- Cybersecurity insurance has been around for a few years, but take-up in Europe has been very limited so far.
- Rather than just try to sell customers insurance policies, network and cloud providers should share the cost of mitigating risk from use of their services.
Businesses routinely take out insurance in order to protect against a myriad of risks. In many industries and professions, of course, it is even a regulatory requirement. The risks from fraud and other cybercrime have not gone unnoticed by insurance underwriters and brokers, leading to a spate of new product development over the last couple of years. In the U.S., the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) took a proactive role in bringing together a diverse group of stakeholders, ranging from insurance carriers, risk managers, and IT/cyber experts to critical infrastructure owners and even social scientists, to encourage cybersecurity insurance adoption and improve cyber risk management. In Europe, the European Network and Information Security Agency (ENISA) studied incentives and barriers for the cyber insurance market and made a number of recommendations. Both of these efforts began back in 2012, so what is the state of play now?
Insurance products have been rolled out in various jurisdictions, in some cases with network or IT security service providers playing a direct role. Last year, Allianz and Deutsche Telekom joined forces in Germany to launch services for both retail and corporate customers that combine smart building solutions with cyber security services and insurance cover. AIG, a global provider, offers a comprehensive cybersecurity insurance plan designed to help clients prevent and safeguard against sensitive data breaches, computer hacking, employee error, and more.
There’s just one problem: despite the availability of products, hardly anyone is buying them – at least in Europe. One reason is the stubborn, but entirely reasonable, expectation on the part of customers that IT and network providers should take responsibility for selling safe products and services, rather than expecting users to insure against what they see as the provider’s faults. Another, more nuanced reason is the reluctance of businesses to open their internal infrastructure and procedures to an insurer’s scrutiny, which means cataloguing their own security weaknesses for a third party. Citing published industry estimates, The Wall Street Journal recently reported that cyber liability insurance accounts for just 0.01% of non-life premiums in the UK. Barriers to adoption outlined in the ENISA study include the lack of data and the lack of information sharing within industry, continuing uncertainty about cybersecurity risks and impacts, and a perception that existing insurance already covers cyber risks.
For all the lack of aggregate risk data, the one industry that does have relevant visibility across a large population of business users is the telco space. Businesses should question their network and cloud service providers on what they are doing to minimize and insure against risks, and what efforts they can also extend to their customers. Maybe it is time for ICT providers to share the financial risks that customers take when using their systems and networks, perhaps through subsidized or group insurance policies (rather than simply selling insurance on top of communications and computing services).