It is not only since “WannaCry” and the successful attacks on numerous well-known companies in 2017 that we have known that cybercrime poses a great risk for companies. In light of the constant risks and attacks and the operational importance of the threatened facilities, it is surprising that cyber insurance policies have only been a niche product up to now. This will change permanently in 2018:
Increased perception of danger
Cybercrime and the possibility of hacker attacks have probably existed as long as the internet has existed. However, the frequency of known attacks and thus the awareness of this risk have certainly increased. After even law firms, accounting firms, and big corporations became victims of cybercrime, it is clear that operating IT infrastructure cannot be fully protected.
Cybercrime threatens existential assets
Today, almost every company – whether a manufacturer, logistics firm, research company, or service provider – is highly dependent on a well-functioning IT infrastructure. Internet portals frequently constitute the decisive trading platform. Business data is the commercial basis of a company. Production control, quality control, purchasing, and logistics are almost inconceivable without IT.
If the means of production and access to resources were decisive for the value and the potential of a company before the digital revolution, now it is often the quality of data collection and its processing capabilities. Frequently, a company's treasure trove of data also includes its essential know-how.
Protection against existential risks is mandatory
The failure or sustained disruption of the IT infrastructure, or even the loss of one's own business data, leads directly to the extinction of almost every company’s potential to create value. The consequences of cyberattacks can thus be existential.
Management must provide protection against such significant risks to the continued existence and earnings position of the company. Managers of a manufacturing company would never consider leaving their factory buildings uninsured against fire and the resulting business interruption losses, because they know that in the event of a fire they will lose their production facilities and thus every potential to create value. Against this background, it is surprising that the protection of IT, which is just as operationally important, has been the exception until now.
Products for protection are now available
While the importance of one's own IT and stored data and the risks arising from cybercrime are not new, obtaining protection through insurance has only now become possible. Admittedly, the first niche products (with rather limited coverage) have been on the German market for a number of years, but the cyber insurance market has been in strong motion since 2017 at the latest. Numerous suppliers are entering the market with new coverage concepts and rapidly increasing capacities.
For the first time, companies have a realistic chance of receiving protection against not only the more easily manageable ancillary risks (e.g. the cost of IT service providers for restarting the systems and saving the data), but also against liability and business interruption losses due to cyberattacks. The expected strong growth in demand will have an additional impact on the capacities available. Thus, effective protection against existential risks for the company is finally possible.
The arms race continues in 2018
The battle between cybercriminals on the one hand and those responsible for data security on the other resembles a race to detect and then exploit or close security gaps. Cyber insurers base their premiums and their willingness to provide coverage on the security level of the IT infrastructure to be insured. It is therefore to be expected that the IT security requirements insurers place on policy-holding businesses will increase. We firmly expect that certain security certificates recognized by insurers will become the condition for insurability. Certification of one's own IT infrastructure will therefore also become mandatory practice for companies.
Heuking Kühn Lüer Wojtek assists companies in optimizing IT security taking into account the legal requirements (in particular also in the area of data protection). We also assist in protecting the company as well as the responsible company executives against damages and claims. Furthermore, we adapt contracts of the company with trading partners and service providers in order to provide full professional legal service.