Ever since the Millennium Bug debacle at the end of the 1990s, cyber risk insurance has been largely ignored. But companies’ increased reliance on IT, and proposed EU legislation, have highlighted the need for protection.

Cyber risk

Cyber risk insurance has taken some years to get established as a cover worth considering by most European companies. Recent trends have pushed it up the risk management agenda.

Cyber risk insurance received a boost at the end of the 1990s because of fears around the ‘millennium bug’. When the feared problems did not materialise, cyber risk insurance took a back seat. However, recent changes have highlighted the importance of the cover.

ACE UK cyber risk underwriter Iain Ainslie says: “In the last 10 or 11 years, companies have come to rely more heavily on IT than before. As a consequence, an IT problem can be a major issue, affecting their revenues and balance sheets.”

However, it is not just the growth in importance of IT that has alerted companies to the need for protection. Ainslie says that some European jurisdictions such as the UK are becoming far more litigious over data protection. Criminals too are becoming more aware of the value of data and, with so much held online, it can be easier to get to. “Hackers sell it on to other criminals who know what to do with it and commit the actual fraud,” Ainslie warns.

Targeted attacks remain a serious issue for some companies - and ACE’s IT underwriting manager for Continental Europe, Patrick Pouillot, says that in some cases there is a change in motivation. “Attacks on data security now are not just coming from criminal or political organisations, but also from aggrieved individuals who consider that a particular company has done something wrong and want to punish it. This could mean that we will see some new viruses that specifically target one company, which would be difficult for traditional techniques to combat.”

Pouillot cites Stuxnet, a worm that initially infects Windows PCs and goes on to seek out industrial control software made by Siemens. It reprograms the software to give machinery new instructions.

There is likely to be even more attention on security and protection when proposed EU legislation comes to fruition. In an effort to harmonise approaches across member states, the European Commission looks set to impose mandatory notification of a data breach to potentially affected customers of all companies - not just those in high-risk categories. Notifications can be expensive if large numbers are involved, and companies often have to pay legal advisers to ensure they phrase their message in the right way.

However, even today when notification may not be mandatory in many European countries, Pouillot considers that, after a major data breach, most insurers will respect the views of clients’ risk managers on whether to notify. “The notification costs may be huge, but quick notification could prevent liability claims. It’s a question of trying to prevent the impact of the incident on the customers in both the company’s and the insurer’s interests,” he says.