Cyber ​​security: Risk of hackers – Cyber ​​policies are becoming more and more expensive

It is no longer an isolated case. Cyber ​​attacks have increased significantly in the pandemic. The liability insurance company from the vicinity of Darmstadt and the Sparkassenverband Baden-Württemberg are further examples in which attacks were recently made public. It is not uncommon for hackers to sneak into company networks via poorly secured computers in the home office. There they steal confidential information, encrypt the data, demand a ransom and paralyze operations. The result: The demand for cyber insurance is also increasing – despite price increases of sometimes more than 100 percent.

That sounds like a lucrative business for the insurance industry, but it’s not that simple. “Cyber ​​attacks are increasing in scope, frequency and intensity,” says Renaud Guidée, chief risk officer of the insurance giant Axa, the Handelsblatt. However, the experience from previous claims is not yet sufficient to adequately understand this new risk from the insurers’ point of view – and to price it.

Guidée warns: “Cyber ​​security is one of the risks that a systemically important dimension can assume. That means that the extent can be so great that private insurance companies can no longer cover the risks. ”Then, in the final analysis, the state would come into play, but when exactly?

The fear of cyber wars

Cyberattacks that hit many companies at the same time make things particularly complicated. These extreme events can overwhelm individual insurers, comparable to a natural disaster. Stefan Golling, board member of the reinsurer Munich Re, said in the run-up to the reinsurance meeting in Monte Carlo that there are systemic risks that can only be managed by the state and the insurance industry together. This includes terrorist as well as politically motivated attacks or a cyber war.

The problem is: In the shadowy world of hackers, it is difficult to distinguish who is acting purely criminally and who is acting on behalf of or at least with the backing of a state. “The state and para-state organizations are a major challenge,” says Axa Chief Risk Officer Guidée. It is actually the task of the state to compensate its citizens and companies for the consequences of acts of war. In suspected cases of this type, Axa uses investigative authorities to check possible connections between the hackers and government agencies.

A clear answer is not always possible. The insurance industry therefore wants clear criteria as to when hacker attacks can be classified as a hostile act by a state. There is also a great need for international coordination when dealing with ransom payments. “We need a global response to cybercrime and extortion,” demands Guidée.

In the current Future Risk Report from Axa, which deals with the biggest risk factors for the next five to ten years, cyber attacks landed in second place, right after climate change. That alone speaks for a systemic risk. Experts from the insurance industry, financial sector and other large companies were interviewed. Their greatest concern is therefore attacks on critical infrastructure, such as the supply of water or electricity.

This could cripple an entire country in the end. There are already examples pointing in this direction: In May, the American pipeline operator Colonial was targeted by hackers, as a result of which gasoline became scarce in some areas of the USA. The company reportedly paid 75 Bitcoin as ransom, almost five million dollars.

Many attacks are ransomware attacks

Ransomware attacks, in which hijacked data have to be bought free, are typical cyber damage cases for insurance companies. This digital blackmail accounts for “around 60 to 70 percent of all damage that companies report to cyber insurers,” reports Johannes Behrends, head of the Cyris unit at the insurance broker Marsh Germany.

According to Rüdiger Kirsch, fraud expert at Euler Hermes, payment fraud is also on the rise. Accordingly, companies repeatedly make larger payments due to emails with fake account details. Last year, the number of cases increased by 35 percent.

According to its own information, the industrial insurer Allianz Global Corporate & Specialty (AGCS) was involved in more than 1000 cyber claims in 2020, compared to around 80 in 2016. In the first half of the current year, a further 566 cases were added. There was a significant increase in blackmail attempts.

The ransom is only part of the financial risk. According to an analysis by AGCS, the biggest drivers of cyber damage are business interruptions and recovery costs. These items represent more than half of the damage value – a total of around 750 million euros – in the almost 3,000 cyber cases in which the insurer has been involved in the past six years.

According to a study by the digital association Bitkom, theft, espionage, sabotage and other attacks alone caused damage of 223 billion euros annually to the German economy. Nine out of ten companies surveyed said they had been hit by hacker attacks in the past twelve months. “When a risk takes shape, the need for insurance becomes more concrete,” says Axa manager Guidée. With the increase in the number of cyber attacks, the demand for appropriate insurance is growing, including among private individuals.

When the price multiplies

That is why the prices are rising. According to a survey by the Association of the Insurance Industry (GVNW), 23 percent of the companies surveyed had to accept premium increases of between 20 and 50 percent in the contract renewals last year. At nine percent, the prices for cyber protection even doubled. Many companies also complained about additional clauses, reduced insurance sums or higher deductibles. There were price increases in other insurance lines as well, but not to the same extent as for cyber policies.

Many companies do not expect an improvement this year, at most a stabilization of the situation. Behrends von Marsh says: “The premiums for cyber policies in this country have recently increased by around 40 percent compared to the previous year. In extreme cases, insurers even demand increases of 300 to 400 percent from their customers. ”Some companies would have to be happy if they could still get insurance coverage at all.

“We observe that companies from sectors that are particularly affected are having a hard time getting insurance cover at all,” says Ralph Rockel, member of the board of directors at industrial insurance broker MRH Trowe. According to him, this includes municipal utilities or financial institutions – with reference to the critical infrastructure.

On the other side of the negotiating table, criticism is loud: a spokeswoman for Stadtwerke München reports that cyber policies are currently “being marketed extremely aggressively by insurance brokers”. Not only the costs are problematic, but also the high implementation effort, because all security-relevant IT processes have to be analyzed and documented in detail.

“Only briefly inattentive”

Not without reason, Behrends argues. “From our point of view, many companies also have problems with the fact that they cannot precisely assess their cyber risks.” It is therefore important first to gain an understanding of your own risk, to close weak points and to take countermeasures, such as employee training or emergency plans .

It is particularly important to keep employees aware of the danger situation, says Kirsch from Euler Hermes: “Cases of fraud are often not an issue of weak IT structures, but of people who are inattentive for a brief moment.”

At Axa it is said that the relocation of many activities to the cloud has increased the attack surface again. Companies have to set up their IT systems and processes in such a way that a cyber attack can be cushioned. In particular, this also means that hackers cannot bring the entire business to a standstill via a digital gateway.

More: Hacker attacks and Corona: New challenges are changing the insurance business.