The growing interest in cyber insurance gives rise to an increasing number of questions about the industry: What does the current market for cyber insurance look like? What cyber risks should SMEs insure? In our interview series, we discuss current questions on cyber insurance with industry experts. In the third part of our series, we spoke with Hanno Pingsmann, CEO and founder of CyberDirekt, a German cyber insurance brokerage platform.
Dear Hanno, how did you get involved in cyber insurance? Some might consider this the worst of both worlds: tedious insurance combined with nerdy computer stuff.
In 2017, after about four and a half years working in fintech, I decided I wanted to drive an innovative business approach in the insurance industry. When I came across cyber insurance, I realized that a completely new market was emerging, in which technology – and that is actually the exciting part – would play a major role.
Over 1,200 brokers in German-speaking countries use your platform for insurance comparisons. How do you think the market for cyber insurance is currently developing?
It always depends on which customer segment you are looking at. In the industry segment, which includes all DAX/MDAX companies, high demand for cyber insurance had already begun to develop at the end of 2018. In the SME segment, this development started somewhat later, and we saw a sharp increase as of 2020, for example. That is certainly also because of the Covid-19 pandemic, which forced many companies to quickly move jobs to a work-from-home model. This created new risks, which led to many decision makers having to address insurance coverage against cyber risks more intensively. Since then, the market has developed very dynamically, with high double-digit growth rates.
Which cyber risks should you insure because preventative actions do not offer enough protection?
Unfortunately, there is no simple answer to that, because despite prevention some risk always remains – regardless of risk area, attack vector or type of attack. The security gaps in Microsoft Exchange servers that put almost ten thousand German companies at immediate risk in March this year are one example.
Weighing up whether to take out cyber insurance or invest in greater protection is not expedient in my view. This is because cyber insurance should supplement existing IT security concepts as an integral part of well thought out, holistic cyber risk management.
In this day and age, all companies have to confront their own particular cyber risks and I believe it is part of the duty of care of every managing director to consider and utilize the possibilities available for transferring risk.
Should companies take out insurance for ransom payments in ransomware attacks? Or simply not pay?
How to handle insurance in case of ransom demands is a complex topic. That of course raises fundamental questions from a legal and moral standpoint. An intensive discussion is currently underway as to whether insurers might even be encouraging organized cybercrime by offering coverage for ransom money. However, I’d like to answer this from the customer’s perspective, as we ultimately represent their interests as an insurance broker. In some cases, giving in to a ransom demand could be a last resort to avoid serious damage to a company, e.g., production being suspended for several weeks or months. Companies should keep this option open, and I can only recommend that all customers also include help on ransom demands in their cyber insurance.
Are there any industries or types of company that are particularly difficult to insure?
Yes, absolutely. For example, companies in the area of critical infrastructure, gambling, crypto assets, e-health, payment transactions, direct marketing, debt collection, or those operating social media and dating platforms. However, insurers do not have a uniform approach here. This means that even companies in so-called high-risk industries can get offers for cyber insurance. Having said this, the search is more complex and requires a great deal of market know-how and expertise in placing cyber risks.
Which preventative actions would you recommend for manufacturing companies in particular?
A frequent problem is a third party gaining unauthorized entry via remote access to communication systems and files or remote maintenance/management of machinery and production processes. Hacker attacks in this area are often highly targeted, for example spying out login data. Unfortunately, this risk increased exponentially due to the Covid-19 pandemic. Therefore, I recommend that companies enforce complex passwords, deploy multi-factor authentication, and only permit encrypted data connections.
Moreover, employees must adhere to strict codes of conduct: regular mandatory security updates, no use of third-party software or USB sticks, no mixing of company and private data, and exact specifications for e-mail traffic or data exchange. For most employees, cybersecurity training is just as much a part of day-to-day work as workplace safety training. These actions should be checked with simulated cyber attacks, e.g., a phishing simulation test.
Can you outline 2-3 aspects that are not patently obvious, but that SMEs should consider in their cyber policies? What are potential tips and tricks?
The total amount insured plays a key role. This should cover a worst-case scenario. Many companies underestimate the severity of a cyber attack, e.g., that it can lead to operations having to be suspended for 3 to 4 weeks. These time frames are not uncommon among manufacturing companies. The total amount insured therefore has to include at least the expected loss of earnings, the use of IT forensics, and the cost of recovering systems and networks.
Beyond this, companies can also get insurance coverage for the breakdown of external software services (e.g., cloud services, software as a service, web-based applications) that can directly lead to the suspension of their operations. Cyber insurance therefore not only provides coverage in case of hacker attacks on in-house IT systems but can also cover a breakdown in third-party software services used by the company.
Is it true that insurers do not pay out in the event of a claim if, e.g., audits or employee training were not carried out in time?
As a rule, companies have to provide correct data when taking out cyber insurance. When assessing risk, if an insurer asks whether employees receive regular training on IT security, the company insured may have to provide evidence of this in the event of a claim. However, not all insurers define employee training as a minimum requirement. Personally, I believe cybersecurity training and sensitizing employees to cyber attacks are an absolute must and as essential as training on safety at work, data protection or prevention against money laundering.
Are there any other false statements or half-truths that you often hear from experts?
Yes, unfortunately. For example, I often hear that fines relating to breaches in data protection are also covered by insurance. That is of course not the case, as fines imposed by a public authority in the domestic market are uninsurable. This would undermine the steering function of GDPR fines. Customers with cyber insurance can however draw on legal advice and IT forensic services to provide national data protection authorities with facts and arguments as a basis for determining the amount of the fine.
From today’s standpoint: Do you think premiums are likely to rise or fall long-term as security actions become increasingly established in companies, i.e., adjusted for inflation?
Based on the development in the number and level of claims, I expect premiums to increase further. Since 2018, some insurers have recorded an increase of 300% in claim indicators. Alignment of risk premiums will therefore be an inevitable and logical outcome. Last year, we already started to see an upward trend and this is increasing in every quarter. It won’t be possible to compensate for this impact with security actions. I even expect companies to have to invest more in prevention to even be able to purchase cyber insurance in the first place. As premiums increase, many insurers will also align their underwriting guidelines and require companies to enforce higher security standards.
Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.