Cyber insurance: A critical look behind the scenes

Current developments in the cyber insurance market
The threat of cyberattacks continues to increase. The "cyber-crime" business model continues to evolve from year to year. The often hasty digitization of companies during the Corona pandemic led to a sharp increase in the number of claims over the last 20 months. In very few cases, however, the public learns about the extent of the attacks.
Not only the affected companies, but also many insurers suffer from the hacker attacks. The claims burden on insurers is rising steadily. According to a recent IBM study, the average damage of a so-called "ransomware" attack is around 4.6 million US dollars.
In order to gain a better overview and estimate the costs, many insurers are currently resorting to drastic measures. Many are reducing underwriting capacity and increasing risk premiums. Some are even withdrawing from the market altogether.
At the same time, INFO-security requirements are increasing for companies looking to take out cyber insurance. The days when companies could take out cyber insurance without an in-depth risk analysis are long gone. Page-long questionnaires to establish the INFO-security of companies are the norm, sometimes followed by elaborate risk audits by insurers.
Companies that do not keep their IT security up to date are rejected by insurers and cannot cover the ever-remaining residual risk of a cyber incident through cyber insurance. Detailed risk questions and requirements for patch management, network segmentation, employee sensitization, access rights, and data backup concepts have become standard.
Cyber attack prevention is the most important measure to prevent malware infection or at least contain the potential extent of the damage.

Claims management by insurers - CAUTION is advised
Once a cyber incident in a company has been brought back under control and operations have resumed, the critical review of the incident by the insurance company begins as part of the claims settlement process. Individual contract components (including the insurance terms and conditions) are examined and compared with the damage incurred and the course of events leading to the damage.
The market for cyber insurance in Germany is still relatively young. The insurance terms and conditions and the processes for handling a claim are therefore still inconsistent and not sufficiently standardized. Against this background, it is all the more important for companies to look into the individual construction and components of their cyber insurance.
To best avoid a rude awakening after a claim, companies should choose cyber insurance that does not offer the insurer any loopholes in the settlement process.

True to the motto "The insurance concept must fit the company concept - and not the other way around", particular attention should be paid to the following points:
- Pre-contractual duty of disclosure
- Notifiable increases in risk
- Plea of gross negligence
- Obligations before and after damage (including coordination obligations with VR - coverage discussions)

New risks for managed service providers
In Germany, more cyber insurance policies have already been taken out in 2021 through October than in any previous year overall.
Rarely discussed, however, are new liability risks arising for some industries. An example from the IT service industry: If a customer who has cyber insurance becomes the victim of a cyber incident, the associated IT service provider is more likely to be held responsible for the damage by the customer's insurer and to be taken to court. New and rarely considered liability risks arise.

Take advantage of our webinar and learn how you and your company can avoid unpleasant discussions with your cyber insurer in the event of a claim.
We look forward to seeing you!

Translated with www.DeepL.com/Translator (free version)