Insurance Europe
Cyber insurance

Insurers’ role in increasing cyber resilience

Although increased digitalisation has obvious benefits to society, it also brings a number of risks. The potential for serious economic and commercial repercussions, illustrated by recent attacks such as that by the WannaCry ransomware, means that investing in increasing the cyber resilience of businesses and society is vital.

Insurers have a key role to play, not only in providing cover, but also in helping their clients prevent these risks and mitigate their impact when they materialise. Insurers have a unique perspective that goes beyond their experience of cyber risks thanks to their many years of insuring natural catastrophe and terrorism risks, which can be similarly large and multifaceted events.

 
Development of the cyber insurance market
 

Although the European cyber insurance market is still relatively small, steps are being taken to tackle some of the barriers to being able to offer more cyber insurance products.

These barriers include the lack of available data on cyber incidents and a lack of awareness by the public — both companies and individuals — of the importance of cyber security.

 

   

 
National insurance association initiatives
 

Beyond their core role of risk transfer, insurers are also active in prevention, awareness-raising and mitigating the effects of cyber attacks. Here are just some examples of initiatives by national insurance associations to increase cyber resilience.

 

            

            

 
Data breach notification template
 

To facilitate the development of the EU cyber-insurance market, insurers should have access to anonymised data collected under the EU’s General Data Protection Regulation (GDPR) and Network Information Security Directive.

Insurance Europe has developed a template for breach notifications under the GDPR. The template is easy to use and allows the information to be compared across sectors. The data gathered would be anonymised but sufficiently granular to be of use to insurers.

Insurance Europe would like the Article 29 Working Party to use it as inspiration for its work on guidelines for data breach notification templates.

      


 

National insurance association initiatives in Austria


I. Development of non-binding model conditions for cyber insurance

The Austrian insurance association, VVO, is currently developing non-binding model conditions for cyber insurance. Talks are also underway between the VVO and the Swiss and German associations about cooperation in the areas of risk management, prevention work and claims support.

II. Prevention and awareness-raising

In spring 2017, the WKÖ (Austrian Federal Chamber of Commerce) organised a roadshow in all nine Austrian provinces to raise SME awareness of cyber security and cyber insurance. The VVO works closely with the WKÖ on this topic.

The WKÖ’s online platform for cyber security features an online test to give SMEs detailed information on the level of IT security in their company. The questions focus on cyber threats that could disrupt daily business practices of SMEs. On the WKÖ website there is also a checklist and risk analysis for SMEs on the implementation of the EU General Data Protection Regulation.

III. Public-private partnership

The VVO has been working with experts from the Austrian Road Safety Board (Kuratorium für Verkehrssicherheit (KfV)) to map cyber crime in Austria. The VVO and the KfV published the results of a survey of 500 SMEs in Austria in March 2017, which showed that 66% were affected by cyber crime in 2016. The VVO and the KfV also made recommendations on measures individuals can take to protect themselves against cyber attacks.

 

National insurance association initiatives in Belgium


I. Public-private partnership

Assuralia, the Belgian insurance association, is a member of the Cyber Security Coalition. This coalition aims to fight cyber crime and has over 50 members from academia, public authorities and the private sector.

 

National insurance association initiatives in Denmark


I. Public-private partnership

The Danish insurance association is a member of a forum created by the Danish police and the national centre for cyber crime. Participants in this group exchange information on cyber attacks on a confidential basis and receive information on national and international trends. The forum also organises conferences to raise awareness.

 

National insurance association initiatives in France


I. Public-private partnership

The FFA, the French insurance association, is part of GIP-ACYMA, a public-private partnership led by ANSSI (the French national agency for the security of information systems) and the Ministry of Interior. The aim of the partnership is to create a national system of assistance for victims of cyber attacks. ACYMA targets individuals, companies and local authorities by linking victims of cyber attacks with local providers via a digital platform; launching prevention and awareness campaigns on digital security; and creating a digital risk monitoring centre.

II. Prevention and awareness-raising

In May 2017, the FFA published a brochure that provides tips and information on how SMEs can anticipate and minimise the impact of cyber risks.

III. Work by “Le Club des juristes”

The FFA leads the cyber group of independent thinktank “Le Club des juristes”, created in October 2016. The aim of this group is to formulate concrete proposals on cyber security and cyber insurance.

IV. Standard-setting and certification

CNPP, the independent technical standard-setting and certification body attached to the FFA, published standard APSAD D32 in June 2017 to help prevent cyber attacks. CNPP offers training on the cybersecurity of security/safety installations (application of APSAD D32) and tests to evaluate robustness to cyber attacks, and can provide certification to companies using the standard.

V. A “Digital certificate for insurers”

Following a 2014 agreement signed by the insurance sector, by 2020 all employees will have to gain a “Digital certificate for insurers” in cyber security and data privacy. This seeks to ensure that insurance employees have the necessary digital skills.

 

National insurance association initiatives in Germany


I. Prevention and awareness-raising

Vds, an independent technical standard-setting and certification body of the German insurance association (GDV), has published guidelines for SMEs on cyber security. The free guidelines enable SMEs to audit their own cyber resilience. The Vds also offers a follow-up cyber-security audit for SMEs and cyber-security training courses.

II. Non-binding wording for cyber insurance

In March 2017, the GDV published non-binding wording for cyber insurance for SMEs. The model terms and conditions are designed for cross-sectoral, multi-line policies for cyber-risk insurance. They contain elements from traditional insurance products such as liability, property and employees’ fidelity.

