Insure Cyber Risks: Better Safe Than Sorry
What is cyber insurance, and who should have it? These are exactly the questions we recently asked ourselves in our team. And what better way to find out than to ask the experts in our neighborhood? exali AG, which was founded in 2008 and has its headquarters in Augsburg, offers professional liability insurance for self-employed persons, freelancers, and companies in the areas of IT, ransomware, e-commerce, telecommunications, media, and consulting.
In an interview, Ralph Günther, Founder & CEO of exali, answered our questions about insurance against cyber risks. As one of the pioneers in the online insurance business, the expert has actively contributed to the improvement of insurance coverage for the self-employed, such as freelancers, and introduced new service enhancements to the market. He regularly passes on his knowledge as a specialist author, so we are delighted that he shares it with us and our readers today.
Boxcryptor: For Whom or for Which Company Is a Cyber Insurance Useful?
Ralph Günther: From my point of view, cyber-risk insurance makes sense for every self-employed person as well as every company. Our experience at exali shows that companies of all sizes and from all industries become victims of hacker attacks and malware. While large companies may still be able to cushion the financial consequences of a system failure lasting several days, small companies or self-employed persons quickly put their entire business at risk. Cyber insurance protects against this financial risk and also covers the costs of keeping business running and restoring systems in the event of a cyber-attack.
Insurance Grouches or Insurance Friends — What Percentage of Companies Have Already Taken Out Cyber Insurance?
Ralph Günther: Of course, I can’t speak for the entire insurance market, but at exali, about 26 percent of our policyholders have added the additional module for cyber own damage to their professional liability.
In general, I can say from my experience that, unfortunately, many companies still underestimate the danger of cybercrime and think “it’s not my fault”. In addition, many think that a good insurance against cybercrime is too expensive. Apart from the fact that this is not true, a hacker attack and the associated damage are much more costly.
What Benefits Should the Insurance Cover?
Ralph Günther: A good cyber insurance should cover the cost of cleaning and restoring your systems after a hacker attack. This also includes the cost of using third-party IT systems so that you can continue your business. As more and more cybercriminals are demanding a ransom to release encrypted data, good insurance should cover this if all other options fail. Since a hacker attack can also damage a company’s image if, for example, customer data is lost, the cost of crisis PR should also be paid by the insurance company.
*Source: exali AG
Which Services Are Already Covered by Other Insurances Like Legal Protection or Liability?
Ralph Günther: At exali, every professional liability insurance includes as a fixed component the coverage for so-called data and cyber third-party damages. This means that the professional liability insurance automatically covers you if someone else is harmed by a hacker attack in your company. This can happen, for example, if your customers’ data is lost and misused by cybercriminals for fraudulent purposes. Then the injured party, in this case, your customer, will demand compensation from you and the insurance company will pay for it.
A legal expenses insurance policy does not cover any compensation payments, but only the costs of legal proceedings, for example, attorney’s fees and court costs. However, since the risk is much higher that you as a self-employed person cause damage to another person or that you yourself suffer damage, a legal expenses insurance can cover at most parts of cyber damage and is therefore in my opinion not sufficient protection against cyber risks and their financial consequences.
What Are Potential Security Risks?
Ralph Günther: On the one hand, the danger of catching malware is increasing. Cybercrime cases are increasing every year, and cybercriminals are increasingly targeting small businesses — and they become more and more creative. Detecting a phishing email is much more difficult today than it was a few years ago. On the other hand, both in our private lives and as a company, we are increasingly networked, internally and with external service providers or clients. This makes it even harder to keep an overview of IT security.
The amount of data we store is also becoming more confusing and thus a risk; keyword: Big Data. Because the data that is processed must also be adequately secured. This is only possible with a comprehensive security concept. Clouds can also become a security risk, from access and transmission to data storage. And ultimately, the human factor is also a risk. Without every self-employed person and all employees in a company being sensitized to IT security, it is not possible. Because social engineering attacks, such as phishing mails, rely on people making a mistake and opening the door to malware, so to speak. The same applies to password security or the handling of data media or private devices connected to the company network.
