Cyber Policy – Fire Insurance of the 21st Century

Until recently, the main sales argument for cyber insurance was the risk related to the GDPR. Of course, this Sword of Damocles in the form of the President of the Personal Data Protection Office, who readily punishes entities that handle personal data carelessly, is and will remain an effective deterrent. Everyone will be impressed by the largest fine imposed in Poland on an online store (PLN 2.8 million), or the most recent event of this type – a fine of almost PLN 2 million imposed on Virgin Mobile. Cyber insurance may of course cover the financial consequences of such incidents, but since most business processes have now moved into cyberspace, such insurance needs to be looked at from a much broader perspective.

Cybercrime continues to grow and has become a global threat to all businesses, regardless of national boundaries, size or industry. According to the Allianz Risk Barometer report, in 2020 cyber incidents became the most important business risk (39% of responses) for companies worldwide for the first time. Seven years earlier, this risk was in a distant fifteenth place and was noticed by only 6% of respondents. Polish experts placed this risk in third place – behind business interruption, and fire and explosion – but with a relatively high score of 38% of responses. The respondents' perception is also confirmed by official data. According to the 2019 Annual Report on the activities of CERT Polska, the number of cyber incidents handled by this institution increased from 3,738 in 2018 to 6,484 in 2019.

Number of cyber incidents – data from CERT Polska

Data from global markets also confirm a clear upward trend. Particularly visible is the growing incidence of ransomware (malware that encrypts a computer's data and demands a ransom for its release); according to various estimates, the number of such incidents doubled in 2019 compared to the previous year. The case of Norsk Hydro, a global giant of the metallurgical industry, was particularly "spectacular": as a result of such a targeted attack it lost the ability to execute orders and incurred losses in excess of USD 60 million.

Perpetrators are becoming ever more professional, technical IT protection measures such as firewalls no longer provide 100% protection, and employee error is now the main cause of cyber incidents. In this area of conflict, transferring cyber risk has become an indispensable part of enterprise risk management. Cyber insurance, like any other, of course has its own exclusions and limitations, but it is worth looking at the extent to which it can support an entrepreneur in dealing with the consequences of such an event.

In the face of a cyber incident, your insurance policy may turn out to be your first line of defense. Most insurers offer broadly defined claims assistance with a 24/7 call center. The insurer, working with specialized companies with which it cooperates on a permanent basis, can act as a crisis manager on behalf of the insured. As part of these services, it can provide IT or legal support. This can be especially valuable for entrepreneurs who, for example, do not have their own IT resources: the cost of IT forensics services, and their availability in the face of a sudden crisis, may turn out to be quite a challenge.

The insurer will also cover a number of first-party costs related to the IT incident, as well as costs and damages owed to third parties, including but not limited to:

– costs of legal defense and compensation in the event of loss of personal data, disclosure of commercial information, or breach of network security (infection of third-party systems),

– costs of data restoration, purchase of new software, unblocking access to data,

– costs of administrative penalties for data breach (sanctions for breach of provisions on the protection of personal data),

– costs of legal services and representation before state authorities in connection with proceedings conducted by a supervisory authority,

– costs of providing IT forensics services by specialists,

– costs of providing services by independent advisers aimed at protecting the company’s reputation,

– costs related to notifying persons whose data has been breached,

– costs of loss of profit due to business disruption (also where caused by an error of the insured's employees or a system failure; cover can also be extended to losses resulting from business interruption at an external service provider),

– cost of ransom as a result of an extortion attempt (if justified),

– costs of damage caused as a result of media activities (e.g. defamation, violation of the right to privacy, copyright infringement, etc.).

It should be noted that this insurance is constantly evolving, and new, interesting additional clauses are appearing that extend the insurer's liability, such as theft of funds as a result of illegal access to the IT system (cover that was usually available only under crime insurance), or even as a result of social engineering – e.g. "fake president" fraud. It is also possible to cover incidents involving a hack of a telephone exchange (the cost of calls made to premium-rate numbers), violation of the PCI DSS standard, or even payment of a reward to a person who helped find the perpetrator of a cyber incident. While competition is conducive to product development, it should be expected that the growing loss ratio – inevitable given the growing popularity of this insurance and the number of incidents – will, over time, induce insurers to limit their liability.

It is increasingly difficult to imagine an industry that is not exposed to this type of event. The experience of recent days shows that even Microsoft cannot feel safe, although in the case of IT companies the greater exposure lies in professional liability risk, and I strongly recommend professional liability cover to them, because in their case cyber insurance will cover only first-party costs. Any manager who has not yet noticed these risks should, for the sake of the results of the company they manage, dispel the myth "this does not apply to us", analyze the weaknesses of their organization, and consider what risk-transfer options the market provides. If fire insurance seems obvious to most, why is cyber insurance not perceived in the same way in Poland, given that such risks are considered the greatest threat of our times?

Piotr Rudzki

Financial Lines Practice Leader, Insurance and Reinsurance Broker, GrECo Polska

Last Updated on January 5, 2021 by Karolina Ampulska