 

National insurance association initiatives in the Netherlands


I. Prevention and awareness-raising

In 2015, the Dutch Association of Insurers (VVN) co-funded a campaign with the Dutch Ministry of Security and Justice and MKB-Nederland (the Dutch SME association) to raise entrepreneurs’ awareness of the potential impact of cyber crime on their businesses. The project consisted of five roadshows in different regions, at which SMEs received information about cyber crime. Entrepreneurs were also offered a free ethical hack to provide them with an insight into their vulnerabilities and the measures they can take to improve their cybersecurity. One of the results of the campaign was that half of the “hacked” companies indicated that they would be willing to implement additional cyber-security measures.

As a follow-up, the Dutch government, MKB-Nederland and a range of other stakeholders developed the web portal “safe internet for businesses” (www.veiligzakelijkinternetten.nl). The portal provides consumers and businesses with information about cyber threats, safety and prevention. It also offers a free “risk scan” and an “internet for business academy”. The VVN is a member of the platform.

II. Emergency response team for the insurance sector

The VVN has created a computer emergency response team for the insurance sector (i-CERT), a central service that informs all affiliated insurers and advises on cyber threats and incidents. i-CERT aims to improve the digital resilience of insurers, collect data on cyber incidents, limit the damage from cyber-security breaches, improve the provision of information on cyber security in the sector and increase the confidence of clients and stakeholders.

III. Public-private partnership

“Alert Online” is an annual awareness campaign by stakeholders from the public, academic and private sectors to make the Netherlands safer online. The Dutch Association of Insurers is a partner in the campaign. From 2-13 October 2017 over 170 stakeholders promoted cyber-secure behaviour among Dutch consumers, the national and regional governments, companies (including SMEs), institutions and NGOs. Stakeholders organise events throughout the year, but the main activities of the campaign take place in October during European Cyber Security Month. “Alert Online” also published the results of its yearly cyber-security awareness survey in October.

 

National insurance association initiatives in Spain


I. Prevention and awareness-raising

Cepreven (an independent technical standard-setting and certification body attached to the Spanish insurance association, UNESPA) has published a “self-assessment questionnaire” that SMEs can use to ascertain the security level of their business information and raise their awareness of cyber-security risks.

 

National insurance association initiatives in Sweden


I. Public-private partnership

A cooperation between the public and private sectors (including insurers), led by the Bank of Sweden, is developing scenarios for cyber incidents to increase the resilience of the financial sector.

 

National insurance association initiatives in Switzerland


I. Public-private partnership

The cyber working group of the Swiss Insurance Association (SIA) focuses on the role of the state and data exchange, as well as on disaster scenarios and their impact. In parallel the SIA has a number of workstreams that will have an impact on best practices in the medium term. For example, the SIA is part of the Swiss National Cyber Strategy (NCS2) to which it brings insurance-related topics. NCS2 is carrying out a survey to determine the willingness of the SME sector in Switzerland to support minimum cyber-security standards and the exchange of data.

 

National insurance association initiatives in the UK


I. Prevention and awareness-raising

In May 2016, the Association of British Insurers (ABI) published a guide for SMEs, “Making sense of cyber insurance: A guide for SMEs”, to explain what cyber insurance is and how it works.

II. Public-private partnerships

The National Cyber Security Centre operates a “Cyber Security Information Sharing Partnership” that allows the government and the private sector to exchange cyber-threat information in real time. The partnership was established in 2013 and the insurance industry is one of the largest participating sectors.

Insurance representatives, including the ABI, Lloyd’s, the International Underwriting Association and the British Insurance Brokers’ Association, also meet regularly with government officials through the Cyber Insurance Forum to discuss challenges facing cyber insurance. The CRIF is also dedicated to raising cyber-security awareness and developing best practice guidelines.

III. Development of cyber scenarios

Lloyd’s has led the development of cyber scenarios with the aim of quantifying cyber risk aggregation. In 2017, Lloyd’s and Cyence produced a report, “Counting the cost – Cyber exposure decoded”, to provide insurers that write cyber coverage with two realistic and plausible scenarios. In 2015, Lloyd’s and the Cambridge Centre for Risk Studies published a report, “Business blackout”, which depicts a scenario in which hackers shut down parts of the US power grid, plunging 15 US states and Washington DC into darkness and leaving 93 million people without power.

 

Lack of available data on cyber incidents


One of the barriers to being able to offer more cyber insurance products is the lack of available data on cyber incidents.

With the data-breach and cyber-incident reporting requirements in the EU’s soon-to-be-enforced General Data Protection Regulation and Network Information Security Directive, information will be collected by national authorities that could greatly help insurers better understand and quantify cyber risks. Sharing this data with insurers could therefore be a very positive step in the right direction.

 

Lack of awareness of the importance of cyber security


The insurance sector and its national insurance associations are involved in a variety of activities to raise awareness of the importance of taking adequate cybersecurity measures, especially among SMEs. The associations work with governments to support the dissemination of information on cyber threats and implement strategies that raise awareness and support loss prevention and mitigation.

Action at EU level is also welcome, such as the September 2017 Cybersecurity Strategy, which encourages member states to raise awareness among businesses and individuals.

 
Contacts
Nicolas Jeanmart
Head of personal insurance, general insurance & macroeconomics
Sara MacArthur
Policy advisor, general insurance