Cyber insurance protects companies and their employees against financial losses that can arise from so-called cyber attacks. The term “cyber attack” covers various types of information security breaches, some of which differ significantly in terms of the type and execution of the attack. Cyber insurance thus protects companies against various cyber risks. However, cyber insurance is not an investment in IT security, but rather a preventive investment to minimize the costs of a possible attack.
When considered in isolation, cyber risk does not describe a single risk. Rather, it encompasses many individual risks that result from a potential cyber attack. The focus is on targeted attacks on data or IT systems using information and communications technology. Cyber risks include in particular:
– Data loss
– Data protection breaches
– Hacker attacks
– Spying on business secrets
– Business interruption
– Blackmail
– Disruption of IT systems (DoS attack)
Any company that uses electronic systems for data processing and communication is fundamentally at risk from cyber risks.
The objectives of cyber attacks are to disrupt the availability, integrity and confidentiality of the affected company's information-processing systems. Beyond that, the goals of cyber attacks can generally be divided into two patterns. On the one hand, there is the covert cyber attack, in which data is stolen unnoticed from the affected company's systems; on the other hand, there is the infiltration of malware that disables parts or all of the affected company's IT or production system, which is often only made available again against payment of a demanded sum.
For the companies affected, damage can be caused by the loss of their own company-related data, for example through the targeted theft of product or development information. Companies also regularly hold extensive third-party data, especially customer data. Personal data of third parties is subject to data protection. If third-party data that needs to be protected becomes public, there is a risk of serious fines as well as reputational damage.
Small and medium-sized enterprises in particular are often not sufficiently prepared for cyber attacks and often underestimate the threat to their own operations. They often lack the time or resources to protect themselves to the necessary extent. Effective protection is of great importance, especially for smaller companies, as a successful cyber attack can cause serious damage and in some cases even threaten their very existence.
No IT system is completely secure. 100% security is simply not achievable in an increasingly networked environment. A cyber insurance policy helps to cover the consequential damages of a cyber attack, which are difficult to calculate. The consequences of such an attack are often serious and can threaten the existence of a company. Cyber insurance is therefore an effective component of holistic risk management.
Cyber insurance cannot replace IT security. On the contrary, certain IT security precautions must be in place before a company can be insured against cyber risks at all. IT security and cyber insurance complement each other: IT security serves to protect companies against cyber risks, which cyber insurance cannot do. Cyber insurance takes effect in the event that a cyber attack damages the company despite the IT security precautions in place.
The various tariffs of the insurers sometimes differ in important points. You should therefore answer the following questions in particular when choosing the right insurance tariff: How comprehensively do I want to cover myself against the various forms of cyber attacks, i.e., which avenues of attack should be covered? What additional services are important to me if a loss event occurs? Up to what level of damage do I want to insure myself? The CyberDirekt market comparison offers you a clear, easy-to-understand comparison of the individual components of the various insurance tariffs. This allows you to interactively find and select the tariff that suits you best.
Cyber insurance covers both own and third-party damage. Own damage includes, for example, damage resulting from a business interruption, the cost of hiring an IT forensic expert to analyze and clean up the IT systems, the recovery of data, or the expense of repairing damage to the company's public image. Third-party damages are damages for which a claim is made by a third party on the basis of statutory liability provisions. The type and amount of damages covered depend on the tariff, the choice of additional options and the desired sum insured. CyberDirekt’s market comparison offers you a clear, easy-to-understand comparison of the individual components of the various tariffs. This allows you to interactively find and select the tariff that suits you best.
Insurance coverage is provided for the policyholder named in the insurance policy and the co-insured companies and persons named therein. These may include, for example:
– All members of the management
– Salaried employees
– Incorporated employees of temporary employment agencies
– Incorporated freelancers, insofar as they work in the name and on behalf of the policyholder
– Legally independent subsidiaries within the EEA
An insured event is the first verifiable financial loss caused by an information security breach that triggers the insured event. Triggering events are defined in the respective tariff and may differ between insurers. The following circumstances, among others, may trigger an insured event:
– A network security breach
– A data breach
– An operator error
– A denial-of-service attack that has occurred
– Cyber extortion
Denial of Service refers to the unavailability of an Internet service that should be available. The most common type is deliberate server overload. A concentrated attack on the server network results in a larger number of requests being made than the system can process, thus bringing it to a standstill. As a result, normal requests can no longer be answered. As a rule, the server operator is blackmailed into paying money so that his Internet service can be accessed again. Since the attacker does not want to penetrate the computer in a DoS attack, he does not need any passwords or similar from the target computer.
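To make the overload mechanism in this definition concrete, here is a small simulation added by the editor (not part of the original page or of CyberDirekt's material). It models a server that completes a fixed number of requests per second from a bounded backlog, first under normal load and then while a flood of requests arrives faster than the server can process them, and reports how many legitimate requests go unanswered. All figures (capacity, backlog size, request rates) are constructed for illustration.

```python
from collections import deque


def interleave(n_legit: int, n_flood: int) -> list:
    """Deterministic, evenly spread mix of request kinds (Bresenham-style).

    Using an even spread rather than "all legitimate first" ensures the
    legitimate traffic gets no artificial head-of-line advantage.
    """
    total = n_legit + n_flood
    order, acc = [], 0
    for _ in range(total):
        acc += n_legit
        if acc >= total:
            acc -= total
            order.append("legit")
        else:
            order.append("flood")
    return order


def simulate(capacity_per_sec: int, backlog: int,
             legit_per_sec: int, flood_per_sec: int, seconds: int) -> dict:
    """Serve a bounded FIFO backlog at a fixed rate (constructed model).

    Each second, arriving requests are admitted while the backlog has room
    and refused otherwise; the server then completes up to capacity_per_sec
    of the oldest admitted requests. Anything still queued when the run ends
    is counted as unanswered.
    """
    queue = deque()
    served = {"legit": 0, "flood": 0}
    unanswered = {"legit": 0, "flood": 0}
    for _ in range(seconds):
        for kind in interleave(legit_per_sec, flood_per_sec):
            if len(queue) < backlog:
                queue.append(kind)
            else:
                unanswered[kind] += 1  # refused: backlog is full
        for _ in range(min(capacity_per_sec, len(queue))):
            served[queue.popleft()] += 1
    for kind in queue:  # never answered before the run ended
        unanswered[kind] += 1
    return {"served": served, "unanswered": unanswered}


def legit_service_rate(result: dict) -> float:
    """Fraction of legitimate requests that actually received an answer."""
    s = result["served"]["legit"]
    u = result["unanswered"]["legit"]
    return s / (s + u) if s + u else 1.0


if __name__ == "__main__":
    # Constructed figures: 100 requests/s capacity, backlog of 200,
    # 50 legitimate requests/s, then an additional 450 flood requests/s.
    normal = simulate(100, 200, 50, 0, 10)
    flood = simulate(100, 200, 50, 450, 10)
    print("normal load:", normal, f"legit served {legit_service_rate(normal):.0%}")
    print("under flood:", flood, f"legit served {legit_service_rate(flood):.0%}")
```

The point the run makes is the one in the paragraph above: the server never stops working, it simply spends its whole capacity on the flood, so four out of five legitimate requests in the constructed scenario are refused or never answered. From a defender's side this is why capacity monitoring and per-client rate limits matter: the symptom is a backlog that stays full, not a compromised host.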
As with any other insurance, the premium amount depends on the risk that is to be covered by it. The following company-specific criteria can play a role in the premium amount:
– Industry
– Sales amount, number of employees
– Existing IT security precautions
– Previous incidents
For cyber insurance, the agreed sum in the insurance policy represents the maximum compensation per loss event. It is also referred to as the sum insured. In the event of a loss, the insurer does not pay the full agreed sum, but only the amount of the actual loss incurred. If the sum insured is not sufficient, there is underinsurance.
An excess, also known as a deductible or co-payment, is the portion that the policyholder has to pay himself in the event of an insured event. Only sums in excess of this are paid by the insurance company.
In the case of cyber insurance, overlaps may arise with other insurance areas, such as business contents insurance or even business liability insurance. In the event of priority coverage, claims are processed immediately by the cyber insurance company, regardless of whether other insurance contracts exist. If an insured event or damage is also (partially) covered under another insurance contract, the cyber insurance is then deemed to be a priority insurance.
The costs that are covered in the event of an insured event depend on the respective tariff. You should therefore carefully check which tariff corresponds to your individual risk. The CyberDirekt market comparison gives you a comprehensive overview of the different tariffs. For example, the following costs related to the information security breach that occurred can be reimbursed:
– IT forensics to analyze and rectify the damage
– Data breach notification and disclosure
– Attorney fees
– Data owner notification costs
– Regulatory notification procedure costs
– Call center costs
– Reimbursement for loss of revenue in the event of business interruption
– Crisis management and PR measures
– Assumption of contractual penalties in the event of breach of credit card processing agreements
– Restoration of damaged software and/or databases
– Security analysis and improvement
Insurance coverage exists for insured events worldwide. Depending on the tariff, there may be a restriction that claims must be made within and in accordance with existing EU or EEA law.
Depending on the tariff, losses due to information security breaches occurring before the start of the insurance contract are also insured if the policyholder was not aware of the loss or should have been aware of it.
A business interruption occurs when production or the provision of services is completely or even only partially interrupted. The cause of the business interruption must be an event triggering the insured event (see also: What is an insured event?).
A time-based deductible applies within the scope of the business interruption. As a rule, this covers 12 hours per claim. Only after this period has elapsed will the losses resulting from a business interruption be reimbursed.
The task of passive legal protection is to defend against unjustified claims for damages. Passive legal protection under the cyber insurance concept means that the insurer reimburses the policyholder for litigation costs if the policyholder is sued for payment of claims (e.g., damages). In this case, the insurer assumes any procedural and court costs that may be incurred. If it turns out in the often protracted legal dispute that the company is at fault, the damage is also settled to the extent insured. Passive legal protection is generally an integral part of the insurance benefit in every cyber liability insurance policy.
A sublimit is a different upper limit of a coverage amount within the insurance contract. For example, depending on the tariff, compensation limits apply for cyber extortion or contractual penalties as a result of breach of confidentiality obligations. It should be noted that a sublimit does not represent an additional sum insured, but is taken from the agreed total sum insured.
The insurance cover continues to apply to pecuniary loss even after termination of the insurance relationship, provided that the pecuniary loss is based on an information security breach that occurred while the insurance was in force but had not yet been established. The duration of this subsequent liability depends on the respective tariff.