
Cyber insurance in the Russian market

No, this is not about e-sports players who want to insure themselves against mouse-induced bruises or eyesight ruined by a bad monitor. Let's talk about insuring the cyber risks that come with using information technology.
Against the backdrop of the rapid development of digital technologies and the increasing complexity of companies' IT infrastructure, the number of cybercrimes is also rising noticeably. According to the Ministry of Internal Affairs, there were 92% more of them in 2018 than in 2017. It is not surprising that protection against the risks of data loss, downtime, hacker attacks and leakage of confidential information is becoming more relevant, and cyber risk insurance looks like a reasonable way to minimize damage.
Companies want to know what guarantees the service provider gives for the protection of the data it processes, and how it proposes to minimize the damage if an attack cannot be stopped.
The procedure for insuring cyber risks looks cumbersome and complicated, because in addition to the insurance organization, the contract must also include an information security audit company, which will assess the risks and prepare conclusions for the insurance company. But the Russian insurance market already has offers for comprehensive cyber insurance.
What insurance companies offer
Alpha Insurance
"Alpha" offers businesses the AlfaCyber product. The contract can cover all types of cyber threat or only certain ones. The client can choose one of the standard insurance packages or build an individual one that takes into account the characteristics of the business and its particular needs. The basic packages of the policy cover the risks of loss and corruption of data (including by file-encrypting viruses) and of software, and the disclosure of personal data, and include the investigation and diagnosis of cyber attacks.
The policy can also provide protection against the following risks: loss of information; theft of intellectual property; misuse of computing resources; extortion; embezzlement of funds; breach of confidentiality and disclosure of personal data; damage to the property, life and health of third parties; damage to business reputation; loss, destruction or damage to finished products, raw materials and supplies; business interruption.
The cost of insurance depends on the set of risks, the insured amount and the deductible, as well as the type of activity of the insured and the results of the risk assessment.
AIG
The company, which was one of the first to apply a broad and unified approach to cyber threats, has developed the CyberEdge insurance program, which protects an enterprise against the consequences of personal data being leaked or used illegally. To help companies protect themselves from identity theft, hackers, human error and much more, AIG gives customers access to the services of companies specializing in cyber security and cybercrime investigation, as well as legal advice and crisis PR. In effect, it is a convenient tool for preventing losses and dealing with the consequences of a data leak.
Insurance includes mandatory and additional coverage. Mandatory includes:
- Data breach losses;
- Administrative investigation regarding data;
- Response costs for a data breach;
- Liability for the content of information;
- Virtual extortion;
- Network outage.
Additional coverage includes liability for the content of information, virtual extortion, losses from network failures as a result of a malfunction in the security system, and compensation for lost profits.
AIG did not record a single case of a customer contacting it about infection with the WannaCry or Petya viruses, but these incidents still increased clients' interest in cyber risk insurance. “After the incidents, we see a growing interest in cyber risk insurance services and are currently negotiating with a number of companies. However, the larger the business, the more complicated and longer budget approval is; therefore, it may take a lot of time to conclude an agreement,” said Vladimir Kremer, head of the financial risk insurance department at AIG Russia.
Allianz
Allianz developed its cyber risk insurance product Allianz Cyber Protect. The policy provides insurance against the following risk categories:
- Civil liability for the loss of personal and financial data of customers;
- Losses incurred by the insured himself due to downtime, cyber-extortion;
- Covering the costs of incident investigation and assistance from forensic specialists.
“The growing demand for cyber insurance in the USA is already in an active stage, as data protection laws help guide companies, and regulatory changes and increasing levels of responsibility provide accelerated growth in other countries,” comments Nigel Pearson, responsible for cyber insurance at Allianz Global Corporate & Specialty (AGCS). “We are witnessing a general trend towards the establishment of more stringent data protection regulatory regimes, which are fraught with the threat of serious fines in case of information leakage.”
State regulation
So far, there are no standards in the field of cyber insurance, and the legislation is poorly developed in terms of determining liability for violations and crimes in the field of information security.
But in the near future the situation should change. The national project “Digital Economy of the Russian Federation” provides for a number of measures aimed at popularizing voluntary insurance of information security risks and enhancing cyber culture. Also, the project includes a proposal to study the possibility of using tax benefits for cyber risk insurance.

Cyber Risk Insurance Algorithm
What does the cyber insurance procedure look like? To answer this question, we take an information system with an already created data protection system. This may be a personal data storage system, a state system with a certificate for compliance with information security requirements or another information system with security features selected on the basis of reasonableness and proportionality of costs.
In this case, the company will need to go through the following steps:
- Choosing an insurance company offering a comprehensive cyber risk insurance service;
- Selection of an expert organization for conducting an audit of information security (from among organizations accredited by an insurance company);
- IS audit and risk assessment (conducted by an expert organization);
- Definition of insurance cases;
- Determination of the size of insurance coverage and insurance premiums;
- Formation of a contract for a comprehensive cyber insurance service.
If the company has not yet created a protection system or does not meet the requirements of the legislation of the Russian Federation on protection, the preliminary step will be to create a protection system or to place an information system with a service provider with the conclusion of an agreement for the storage of confidential information.
Types of Insurance Risks
In world practice, there are several risks that can partially or fully receive insurance coverage:
- The risk of company employees misappropriating and using confidential information;
- The risk of a hacker getting information about credit card numbers or company customer accounts;
- The risk of theft of funds from bank accounts or securities from an account with a depository;
- The risk of theft of credit card data and funds from them;
- The risk of loss or disclosure of information due to employee error;
- A break in the work of the enterprise, its computer network, its website;
- Losses associated with the posting of false or defamatory information on the insured’s website;
- The risk of losing a tangible medium containing confidential information.

Insurance cover
In almost all insurance cases, the hardest question is how to reliably estimate the cost of the lost information.
In addition, when information is valued as an intangible asset and insurance compensation is received, problems with our tax legislation cannot be ruled out: it will not fail to classify the entire amount of the insurance compensation as profit and tax it. This question has not yet been settled at the level of clarifications from the Ministry of Finance.
Nor is everything clear about insurance payouts calculated as the amount of expenses incurred to restore the violated right. It will be quite difficult to prove that a particular expense, or its size, was necessary, so it is advisable to specify an approximate list of such expenses and their cost limits in the insurance contract.
Insurance coverage may include:
- Losses due to violations of personal data or corporate information;
- Losses as a result of a long interruption in the functioning of the network;
- Losses and expenses resulting from public disclosure of personal data or corporate information;
- Cash paid to limit or terminate a security risk that could otherwise cause a loss;
- Coverage of investigative costs by regulatory authorities;
- Response services in case of data leakage, restoration of personal reputation, briefing in case of leakage of personal data, as well as expenses for notifications and monitoring related to information leakage;
- Covering the costs associated with the restoration, re-collection or reconstruction of information after a leak or unauthorized use of data;
- The costs of the insured in court;
- Crisis management expenses;
- Damage to third parties.
Conclusions
Although the cyber insurance market is relatively young, comprehensive integrated solutions already exist. Cloud providers are expected to start offering liability insurance services soon. Cloud4Y, in addition to the guarantees offered by its service level agreement, is already ready to offer customers a convenient way to insure the risks of placing infrastructure and services in the cloud.