Perhaps the TV series Mr. Robot, which follows the adventures of a computer hacker, is having an impact? For some months now, television stations across the United States have been showing ads for a new type of product – cybersecurity insurance. Insurers are taking advantage of recent events, alerting prime-time TV viewers to the risks of cybercrime and the Dark Web and offering insurance cover for identity theft, data leaks, litigation with online merchants and even one’s e-reputation. In the US, cybersecurity insurance has already been available for a number of years, but recent events have shone a spotlight on such risks. The year 2017 has been marked by a surge in large-scale malware attacks against both companies and private individuals. Chinese malware Fireball infected 250 million computers worldwide, while Copycat wormed its way into 14 million Android smartphones, to which we can add the 10 million victims of HummingBad. This is a seriously worrying trend. Hackers are no longer taking aim only at companies; any household could have its family PC frozen and face a ransom demand. The general public is an easy target for ransomware, as the average person’s computers and other electronic devices are not as well protected as those of a major bank or government ministry.
WannaCry: 200,000 victims
Cybersecurity insurance originated in the United States
The cyber insurance market for companies emerged in the early 2000s and is now well-established on the other side of the Atlantic. This type of cover does exist in Europe but it has been estimated that 90% of all cyber insurance policies have been taken out in the United States. Currently covering fewer than 10% of all firms, the market is today worth only $2 billion, but it could well reach $20 billion over the next ten years. Regulation will play an essential role, especially in the US, where an initiative from the California authorities is now expanding rapidly to other federal states. Meanwhile in Europe, the level of fines to be imposed on companies that experience a data leak, as defined by the General Data Protection Regulation (GDPR) due to come into force in 2018, is likely to encourage companies to purchase cover for this risk. The 2017 annual survey from the Risk Management Society (RIMS), polling its 11,000 members, revealed that the percentage of US companies covered by cyber insurance surged from 51% in 2015 to 80% in 2016 and rose again to 83% in 2017. This shows that US companies are already well aware of the risks associated with cybersecurity. Insurance firms are now looking to expand their market to the general public.
For several years now, insurers have been thinking about offering cyber insurance to private individuals. In 2015 the Wall Street Journal gave an update on this market, which was then still in its infancy. However, insurers have now begun to include options covering identity theft in their general household risks policies. Insurers promise to indemnify a member of the household whose identity has been stolen via a bank or local authority. The insurance company agrees to compensate a policy-holder for between $25,000 and a million for any purchases made by an identity thief, and also for the time the insured has to spend on the administrative procedures required to re-establish his/her digital identity. At the same time, the insurer offers the client anti-phishing software designed to reduce to some extent the risk of subsequent cyber-attacks.
This market is potentially profitable for an insurance company: while the cost of cover is only around $25 a year, as many as 41 million Americans actually fell victim to identity theft in 2015. Massive theft of emails, as in the attack on Yahoo, enables thieves to purchase people’s contact details on the Dark Web for a few cents and exploit them. Dublin, Ireland-based credit-reporting agency Experian promises its insurance customers permanent monitoring of the Dark Web and alerts if details of their identity should show up in any files put up for sale by malicious hackers. Insurance companies believe that the general public in the United States is now ready for this type of insurance, given that cover relating to payment methods and e-commerce has already blazed the trail. In the US, people enjoy far less legal protection regarding online purchases than, for example, French citizens do, so many have opted for additional cover relating to digital payments. This in turn has encouraged insurance companies to draw up cover for the consequences of identity theft and, more recently, data loss. A great deal has been written in the media about the recent massive wave of malware attacks and many people have fallen victim to ransomware, which encrypts the contents of their hard disk, enabling the hackers to demand hundreds, if not thousands, of dollars’ worth of bitcoins to unfreeze the files. Accordingly, insurance firms have drawn up policies designed to compensate people who find they are unable to restore their personal data following this type of attack.
French market is highly immature
In France, the situation is very different. Not only is there very little of this type of insurance available to the general public; even companies seem to find it hard to insure against cyber risk. Experts estimate that in France only 10,000 policies of this type have been taken out. Only 60% of the CAC40 (the 40 leading companies by market capitalisation on the French stock market) have purchased this kind of insurance. Moreover, the approaches to, and conditions surrounding, the insurance policies on offer in France are very variable. Some insurers will provide cyber insurance immediately to small and medium-sized companies after they have filled in an online form, while others require the prospective client to go through a full security audit and also insist that they put in place state-of-the-art security measures before agreeing to insure them. Cyber insurance has been around for the last twenty years but Olivier Blandin, the Head of Distribution Studies at French insurance think-tank LAB (Bankinsurance Laboratory), sees the market in France as still very immature. He underlines: “This market is basically a US, and partly UK, market. In continental Europe, it’s still in its infancy. Whenever the media reports on a ransomware attack, small and medium-sized companies start thinking about obtaining cover, but then the impetus deflates just as quickly because the market is still very small and there are very few insurance policies on offer.” Blandin stresses that very few non-specialised insurance agents or brokers are really capable of meeting demand in this field, which makes it even more difficult for a smaller business wishing to insure itself against data loss and cyber-attacks. At the same time, he is somewhat dubious about US contracts being ‘imported’ into Europe. 
