Data is the lifeblood of the modern organization. Cloud applications, electronic communications and connected devices are now essential to business operations in most companies. Like other assets, therefore, data also need to be insured against breaches and an increasing number of companies are buying cyber insurance.
The global cyber insurance market size was $6.15 billion in 2020. The market is projected to grow from $7.60 billion in 2021 to $36.85 billion in 2028 at a CAGR of 25.3 percent.
Like other assets, data also need to be insured against breaches and an increasing number of companies are buying cyber insurance
Cyber insurance usually comes in two forms— first-party coverage or third-party coverage. First-party coverage safeguards the insured client from possible losses caused by a data security incident. On the other hand, third-party coverage provides liability coverage for companies responsible for a client’s security.
Several industry specialists discussed with TRENDS the important aspects of cyber insurance, developments in 2021 and the outlook for 2022.
Importance of cyber insurance
Ricardo Arroyo, Chief P&C Commercial Lines Officer, AXA Gulf, said that the importance of cyber insurance is “extremely underrated”, especially in the wake of targeted attacks that have taken place over the last 18-24 months on companies and governments alike.
Arroyo added: “This is warfare at a different level and all entities with potential exposures must ensure that they are adequately, if not substantially, protected. Consistently high intrusion rates across email, cloud, URL, spam and malware show that vulnerabilities in organizations’ transactions and endpoints, network, and cloud are more easily exposed now than ever before.”
PV George, Executive Director of Al Sayegh Insurance Brokers, said, “Cyber threats and ransomware have substantially increased over the last few years making it increasingly difficult for government entities to insure themselves from cyber attacks.”
In turn, cyber security measures have increased, leading to higher insurance premiums and deductibles, he added.
“As more and more manual tasks are done online, hackers have an easier time targeting governments and financial institutions. Therefore, insurance companies require extensive information before underwriting cyber risk insurance in their books,” he said.
According to George, insurers also require clients to meet high-security benchmarks to even qualify for the coverage. As a result, cyber insurance is recommended because, in the event of an unforeseen circumstance, businesses are not only protected at the time a claim is made but also receive guidance and advice on security protocols and mitigating business risks from their insurers.
Simon Bell, Cyber Expert and Financial & Professional Lines Leader, Marsh MENA, said that it is very important for companies of all types to consider cyber insurance as a key component of their cyber risk management programs as it can alleviate the financial burden brought about by the costs incurred whilst responding to a cyber-incident, restoring network and data or dealing with their third party liabilities.
Costly premiums
The cyber insurance premiums are costly. Ricardo Arroyo explains why. The inherent expenses for such insurance depend a lot on third-party technical specialists such as forensics, analysts, PR, best-in-class claims handlers, critical infrastructure responders, ransom negotiators, data breach regulators, and so on, he said.
“Given the fact that the remit is generally multi-country for such attacks, insurance companies heavily depend on specialists from different jurisdictions to mitigate all broad repercussions to the insured in particular and the industry in general,” he said.
According to Bell, however, the costliness of cyber insurance is a misconception due to the very broad cover it provides and the difference in the intangible nature of a cyber insurance policy in comparison to traditional property policies.
The costliness of cyber insurance is a misconception due to the very broad cover it provides and the difference in the intangible nature of a cyber insurance policy in comparison to traditional property policies, says Simon Bell, Cyber Expert and Financial & Professional Lines Leader, Marsh MENA
He added, “Cyber underwriters focus on good risk management practices – just like any other traditional lines – and the pricing is influenced by the maturity of an organization’s cyber risk management program.”
The complexity and the nature of data breach risks make cyber insurance premiums costlier than conventional cover, according to George. He said the premium is likely to increase due to the rise in ransomware attacks and ransom payments.
Insurance premiums and coverage are usually determined by a thorough review of the company’s cyber security standards, network security, internal controls and business continuity crisis management and are customized to each company’s specific needs and limits, George said.
“Under cyber insurance, the prospective buyers can purchase various covers such as cyber liability insurance, cyber theft insurance and business interruption insurance,” he added.
Demand surges during the pandemic
During the last 24 months, Arroyo said, digital attacks and incident response notifications have doubled as more and breaches were detected and responded to.
