Edition: International | Greek
MENU

Home » Management

Insurance as a Cyber-Risk Management Tool

The necessity to use specialized insurance coverage for cyber risks

By: EBR - Posted: Monday, April 13, 2020

Current cyber insurance has its origins in errors and omissions insurance. In the late 1990s, errors and omissions insurance has begun to be offered, related with the emerging and ever-changing IT market.
Current cyber insurance has its origins in errors and omissions insurance. In the late 1990s, errors and omissions insurance has begun to be offered, related with the emerging and ever-changing IT market.

by Konstantinos Zopounidis and Efstratios Livanis* 

The necessity to use specialized insurance coverage for cyber risks

Organizations’ investments in information security systems, for enhancing defense against electronic and online risks, can create a false sense of security. In recent years, many infringement cases have shown that no matter how much money an organization has invested in cyber security, even if it has developed a plan to prevent and deal with a case, it is possible that there will be a Cyber Security and Privacy gap. So, when the organization management realizes that some of these risks cannot be controlled, steers them towards the use of a tool to mitigate the financial and non-financial consequences of an infringement case. This tool is the "cyber risk insurance".

Cyber risk insurance is an emerging market, characterized by significant variations in coverage and premiums between companies. This is particularly because of the differences in the way insurers assess the cyber risks of each insured.

Historical Context

Current cyber insurance has its origins in errors and omissions insurance. In the late 1990s, errors and omissions insurance has begun to be offered, related with the emerging and ever-changing IT market. However, errors and omissions insurance were covering only security failures of the insured’s information systems and only third party claims for infringement cases, concerning non-organizational actors. After the mid-1990s, it became a product in the United States. Specifically, the first cyber risk insurance was created by AIG’s Steve Haase in 1997.

In 1999, concerns about the "2000 virus" (Y2K) contributed to the market’s focus on technological risks and the perceived limited protection provided by traditional insurance products. The "dot-com" era was next, and since the early 2000s, the first phase of the development of cyber risk insurance has begun. The same decade, the created insurance products were closer to modern forms of cyber risk insurance, covering both the claims of the insured and the claims against third parties.

The further development of this specific insurance market was facilitated by the adoption of laws, and / or of regulatory decisions on data infringements, and the increase in the number of infringement cases.

Determination Problems of Insurance Premiums

As there is still no commonly accepted assessment methodology for organizations’ cyber risk profile, both insurance companies and organizations themselves may underestimate or overestimate risks. These cases can be devastating for both organizations and insurance companies. If an organization underestimates the cyber risk, it will not be able to get properly prepared, and will either not buy cybersecurity insurance or will not buy the appropriate insurance coverage. If the insurance company underestimates the organization’s cyber risk profile, this could cause significant damage in an infringement case. Additionally, an overvaluation of cyberspace risk -by an organization- would have as a result higher budget costs than the needed (e.g. paying higher rates for insurance coverage). For the insurance company, overestimating the cyber risk profile of an organization will lead to offer higher insurance premiums - leading its potential customers to competing companies - or even to avoid offering insurance coverage.

Having a robust insurance market for cybersecurity risks, is crucial for the effective risk control. However, there are some factors that hinder the acceptance or non-acceptance of cybersecurity risks, the determination of the insurance premium price and the determination of the cases for which the insurance company covers the specific risk. One of these factors is the lack of actuarial data. Actually, in recent years the number of infringement investigations and their costs has been increased, as well as the number of websites that have recorded infringement cases. A problem for the correct pricing of insurance premiums, and in general for the effective cyber risk management, is the nature of risk. The technology used in infringement cases is constantly evolving, so insurance companies, when assessing an organization’s risk profile, cannot rely on existing risk assessment and on cost determination data, if there are no updates. However, it is not only the technological development that changes constantly the risk management environment. In a previous article, it was reported that mistakes, omissions or malicious actions by people who work -or have worked- in the organization, is an additional factor. The human factor cannot always be predicted, especially if the organization has not developed the appropriate procedures to manage cybersecurity risks.

* Professor at the Technical University of Crete, Academician at the Royal Academy of Economics & Finance, Academician at the Royal European Academy of Doctors, Distinguished Research Professor at Audencia Business School (EQUIS, AMBA, AACSB), France and Assistant Professor at the University of Macedonia, Neuronal Systems with Emphasis on Finance, Department of Accounting & Finance

READ ALSO

EU Actually

Is Italy playing on two sides? China and the EU?

N. Peter KramerBy: N. Peter Kramer

‘An Italian poll sees China as the most friendly foreign country, followed by Russia. Germany is considered the least friendly foreign power, followed by France

View 01/2020 2020 Digital edition

Magazine

Current Issue

01/2020 2020

View past issues
Subscribe
Advertise
Digital edition

Europe

EU lawmakers debate 65% climate target proposal

EU lawmakers debate 65% climate target proposal

The European Parliament’s environment committee discussed for the first time on Thursday (28 May) a proposal by Swedish MEP Jytte Guteland to set an EU-wide CO2 reduction target of 65% by 2030

Business

Private Equity’s COVID-19 Recovery Plan

Private Equity’s COVID-19 Recovery Plan

COVID-19 has accelerated many long-brewing developments in the business world, such as the ascent into respectability of working from home

MARKET INDICES

Powered by Investing.com
All contents © Copyright EMG Strategic Consulting Ltd. 1997-2020. All Rights Reserved   |   Home Page  |   Disclaimer  |   Website by Theratron