“Insurance policies in continental Europe, which have been developed to meet the needs of large companies, are very often based on US policies and just translated without really taking into account the specifics of other countries, as is the case for example with cover against the risk of incurring criminal charges, which can’t be insured against in France in the same way as it is in the US,” he points out.
Blandin suspects that even the toughened-up EU General Data Protection Regulation (GDPR), due to come into force in 2018, will not be enough to encourage French companies to obtain insurance cover. He points out: “Company bosses tend not to make the link between data protection and insurance. And no cybersecurity consultant running information system audits will team up with an insurance company to offer a fully-secure information system, plus insurance to cover any legal risks. This shows that the market in France is still very immature today and we just don’t know how to get it off the ground!” Blandin argues that the only way of getting this sort of insurance policy up and running in France is to introduce regulatory requirements or insert the appropriate clauses into third-party liability policies, as some Anglophone insurers do. He argues that this is “a solution that enables the costs to be spread, given that the cost of cyber insurance today is very unpredictable because insurance companies don’t have enough historical information to be able to calculate an average cost. A cyber-attack on a small or medium-sized company will cost the firm in the order of €600,000 – quite sufficient to drive many French SMEs into bankruptcy.
If we look at the general public insurance market in France, insurers are having to use their imagination to encourage people to take out cover against cyber risk. The high degree of protection guaranteed by French law to anyone making purchases on the Internet limits the scope for payments-related insurance, which has forced insurers to bundle such policies with cover for loss of identity papers, keys or smartphones. Norbert Girard, Secretary-General of France’s Observatory on the Evolution of Insurance Businesses, underlines that “in France, the first-ever insurance policies for risks associated with computer security were drawn up for the corporate market, for example indemnifying firms against the cost of reconstituting files following loss or accident. For private individuals, it’s identity theft that’s pushing insurers to offer additional optional guarantees on top of existing multi-risk home policies. This is part of the thinking on how to broaden the range of risks covered by insurers”. This has led a number of insurers to add to their portfolios offers of cover for identity theft and the protection of e-reputation, but question marks remain as to people’s appetite for this kind of cover on the one hand and the cost of providing cover for these niche risks on the other.
“The main question when it comes to providing this type of insurance for private individuals is whether they can afford it”, says Olivier Blandin. “This kind of cover can only be provided if the cost can be spread over a large number of clients, for example a large bank holding millions of account agreements signed by its customers would have no difficulty amortising the costs of such insurance.” For a number of years now, BNP Paribas has been offering a policy called BNP Paribas Security Plus, which started out as a policy covering traditional payment methods, i.e. cheques and cash. Since then it has been expanded to include legal assistance in cases where the insured person’s private data is used fraudulently.
“We provide our customers with a special website page giving information and assistance on what they should do if they are ever faced with identity theft,” explains Emmanuelle Fenard, Head of Marketing at BNP Paribas Cardif, the BNP Paribas Group’s insurance arm, adding: “We help our customers analyse the circumstances from a legal point of view and assist them in settling the dispute. If an amicable agreement can be found, we will pay up to €1,000 in compensation. If efforts to reach an amicable agreement fail, we will bear the cost of legal assistance up to €10,000 in lawyers’ fees. If the case still hasn’t been resolved within five months of filing the lawsuit, loss of salary and some other costs may also be reimbursed up to an amount of €5,000.”
Emmanuelle Fenard sees a distinct lack of appetite in France for cyber insurance, compared to the United States. “When it comes to obtaining protection, many French people are in denial. They believe they’re already sufficiently protected, that their passwords are good enough, and they often take the view that ‘this only happens to other people’. This is perhaps why Europeans are less keen to take out this kind of cover. It’s also why we’ve included these guarantees in our policies covering payment methods, so as to maximise our policy-holders’ cover.” In France, given the lack of maturity regarding cyber risk, insurers have had to resort to broadening the scope of their policies for private individuals covering payment methods and multi-risk home insurance against fire, accident and diverse risks, rather than trying to sell specific insurance for cyber risk. Meanwhile, it looks as if insurance companies in France, and elsewhere in Europe, will have to wait until people wake up to the dangers of identity theft and personal data theft.