“Having said that, the scale and scope differ from company to company when it comes to the potential value of data, country of operations and potential quantum of ransom, if applicable. Furthermore, spam continues to be the most prominent threat vector across the region,” he said.
During the last 24 months, digital attacks and incident response notifications have doubled as more and breaches were detected and responded to, says Ricardo Arroyo, Chief P&C Commercial Lines Officer, AXA Gulf
Bell said there has been a surge in demand for cyber insurance, brought about by the pandemic and the sudden shift in companies moving to remote work setups.
“At this time, we also started to witness intensified ransomware activity,” he said, citing World Economic Forum and Marsh McLennan Global Risk Report 2022 that said there was a staggering 435 percent increase in ransomware attacks in 2020.
He added: “We expect an increase in demand for both cyber resilience programs and insurance to continue in 2022 and the coming years.”
A profitable proposition for GCC firms
Arroyo said the profitability of cyber insurance depends on many factors related to market and segment positioning.
“For the GCC region, cyber insurance is still a viable and profitable proposition when compared to Europe, Asian and US markets due to several factors such as a low litigation environment, lack of full awareness about the potential domino effect on operations, scope and scale and so on,” he said.
He added: “We expect this to change in the next three years. In terms of claims in 2020-21, a combined 56.87 million email, URL, malware, and banking malware attacks were recorded in the GCC region during the first half of 2020, according to Trend Micro report.”
In terms of claims in 2020-21, a combined 56.87 million email, URL, malware, and banking malware attacks were recorded in the GCC region during the first half of 2020, according to Trend Micro report
The number of cyber claims has increased in 2021 compared to previous years since the global environment has changed and the world is moving towards technology and remote working.
Bell said there has been an increase in the number of claims during the past couple of years, mainly driven by systemic risk events where one incident has an impact on multiple organizations (insureds) leading to catastrophic financial losses, as well as by the notable and notorious increase in ransomware activity.
“This has pushed the cyber markets into a challenging cycle for buyers,” he said.
Cyber insurance buyers in the UAE
Arroyo said there has been an increase in demand from the SME and mid-market client pool as well as financial institutions due to the potential cyber fraud exposures inherent in their particular industries.
He said that in the GCC countries, there have been a never-before-seen increase in virus attacks, particularly targeted towards country domains. In addition to this, data leaks are also on the rise. A few recent examples include the Stealer malware in Bahrain, Dustman & Shamoon data wiping attack in Saudi causing disruption or destruction, crypto-asset and blockchain-related attacks, albeit nascent at this stage.
In the GCC countries, there have been a never-before-seen increase in virus attacks, particularly targeted towards country domains. In addition to this, data leaks are also on the rise
According to Bell, while there is no clear distinction in the type of companies that procure cyber insurance, there has been a surge in demand for cyber insurance in the UAE across industries such as energy and power, critical infrastructure, financial institutions, professional services and healthcare.
George said, “Companies that rely heavily on technology/IT, as well as those who store sensitive data in the cloud or on an electronic device. Cybersecurity insurance protects businesses and financial institutions against losses caused by cyber incidents, including data breaches and theft, system hacking, ransomware extortion payments and denial of service.”
Outlook for cyber insurance demand in UAE
Arroyo said, “We are gearing up accordingly with relevant yet robust coverages, pricing metrics, customer-centric incident response handling, as well as increasing our go-to market capacity. A similar strategy is being adopted by new reinsurers that are considering entering the market on a limited basis with adequate appetite and capacity.”
Bell said the UAE ranks “measure of cybersecurity failure” as a top-3 risk according to the executive opinion survey part of the World Economic Forum’s Global Risk Report 2022, released in partnership with Marsh McLennan.
“This is indicative of maturity of the respondents. There is still more work to be done to prepare and effectively manage cyber risks. Without a doubt, risk transfer via cyber insurance will remain on top of the board agenda in 2022. Also with the announcement of the introduction of privacy laws and the regulatory risks across the GCC and the UAE, we do expect to see an increase in demand – specifically from retail and leisure companies who collect and processes personal data on a large scale.”