Protection from cyber-risks: at what point are they and what should cyber insurance cover

(To Avv. Andrea Puligheddu)

It is interesting that in a recent article on The Insurance Insider an international insurance broker (AON) has stated that according to data collected by him for the 2019, cyber incidents already exceed the totals of the entire 2015 and 2016 years.
In fact it is almost daily for each of us to have a constant impact on news breaches, computer incidents and attacks against networks and systems of companies and public bodies.

It may sound strange, but it is known that the subjects most affected by these risks are those that represent more than 88% of our national entrepreneurial fabric, or entrepreneurs belonging to the category of MSME.

Often this category ignores or is not sufficiently aware of the potential impacts to which the technological pervasiveness exposes them almost in a continuous cycle. It is enough to cite as an example (somewhat evocative) the unfortunate affair of the cryptolocker - currently still in circulation in an increasingly advanced form - to recall to mind how much damage to productivity can cause the blocking of databases or the damage to corporate or institutional systems. This is a distilled drop of criticality in an ocean of worrying possible examples, yet still little known to those responsible.

Give this information extremely elementary and under the eyes of the community (exponential growth of computer incidents on the one hand and absence of awareness adequate to potential victims, representing the focus of a state's industry) it is quite easy to ask yourself: how to increase IT risk protection?

A first answer, I would say obvious - whose development is not the subject of this brief intervention - is to lend the utmost care in the selection and preparation of adequate technical and organizational security measures, of a progressive and easily adaptable nature with respect to the sudden changes that disruptive technologies entail.

Secondly, it is always good to emphasize theabsolute importance of proper training within the realities of work. It is impossible to foresee the occurrence of the so-called "human error", but the valorisation of this factor constitutes an essential cornerstone in the implementation of a correct risk management, of any nature.

The third point to consider for a correct management of risks, which is the subject of a brief discussion here, is the cyber insurance.
In fact, net of the first two considerations (which do not represent an alternative to the latter), adequate insurance coverage undoubtedly constitutes a valid support for the public or private body that has become aware of the potential risk that actually runs .

What do we talk about when we talk about? cyber insurance?

In a nutshell, we are talking about insurance packages - usually offered by large groups - that aim to protect the subscriber from the consequences of possible damage suffered due to the occurrence of a computer threat.

This is a market perceived as growing strongly. According to a recent Insurance Post survey, the 78% of British brokers believe that the cyber policy market has enormous potential for development, and to date the 72% of them have already sold a policy on cyber risks.

The Italian market, as usual, does not yet have a definition of its own and has not developed a consolidated plan of ceilings or premiums; many brokers seem to have chosen to explore this market very, very cautiously.

The only shared estimates, certainly not encouraging, identify a market of more or less 100 million a year, a low figure but proportionate to the lack of awareness of entrepreneurs and the public sector, as mentioned above.

Without wishing to engage in market analysis, it is clear that this is a portion of insurance business destined for rapid growth. Precisely for this reason the possibility is quite high that a hurried subscriber may resort - in his mad rush towards a palliative effect of the IT risk or for lack of precise information and notions on the subject - to insurance products that do not always reflect his expectations.

From here it is then necessary to ask a last question: what risks must cover (and legal guarantees must provide) a policy on cyber risk, in order to be considered valid?

Given that the cases vary a lot depending on the specificity of the technologies used and the impact they have with respect to the precise activity that is carried out by the Entity or by the company, there are some points that must surely be present in order to assess their suitability. of the insurance product. In particular, the policy must include protection on:

  • Computer intrusion by third parties (based on both network and physical attacks);
  • Theft, disclosure or deletion of data (both negligent and malicious)
  • Reputational, family and image risk (due to disclosure of confidential information concerning both employees and the company itself)
  • Identity theft and usurpation of Social Media
  • Blocking of automated production systems
  • System damage or the correct functioning of the network
  • Digitized intellectual property theft

Finally, an optimal policy could also include specific forecasts related to the business software used (or the removal of licenses), evaluating any certifications, suppliers involved, level of risk and impact of any system integrator agents.
In the absence of one or more of these elements, a legal assessment of the proposed offer booklet could be a valid support for a correct choice, given the scale of the investment.

Although some of these elements may seem obvious to a reader trained on these issues, in reality for many it is difficult to say the least, which will need to be chewed and digested not only by the insurance industry but also by the legal, administrative and institutional that too often chase technology as in one crazy race whose outcome is almost always against the citizen.