Cybersecurity risk insurance

Father

Insurance has long been a common part of cybersecurity practice worldwide. Cyber risk insurance services are provided by both specialized companies and large international insurance organizations.

At the same time, the practice of cyber insurance in Russia is quite rare, despite the presence of a large selection of companies that are ready to provide such services. This is largely due to the low level of awareness of the target audience about the cybersecurity risk insurance service itself.

This article examines the main aspects of cyber insurance, the leading providers of this service, and the mechanism of interaction between insurers and customers.

What is cyber insurance?

The main differences between cyber insurance and other types of insurance come down to two factors:
  1. Insurance object. The insured object is data (usually personal data of customers or employees), not the storage medium, such as a server or cloud.
  2. Requirements for the client. To get a cyber insurance policy, a company must meet a certain level of protection.
The main advantage of cybersecurity insurance is the ability to receive compensation in the event of data compromise, rather than damage to the infrastructure.

Depending on the specific insurer or tariff, the insurance policy covers:
  • cyber extortion;
  • expenses for meeting personal data security requirements;
  • costs of dealing with the consequences of a data leak;
  • costs incurred by the company during forced downtime (for example, during a DDoS attack);
  • costs of consulting specialists when dealing with the consequences of hacking (investigation, legal costs, costs for lawyers, PR specialists, etc.).

It is important to understand that not all cyber incidents qualify as insured events. For example, the activities of insiders within the company, when an employee is knowingly involved in compromising data, are not covered. This leads to disagreements between the company and the insurer in cases where an insider is only one of the links in a cyber attack, and such disputes have to be resolved in court.

Insurance allows you to minimize the damage of a cyberattack to an organization, cover part of the costs and avoid bankruptcy of the company. However, all of these factors and benefits are of varying relevance depending on the country in which the company operates.

Features of the company's cyber insurance in Russia

The Russian market for security risk insurance is quite saturated. There are major domestic players, such as Sberbank Insurance or Alfa-Cyber, as well as representative offices of foreign companies, such as Allianz Cyber Protect.

However, the most popular is the integrated model, where insurance is bundled with the security software provided by an information security company. In this model, every party benefits. The client receives an additional security guarantee, the vendor profits from delivering its software, and the insurance company gains confidence that the client is sufficiently protected from an information security point of view.

However, demand in the market remains quite low, primarily due to the lack of the main driver of development relevant for other markets – penalties for allowing data leaks.

There is simply no point in insuring cybersecurity risks if an incident costs less than a policy. This is clearly shown by the Yandex case, a trial in which customer claims against the company were satisfied for a fairly modest amount (5,000 rubles each for 13 customers).

At the same time, there are also prerequisites for the growing relevance of cyber insurance in Russia. This includes a discussion of tougher penalties for data leaks, an increase in the number of cyber attacks on Russian companies, and an increase in the overall level of awareness of cybersecurity risks in the business environment.

Conclusion

The global cyber insurance market is growing thanks to states that are following the path of stricter legislation in the field of working with data. In this way, regulators motivate businesses to be aware of the risks of data loss.

Nikolay Zhuravlev
General Director of Business Planning Experts

Today, cyber insurance has become a popular way to protect against information risks, which is used by thousands of companies around the world. Since today large companies are constantly exposed to hacking, small businesses have also realized that the question is no longer "whether there will be an attack", but "when" it will happen. Thanks to this, according to the latest estimates of industry experts, the global cyber insurance market will reach a turnover of $20.6 billion by 2025. Such growth rates are a reaction to the explosion of cyber attacks over the past few years. The volume of losses from cybercrime also continues to grow. Microsoft claims that cybercrime costs the global economy about $500 billion annually, and 20 percent of small and medium-sized enterprises are exposed to hacker attacks.

As a result, cybercrime loss insurance is actively developing, and demand is outstripping the industry's capacity: the health care system, the service sector, and the manufacturing sector need adequate risk coverage. To reduce their own risks, insurance companies tighten their cybersecurity requirements before providing a customer with insurance coverage. The applicant must provide proof of the availability of backups, regular troubleshooting of vulnerabilities, and control over employee access levels to information. Practice shows that not everyone meets these conditions.

As a result, by 2022, the cyber insurance market has evolved from a niche risk management tool to a critical insurance sector. Moreover, companies that do not use this type of insurance may face a drop in revenue, as partners and customers increasingly make cyber insurance a prerequisite for doing business.

A similar trend is likely to become relevant for the Russian market, if regulators still follow the path of tougher liability for information leaks. Cyber insurance is most relevant for companies that are data operators, primarily from the e-commerce sector.

At the same time, the Russian market already has a sufficient number of companies that can provide this service in a variety of formats, from pure insurance of information security risks to a comprehensive product that includes insurance, software, and expert support in the framework of eliminating the consequences of leaks.
 