A new report from the European Network and Information Security Agency (ENISA) claims that Europe’s citizens and businesses could benefit from better protection for their computer systems and data if the cyber insurance market can be kick-started.
Though cyber security is an important concern for European and national policy makers, businesses and citizens, there is concern that traditional coverage offered by Europe’s insurance providers may not comprehensively address digital risk, according to the report, “Incentives and Barriers to the Cyber Insurance Market in Europe.”
ENISA has made four recommendations to address this issue:
- Collect empirical data on cyber insurance in Europe, looking at types of risk insured, premiums paid and levels of payouts to determine future trends. The action could be taken by insurance underwriters, firms or regulatory authorities.
- Examine incentives for firms to improve their data security as a way for them to reduce their risk and financial liability if they breach data protection regulations. Fact finding with the European Commission would be a first step to understanding this area.
- Establish agreed frameworks to help firms put a measurable value on their information. The work could be assisted by privacy and information security advisors, underwriters and the European Commission. ENISA could also provide further support.
- Explore the role of governments as an insurer of last resort, following other models where policy intervention is in evidence when catastrophic risk is involved. This could be investigated by EU Member State governments and the European Commission.
Meanwhile, in the U.S., the topic of cyber liability exposures and coverage was of top concern at the Casualty Actuarial Society’s Seminar on Reinsurance, held earlier this month in Boston. There, it was noted that 72% of large U.S. companies do not have cyber liability insurance, while 33% believe they don’t have significant data exposure, since they believe their internal controls are adequate (according to a study by Towers Watson).
The business of cyber insurance is growing, however. Michael L. McCarthy, a vice president of professional liability treaty reinsurance at Axis Capital, estimated the market at about $500 million in premium per year, most of it in the United States, and growing at 10 to 25% per year.
According to a release from the Casualty Actuarial Society, John Merchant, of Freedom Specialty Insurance Company, divided coverage into five broad categories:
- Liability coverage, which covers damages from loss or compromise of sensitive third party data, like patient medical records. It also covers liability arising from damage to a third party’s network because the insured’s network caused a data breach, such as if a virus traceable to the insured’s network infects another network. And it covers e-media issues, like libel or slander or misuse of a company’s trademark.
- Expense coverage, which covers the cost to notify every person whose privacy has been breached. Often that includes providing the victim services like credit monitoring, identification theft monitoring or restoration of a stolen identity.
- Regulatory coverage, which covers the company’s costs if the breach triggers investigation by state or federal authorities.
- Industry group coverage, which handles fines assessed by industry associations for data breaches. For example, Visa, MasterCard and Discover have established a Payment Card Industry-Data Security Standard. If a credit card issuer fails to adhere to the standard, it can be fined. The coverage handles the fine.
- First party coverage, which handles loss of revenue from network interruptions caused by a security breach, or the cost of restoring lost data.
However you divide it or analyze it, the fact remains that there is still an inadequate market for cyber insurance, both in the States and abroad. Though recent statistics have shown growth, we must remember that it is an emerging market and with that comes risks, mistakes and lessons.