As interest in cyber insurance grows, people are asking more questions about the industry: What does the cyber insurance market look like right now? What kind of risks should SMEs insure against? Is it actually a good idea to insure against making a payment after a ransomware attack? Or is it better to just not pay? In this interview series, we talk to industry experts about what’s happening in cyber insurance. Alexander Schudra, our first interview partner, is Head of Cyber Insurance at ERGO.
Mr Schudra, can you tell us something about your background?
Sure. So actually, I don’t have a technical background, but an economic one. I spent nearly 13 years working in various roles at ERGO: nine of them in Sales and three in central functions. In late 2019, an opportunity came up to take on a new challenge in cyber – and I gladly accepted it.
How do you see the market for cyber insurance – looking back and currently?
I have now been getting to know the market intensively for 2 years. Still, this objectively manageable time feels like a small eternity, because the cyber market is in tremendous motion. It seems like every week there are new clauses, new players, extremely fast-moving threats and new capacities. Not only that, but you blink and capacities and prices might easily fluctuate by more than 50 percent. It’s exciting, of course, but planning is a real challenge. A lot of that uncertainty is caused by a lack of technical expertise in most companies – large and small. And they often have very little awareness – or none at all – of their own threat situation. Here, insurers, customers and their brokers are all in the same boat. Of course, when there is great uncertainty, the justified wish is for the insurance industry to offer suitable solutions for risk transfer. However, this is only possible in the long term, and only sustainable, when the risks are transparent and actually insurable.
As a medium-sized company, what should be covered by organisational measures and what by technical measures, and which cyber risks should be insured against?
That’s a good way of phrasing the question, since all of those issues build on each other. Without a certain level of technical and organizational cybersecurity in place, it’s likely going to be difficult to get insurance coverage in future. It’s the same as if you don’t lock your car: that briefcase on the passenger seat also isn’t insured against theft. All in all, and here the sectors certainly differ from one another, it definitely makes sense to obtain protection for exceptional situations through insurance. Only a few companies will be able to afford to recruit their own permanent crisis managers, PR advisors and IT forensics experts. Insurers can provide access to that expert network and also pay the costs of the work. The same can be said of preventive measures: it is entirely possible to implement these in cooperation with your insurer. Otherwise, the effort required to install measures can be too much for smaller SMEs.
What preventive measures would you advise that manufacturing companies in particular take?
Definitely training for all employees on cyber fraud and phishing, as well as regular reviews of the current situation based on objective criteria – a sort of stock-take once or twice a year, depending on complexity.
Is it actually a good idea to insure against payment in the event of a ransomware attack? Or is it better to just not pay?
Generally speaking, we have solid evidence that even if the costs are not going to be reimbursed by your insurer, paying a ransom can be a solid option in certain circumstances, to prevent longer-term business disruption or where there is a threat to release sensitive data. It really depends on the situation; there’s no one-size-fits-all solution. But what is true in all cases is that in the end, it is always worth reaching out to the attackers through specialists! Very often we can reduce the ransom amount significantly and obtain information about the timing of an attack or its origins. And that itself is an enormous help in recovering data and restoring operations, regardless of whether a ransom is paid.
What technical innovations in cybersecurity have you found especially interesting?
I think people really underestimate the issue of outside-in scans. These are scans that give an external perspective on a company’s publicly visible interfaces – like a website or mail server. This simple test can help detect easily identifiable vulnerabilities. It’s similar to the approach an attacker would take. Personally, I think these types of tools can help at least get some control over the moving parts in a threat situation and quickly identify obvious gaps in security. However, there is still a lot of work to do in this area; right now the different providers are producing very mixed results.
Are there industries or types of business that are especially challenging to insure?
Of course. There’s evidence that companies with revenues in the double-digit millions are slowly becoming more complex, and that there is a growing dependency on functioning IT infrastructure. If acquisitions of companies or subsidiaries increase the complexity of that infrastructure, that’s where it gets challenging.
Specifically in terms of industries: logistics companies and the manufacturing industry are usually much more vulnerable than, for example, the ancillary construction industry. In addition, trades with a large amount of sensitive data are generally more exposed, e.g. doctors or tax consultants and lawyers.
Are there two or three aspects that are not completely obvious but that SMEs should look out for in cyber policies? Can you share any tips or tricks?
There’s no blanket answer to that question. In general, in addition to the obligatory check of the conditions and obligations, one should always ask which service provider is available in the event of a claim and whether the insurer prescribes a specific provider with no alternatives. It’s also important to understand each party’s obligations and ask questions during the initial stages of the process, and make sure to follow up if anything is unclear. A common understanding of what exactly the insurer wants to know or requires is enormously important.
Is it true that cyber insurance policies do not pay in the event of a breach if, for example, certain measures were not carried out in time or false information about IT was provided during the application process?
We can tack this on to the answer to the previous question. As in other insurance segments, such as health, insurer queries about facts must be answered truthfully and upfront. In the event of a breach, it very quickly becomes clear how the attack happened, and whether the security mechanisms reported to have been put in place actually exist. Another example would be P&C insurance in the event of a fire: if a fire breaks out and there are no extinguishers in the location where the loss occurs, then that’s a conversation that’s going to happen regardless. Insurance firms often mandate a set of basic security measures. If those are not fulfilled, then in certain situations the insurance may not even come into effect.
Are there other types of common false statements or half-truths that you hear from experts?
Let’s come back to the issue of outside-in scanning. Does that type of activity alone tell us anything about the state of cybersecurity? Obviously not. Is it pointless for companies to regularly evaluate their own infrastructure to detect any vulnerabilities? No, I don’t think so.
From today’s perspective, do you think premiums are likely to keep rising, or will they start to fall (adjusted for inflation etc.) as security measures become more widespread in companies?
I wish I had a crystal ball that let me make those kinds of predictions. But I’m going to assume that the trend of rising premiums will continue. The tangible hardening in the market correlates directly with the massive rise in cyber claims in recent months. As such, we can assume that customers will not be able to keep buying cyber coverage at the same cost and under the same conditions. Everything will revolve around using active risk management to make existing risks transparent and insurable.
Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.