GVNW-Referent Holger Tittko speaks to StrategicRISK about managing cyber risk and the reasons behind the low take up of cyber insurance
What are the main cyber risks corporates are facing at the moment?
It depends on the kind of company how these risks are being assessed. An industrial company will set other priorities than a financial service provider would. But in general we can assume that a complete breakdown of the IT is one of the main risks for most of the companies, especially when it results in business interruption. Also, such an incident often results in reputational or brand damage for the company.
For risk managers CBI losses are another key point. There is no reason why a business interruption through an IT breakdown should be deemphasised in comparison to a supply chain interruption coming from physical damage.
Another risk is the infringement of patent or copyrights due to loss of data. Unfortunately, coverage available for these types of exposure is still very limited.
Companies should not only consider first party damages but third party damages as well.
Is there any best practice companies can follow to improve their cyber security?
To be able to prevent these damages it is necessary to first recognise that these risks exist. Cyber risks should get the same attention as all other risks threatening the company’s success. But the complexity of cyber risk is tremendous. The vulnerability for cyber risk increases more than proportionally in relation to the increasing density of interconnected business processes. Risk managers are aware of this and carry out special risk analysis and validation processes, sometimes also using an external consultancy.
Many companies see cyber as one of their main risks, yet the majority of firms has bought no or very little cyber insurance. What do you think are the main reasons for this?
There are various reasons for this, but in particular it depends on the company’s risk analysis but also on the providers’ flexibility.
In addition, the awareness of a potential cyber risk must not automatically lead to transferring this special risk via a standalone cyber insurance. Liability or fidelity insurances can already obtain special coverage for certain cyber risks. Without doubt it is important to check from case to case if the sums insured and sublimits are adequate.
Another reason might be that risk managers and IT managers have a different point of view. Risk managers are analysing and rating risk to be able to decide how they should be handled. IT managers are focused on the greatest possible security; they try to avoid risks.
What can risk managers, brokers and insurers do to improve (take up of) cyber insurance?
The German market for cyber insurance is still a young one. We observe indecision similar to the introduction of D&O insurance. Insurers carry out a cautious approach to cover these risks. I think this is a normal development as long-term experience is still missing.
Insurers seem to foresee that market growth will not only come in time. The redesign of products and conditions in the last two years shows this. Cyber insurance will only be successful as long as it covers the requirements of the insurance buyers in order to protect their company’s profits. In my opinion the terms and conditions still contain a lot of financial cushions which lower the commercial appeal to buy, as mentioned before.
It is important to stay in steady contact with the insurers, which also applies to our association. We support our members not only face to face concerning their insurance matters but also through lobbying to be able to represent their interests. We are in regular exchange with GDV (the German association of insurers) and talk about the planned standard policy conditions for cyber insurance.