New cyber risks and insurance products
The global SARS-CoV-2 pandemic has increased the importance of the Internet and remote communication in the operation of businesses, regardless of their size, legal form or industry, forcing employers to organize remote work. Unfortunately, to date, the legislature has not adapted the legislation to the current situation and has not provided legal solutions and mechanisms in this regard. The implementation of remote work has not only been, and continues to be, a logistical challenge, but has also significantly increased the risk of losing sensitive data and revealing company secrets, e.g. because such data cannot be effectively protected within properly secured computer networks. When working remotely, the data may also be accessible to unauthorized persons.
While before the pandemic a cyber risk policy could be regarded as a recommended addition for full business security, supplementing standard insurance (including, in particular, entrepreneur’s liability insurance) with a cyber risk policy now seems crucial. Unfortunately, an analysis of the products available on the Polish market, especially in comparison with the scope of protection granted in other countries, leads to the conclusion that insurers still do not adapt their offerings to the real needs of entrepreneurs in terms of cyber risks.
The task of insurance products for business is to secure the interests of entities against various events and risks, the spectrum of which is constantly expanding. By their very nature, but also because of their purpose and their key role in business, insurance products should always evolve with the development of the business they protect, in order to best adapt to the market situation. Insurance policies should therefore be designed in such a way that the coverage provided corresponds at all times to the risks encountered in the market. Indeed, since the beginning of the insurance market, we have seen it evolve naturally over the years along with changes in the world.
An example of this is the rise in importance of certain types of insurance in recent years, such as those covering potential business losses resulting from increasingly rapid climate change, which carry significant risks, even though they were previously sporadic. New and violent phenomena, however, are not just atmospheric phenomena. With the advancement of technology, the popularization of the Internet, the development of new technologies and the digitization of all transactions and operations, entrepreneurs wishing to do business in the safest possible conditions increasingly recognize the need to insure against the effects of so-called cyber risks. The answer to this need is a whole range of insurance, popularly known as “cyber risk insurance.” It has gained in importance in the past two years, helped by the popularization of remote work, which, while convenient for most employees, raises certain risks for entrepreneurs.
Cyber risk – what exactly is it?
Recently, not a week goes by that we don’t hear about online scams, hacking attacks, or even elements of cyber warfare. As a result of technological progress and the increasingly widespread use of its achievements in business, the risks associated with the storage, collection, processing and loss of data have increased significantly. Company know-how, technologies, proprietary data and copyrights, which often underpin an entrepreneur’s existence and competitiveness in the market, can all quite easily fall into the hands of unauthorized persons. Paradoxically, what makes doing business so much more efficient is also sometimes a gateway for various cyber criminals. Not surprisingly, demand for such insurance products is growing.
In addition, the growing importance of insurance covering the cyber risk area is influenced by legislative changes in the area of personal data protection and the introduction of new sanctions for data processors under the GDPR.
Cybersecurity consists of many elements, such as proper IT infrastructure and employee training, but one of them is certainly appropriate insurance against cyber risks.
The consequences of a breach in cyberspace can vary, depending on what kind of incident we are dealing with. This could be the theft of intellectual property or commercially sensitive data, which are a source of competitive advantage for the company. Certainly, databases of all kinds, whether they contain personal, sales or strategic business data, are now the target of attacks both by hackers and by rogue competitors, who may seek to seize sensitive data by means of “buying employees.” Employees may also gradually steal data held on company equipment or storage and use it when it suits them.
In addition to the risks of losing data, leaking it to competitors, exposing it online, etc., there is also a fundamental reputational risk from such actions. Such damage is difficult to assess, due to its intangible nature, but can often be crucial to the future of a given company.
Key elements of cyber risk protection
When selecting insurance for cyber risks, it is important to determine very carefully what is to be covered and whether the concepts of insured event, insured object and insurer’s exclusions of liability, as defined by the policy and general terms and conditions, meet the needs of a particular enterprise.
In order to maintain business continuity, entrepreneurs are forced to organize remote work. Employees perform this work from home, using equipment provided by the employer or their own equipment. Regardless of the work model, the employer’s data can easily be lost.
As a general rule, cyber insurance covers three basic categories of events that make up cyber risks. These are: civil liability of the entrepreneur, legal protection costs, and financial risks arising from the interruption of the insured’s business. Of course, these three basic coverages do not have to be the only ones, but due to the voluntary nature of insurance, they should be established in great detail when concluding the contract. A very important aspect when analyzing insurance products is also the so-called “trigger” used, which is the time factor that determines insurance coverage. This issue is particularly important with cyber insurance because it is extremely difficult to determine the exact moment of damage. The effects of a violation are usually more apparent than its cause, which is often only learned through a lengthy investigation with the help of specialized services. However, the insurance coverage does not have to be limited to events that occurred during its term; the insurer’s liability may apply to events reported while the insurance is in force.
Exclusions – are they adapted to the real needs of the market?
The insurance market cannot offer absolute insurance and therefore includes a number of liability exclusions in its products. The question may arise whether such exclusions are adapted to the needs of the market, and here one can certainly find arguments for and against.
One thing is certain: in order to benefit from cyber insurance coverage, the entrepreneur themselves must be aware of the insurance and protect the data.
In the event of data loss, policies often do not, for example, cover fines imposed on the business by the relevant authorities or reimburse the cost of restoring data or software. In addition, common exclusions are lost profit and losses incurred due to delay, inefficiency, loss of market…
In the context of data security standards for remote work, it is also worth noting that some general terms and conditions of cyber risk policies do not cover damages resulting from the wilful misconduct or gross negligence of the Insured’s representatives. Omissions in electronic data protection or wilful violations may also not be covered. Thus, if an entrepreneur knowingly fails to comply with the obligations imposed by law, including the provisions of the GDPR, they may not be able to take advantage of the concluded insurance.
When considering cyber insurance in the operation of a business, it is necessary to understand that, due to the nature of these risks, other insurance products commonly used and accepted by entrepreneurs as necessary for the smooth and safe conduct of business, such as liability insurance or property insurance, are not sufficient. A company’s security policy for preventing cyber risks will thus be, as it were, a combination of IT knowledge and technology, knowledge of one’s own company, planning its operations in the era of ever more popular remote work (which need not end when the impact of the pandemic on our lives ends or diminishes) and insurance techniques.