Based on Your Experience as an Insurer: What Are the Most Frequent Causes of Damage? Where Do Frequent Incidents Occur?
Ralph Günther: Frequently, it happens that policyholders catch malware, for example, because they open contaminated e-mail attachments. IT systems are often hacked and paralyzed. But DDoS attacks also occur more frequently. In these attacks, a particular service is bombarded with requests until it no longer works. At some point, the IT infrastructure becomes so overloaded that nothing works anymore. Then a ransom is demanded from the affected company so that the blocked systems are released again. Recently, we have also had several cases of illegal crypto-mining, i.e. the computing power of our policyholders was hijacked in order to generate crypto-currency.
Can Cyber Insurance Help With Data Breaches? And if So, How?
Ralph Günther: Absolutely. There are two scenarios and (at least with exali) two solutions.
Scenario 1: Customer data is stolen during a hacker attack. Hence, the customer will demand compensation from you, for example, if the loss of data results in a GDPR fine. In this case, your insurance company will pay compensation.
Scenario 2: Your own data is lost. This is a so-called personal injury. You can protect this with an additional module. In this case, the insurer will cover, for example, the costs for IT specialists to clean up your systems, but also costs incurred to keep your business running in the meantime, such as the use of third-party IT systems. But also costs for crisis PR or specialized lawyers are covered, if necessary.
Are There Any Odd Insurance Incidents You Can Report?
Ralph Günther: Two cases come to my mind spontaneously. The first concerned a law firm that is insured with us. One day early in the morning, they noticed their accounting software was no longer working, and that print jobs were taking an unusually long time. It then turned out that the day before hackers had installed a Bitcoin Miner on the firm’s server and used the computing power of the firm’s computers for illegal crypto mining. It took several days before the lawyers could work as usual again.
The other is about the so-called Fake-President Trick, in which cybercriminals pretend to be the chairman of a company, for example, and then query data from employees. In this case, an alleged company board member contacted an employee and asked him to buy gift cards for the Google Play Store. In the end, the employee bought cards worth 1,500 euros and sent the alleged CEO the codes. I don’t have to say that it was not the real CEO of the company...
What Is the Average Amount of Damage?
Ralph Günther: In general, I can say that damages caused by cybercrime can quickly cost several 10,000 euros. One reason for this is that IT forensics are expensive, and it costs a lot of money to get affected IT systems up and running again or to set them up completely new. On the other hand, cybercriminals naturally demand large sums of ransom money.
Who Takes Care of the Insurance? Employee or Employer?
Ralph Günther: Of course, first and foremost, every employer as an entrepreneur should take care of the coverage of occupational risks such as cyber risks for his company within the framework of good risk management.
As an employee, you do not need your own professional liability or special cyber insurance, because you are privileged in terms of liability, i.e. if you make a mistake, the company is liable externally. However, this does not apply to employees in special functions within the company, for example, data protection or compliance officers, and of course not to the organs of a company such as board members or managing directors. They may then have to take action themselves and take care of suitable insurance cover for their personal risks. Even in particularly serious cases, especially in cases of intent, the liability privilege no longer applies, and the company can take recourse against the employee. In the case of intent, i.e. the deliberate causing of damage, insurance will no longer help.
If you are self-employed, you must, of course, take care of your professional liability and cyber insurance yourself. This is urgently necessary because you are always personally liable for mistakes and with your private assets.
What Does Cyber Insurance Cost?
Ralph Günther: Cyber insurance as an independent solution starts at exali at 176 Euro per year plus insurance tax, with an annual turnover of up to 100,000 Euro and an insured sum of 100,000 Euro.
The additional module which you can optionally add to your professional liability insurance starts at around 58 Euro per year plus insurance tax.
A big thank you to Ralph Günther and the exali editorial team for the information and the exciting insights.
Further information about the different insurances can be found on the (German) website.