The area of cyber security is as promising for insurers as it is challenging. “We anticipate exponential growth in this segment, as no company will be able to ignore this risk in the future”, says Wolfgang Weiler, President of the German Insurance Association (GDV). A minimum standard of IT security is a precondition to granting insurance cover, though. “A good IT security strategy is an integral part of cyber cover.”
The German insurance industry advocates the following points in combating and defending against cybercrime:
1. A new risk culture for cyberspace
Digitization has enabled the business sector in Germany to speed up processes, offer new services and be more flexible in responding to clients’ wishes. However, cyber criminals are also looking for ways to profit from the digital revolution. The threat of cybercrime will grow and companies need to improve their defences: at least a quarter of the German Mittelstand has already incurred financial or material losses from cyber-attacks according to a representative Forsa survey commissioned by the GDV. Nonetheless, the risk of cyber-attack is still underestimated. German insurers are drawing attention to the issue, for example through the magazine “Cyber Security – IT-Risiken für den Mittelstand erkennen, vorbeugen, versichern” (Cyber security – identify, preempt and insure IT risks for the Mittelstand). VdS Schadenverhütung GmbH, a GDV subsidiary, has developed a quick cyber security check whereby small and medium-sized companies can access an automated assessment of their IT security level. There is also a content initiative being planned this year, which will feature web-based hazards on a regular basis.
2. Insure cyber risks
The insurance industry has developed non-binding model terms and conditions for cyber insurance policies. They are designed to assist insurers in putting offers together. The model terms and conditions mainly target companies with up to EUR 50 million in revenues and up to 250 employees. Cover is not restricted to data theft and business interruption, it extends to IT forensics and crisis communication. Private clients can also choose from a selection of policies to protect themselves from cyber risks, for example liability or legal expenses cover.
3. Prevention is a prerequisite for insurance cover
Insurers ensure prevention by asking their clients about their cyber-security processes, pointing out vulnerable areas and – where necessary – demanding technical and organisational changes in the corporate cybersecurity system. Only then is it time to start thinking about insurance cover. Clients have to meet certain conditions, which will make them less susceptible to cyber risks and help ensure any losses remain manageable and calculable. This benefits the client in two ways: IT security is always kept up to date so systems are more resilient – at the same time the company remains insurable as insurers can calculate the cost of a major loss event.
4. Staying silent about cyber-attacks does more harm than good
The decision whether to go public about a cyber-attack always depends on the merits of each individual case. However, as a general rule we advocate more openness on the danger of cyber-attacks and stronger cooperation between companies, associations, investigators and prosecutors. That includes informing external experts and the authorities in the event of an attack. Staying silent just helps the perpetrators. The only way to restrict the flood of cyber-attacks over the medium term is to quickly identify and prosecute the culprits.
5. Electronic communication needs special protection
Secure communication channels are indispensable to the security of digital data. Electronic communication must be very well protected, especially when sensitive data are involved. More emphasis on secure web-based authentication procedures is required. Moreover, solutions should fit in well with the everyday routine and practice of the users and businesses. Insurers have already developed an option whereby they can conduct secure, web-based communication, the Trusted German Insurance Cloud (TGIC). By certifying the TGIC, the insurance sector and the Federal Office for Information Security (BSI) have already made a contribution to establishing security standards for Cloud solutions. Minimum standards for the protection of electronic business processes should be in place for all sectors.
6. Improving hardware security standards, such as smart home products
Hardware is susceptible to cyber-attack as well as software, the threat of Meltdown and Spectre is a timely reminder of that. There are still no binding security standards for smart home products, for example. The same goes for devices users carry around with them, for example connected cameras. Any vulnerabilities in these appliances can be exploited by criminals to watch people at home via the internet so they know when the time is right to break in. That is why clear and binding rules incumbent on all providers are needed. That is how to minimise the cyber risks for users. Producers must offer support and security updates for as long as possible – particularly with smart home products. The fundamental requirements are for security updates to be automatically downloaded to devices and for producers to guarantee the security of their products, including after-sales support and security updates. The device should also clearly display the duration of the support.
7. Insurers are also potential targets and they must protect their systems
As the guardian of sensitive client data, the insurance sector itself is a target for hackers and it must make adequate provision for that. This goes well beyond firewalls and scanning for viruses. It includes, for example, informing external experts and the authorities in the event of an attack and closing any security gaps. In cooperation with the public prosecutor’s office in Cologne and the NRW Department of Justice the GDV has developed a crisis response plan for a major cyber-related event. Our member companies undertake to shorten their reaction time in the event of a cyber-attack and to ensure the protection of the insurance industry as a mainstay of the economy.