Cyber incidents are becoming increasingly frequent and widespread and the losses caused are increasing. All industries and all manner of businesses are susceptible. It is prudent for companies and insurers to view such incidents not so much as ‘if’ they should occur, but rather ‘when’ they will occur. It has been estimated that the global cost of cyber-related crime will rise annually to USD3 trillion by 2021. Although cyber incidents are a worldwide issue, it is fair to say that the Middle East is experiencing higher levels of cyberattacks in relation to the global average.
In our video below, Justin Whelan answers 10 questions relating to cyber security from an insurance perspective:
Within the Middle East, Saudi Arabia is the most targeted country and energy companies appear most at risk. As the region has rapidly digitally transformed, so has the risk, threat and occurrence of cyberattack.
The damage is widespread and includes, inter alia, loss of data, intellectual property, money and reputation. Cyberattacks cause significant business interruption and incident response costs. They can also lead to physical damage and personal injury.
Against this context, an alarming number of businesses continue to question whether specialist cyber insurance cover is necessary. Indeed global organisations continue to spend almost four times as much on property-related risks than they do so on cyber. This is surprising given the physical damage requirements to trigger a property policy. Cyberattacks can result in significant losses without any physical damage. An absence of physical damage under a property product, and an absence of specialist cyber cover, may well leave a business facing uninsured losses.
There are challenges to businesses in securing adequate cyber risk cover. Specialist cyber policies generally do not cover physical damage, and physical damage policies generally do not cover cyber losses. In the absence of having both specialist cyber and physical damage policies the result is a gap in coverage. Such challenges are furthered by an absence of standard terms and perceived onerous disclosure and notification requirements under specialist cyber policies.
From the insurers’ perspective, a challenge is presented by the uncertainty that arises from silent cyber cover, i.e. where cover is not specifically included or excluded and thereby implied. As cyberattacks continue to rise and become more embedded in societal awareness, it is becoming more difficult to argue, in the absence of specific exclusion, that cyber incidents are not covered in certain traditional policies.
Also, when cyber is expressly excluded via standard CL380 wording it is often overlooked that the exclusion only bites when the attack occurred as a means for inflicting harm. In other words, cyber losses caused by human error or computer glitch are not excluded and the policy may well respond despite the insertion of CL380.
Given the above, there is clear scope for market initiatives with new clauses and policies, improved risk management and prevention, and education and training for both businesses and their insurers. This will progress alongside increased regulation and legislation.
Time will tell just how economically impacting cyberattacks will become, and just how fundamental will be the role of governments in cyber insurance. In the meantime, cyberattacks are occurring daily on a global scale and only going to increase with the inter-connectivity of society and the Internet of Things. Whilst many businesses are concerned but unsure exactly how to respond and manage cyber risks, there are opportunities for insurers notwithstanding uncertainties as to potential exposures.