Posted May 14, 2014
by Tobias Losch, GLEG
The information age has long outgrown its infancy, and the widespread adoption of new technologies and products mark a stronger developed environment today. Fittingly, this more mature landscape presents more seasoned solutions for challenges along the way. Cyber threats are one of the biggest challenges; they are here to stay, and they come in many different forms: from careless employees leaking information, technical failures, brand reputation issues, and online activism, to deliberate hacking attacks and industrial or state-sponsored espionage.
Not every cyber threat can be eliminated in time, though, and damages can be substantial. The Center for Strategic and International Studies, CSIS, estimated global annual losses between $300bn and $1tn. Insurance products covering cyber-based risks became inevitable for damages in the digital realm and in the physical world of bricks and mortar, for businesses as well as consumers.
The insurance industry is rolling out new products, but their worth and impact remains to be seen. The major advantages are:
- Financial relief: Insurance products could cover a wide range of expenses related to cyber threats. Those costs could either be first party liabilities like costs related to business interruptions, forensic investigations, recovery of data, and the regulatory outfall of a data breach (e.g. costs for consumer notifications, legal defense expenses, and penalties) or third party liabilities based on the performance of services.
- Safety standards. Whether it is home, car, health, or any other insurance, insurance companies are usually involved in defining safety standards and best practices. Their financial exposure motivates insurers to reduce the probability for a covered event to happen.
- Information. Insurance companies could be increasingly able to gather threat information from a large customer base and use this information to mitigate future threats. Their deep pockets could make them formidable foes for online crooks.
But insurance products can only be an additional dimension of dealing with cyber threats. While the insurance industry will know how to protect itself from the moral hazard of the careless insured, there are a few more points to consider:
- Online threats may not only affect monetary aspects. A company might be able to recover expenses to notify customers of a data breach or to provide large-scale credit report monitoring– but that does not necessarily restore consumer confidence. Reputational risks from online activists belong in this category as well.
- While the market place is demanding insurance products, there are considerable barriers in place, such as uncertainty about the extent of risk or to price contracts, the absence of an insurer of last resort to guard against catastrophic risk, and confusion about technical standards and best practices, to name just a few.
- Some industries may be excluded from the insurance markets or specific threats may not be covered. Lloyd’s of London recently refused to accept energy companies, partly because the underwriters were unimpressed with the defenses in place against cyber threats. It is clear that insurance will not be an alternative to prudent awareness and defense.
- It remains true that many cyber attacks are not identified as such and as a consequence, damages will not be compensated.
Insurance provides another dimension within an overreaching strategy to manage risks in cyber space as well as in the physical world. While an insurance policy cannot protect your spine in a car crash, insurance lobbying may have contributed to put a lifesaving safety belt in your car. But it is still the driver’s responsibility to use the car’s safety features – and to stay alert and aware in traffic.
The author received his legal education at the University of Göttingen (GER), practiced law previously as an attorney in Germany, and is GIAC certified for Law of Data Security & Investigations. He serves as a leader of Cyveillance’s Global Intelligence Team. Disclaimer: This blog post is a general reflection of certain topics and is not intended as a comprehensive discussion of the law. It does not constitute legal advice for any particular situation. If you need specific legal advice, please consult your own counsel.