that some of these risks cannot be controlled, steers them towards the use of a tool to mitigate the financial and non-financial consequences of an infringement case. This tool is the "cyber risk insurance".
Cyber risk insurance is an emerging market, characterized by significant variations in coverage and premiums between companies. This is particularly because of the differences in the way insurers assess the cyber risks of each insured.
Current cyber insurance has its origins in errors and omissions insurance. In the late 1990s, errors and omissions insurance has begun to be offered, related with the emerging and ever-changing IT market. However, errors and omissions insurance were covering only security failures of the insured’s information systems and only third party claims for infringement cases, concerning non-organizational actors. After the mid-1990s, it became a product in the United States. Specifically, the first cyber risk insurance was created by AIG’s Steve Haase in 1997.
In 1999, concerns about the "2000 virus" (Y2K) contributed to the market’s focus on technological risks and the perceived limited protection provided by traditional insurance products. The "dot-com" era was next, and since the early 2000s, the first phase of the development of cyber risk insurance has begun. The same decade, the created insurance products were closer to modern forms of cyber risk insurance, covering both the claims of the insured and the claims against third parties.
The further development of this specific insurance market was facilitated by the adoption of laws, and / or of regulatory decisions on data infringements, and the increase in the number of infringement cases.
Determination Problems of Insurance Premiums
As there is still no commonly accepted assessment methodology for organizations’ cyber risk profile, both insurance companies and organizations themselves may underestimate or overestimate risks. These cases can be devastating for both organizations and insurance companies. If an organization underestimates the cyber risk, it will not be able to get properly prepared, and will either not buy cybersecurity insurance or will not buy the appropriate insurance coverage. If the insurance company underestimates the organization’s cyber risk profile, this could cause significant damage in an infringement case. Additionally, an overvaluation of cyberspace risk -by an organization- would have as a result higher budget costs than the needed (e.g. paying higher rates for insurance coverage). For the insurance company, overestimating the cyber risk profile of an organization will lead to offer higher insurance premiums - leading its potential customers to competing companies - or even to avoid offering insurance coverage.
Having a robust insurance market for cybersecurity risks, is crucial for the effective risk control. However, there are some factors that hinder the acceptance or non-acceptance of cybersecurity risks, the determination of the insurance premium price and the determination of the cases for which the insurance company covers the specific risk. One of these factors is the lack of actuarial data. Actually, in recent years the number of infringement investigations and their costs has been increased, as well as the number of websites that have recorded infringement cases. A problem for the correct pricing of insurance premiums, and in general for the effective cyber risk management, is the nature of risk. The technology used in infringement cases is constantly evolving, so insurance companies, when assessing an organization’s risk profile, cannot rely on existing risk assessment and on cost determination data, if there are no updates. However, it is not only the technological development that changes constantly the risk management environment. In a previous article, it was reported that mistakes, omissions or malicious actions by people who work -or have worked- in the organization, is an additional factor. The human factor cannot always be predicted, especially if the organization has not developed the appropriate procedures to manage cybersecurity risks.
* Professor at the Technical University of Crete, Academician at the Royal Academy of Economics & Finance, Academician at the Royal European Academy of Doctors, Distinguished Research Professor at Audencia Business School (EQUIS, AMBA, AACSB), France and Assistant Professor at the University of Macedonia, Neuronal Systems with Emphasis on Finance, Department of Accounting & Finance