Recognise new dangers

10 June 2021

Cyberattacks are one of the main risks we face. The potential victims are by no means limited to major companies. Insurance companies have long since recognised the problem – and adapted their offers accordingly.

The dark side of digitalisation


The figures give food for thought. As a survey conducted by the market and social research institute gfs-zürich revealed, one in four SMEs in Switzerland has fallen victim to a cyberattack. So it is no wonder that the insurance industry is also addressing the topic. Mobiliar, for example, has launched a centre of competence for cyber risks. Its mission is to help raise awareness in the corporate sector of the dangers lurking on the internet, ranging from viruses to data theft to deliberately overloading the company network. ‘Attacks are becoming increasingly professional,’ says Andreas Hölzli, head of the Cyber Risk Competence Centre. The fact that SMEs are often the target of cyberattacks is no coincidence, according to Hölzli: ‘Smaller companies tend to have poorer protection than their large counterparts.’ This is either because they are not aware of the risk – or because they simply lack the means to put an efficient cyber defence system in place. For criminals, companies like these are ideal victims: ‘Basically, any company that uses IT and has an internet connection is at risk,’ says Hölzli. ‘This is exactly why we are constantly expanding our products and developing corresponding risk management services.’ For example, Mobiliar offers its customers a service that trains employees to deal with cyber risks and uses simulated phishing campaigns to test them.

More progress, more risk

Prevention is a crucial factor in the fight against cybercrime. Maya Bundt, head of Cyber & Digital Solutions at reinsurer Swiss Re, agrees. ‘Often, the first thing to be done is to raise awareness of the risk.’ Across the globe, Swiss Re’s cyber experts work to identify the latest threats. ‘Cyber risks are the dark side of digitalisation,’ says Bundt. ‘The greater the technological progress, the faster the rate at which the associated risks grow – and that applies worldwide.’ This development is also being closely monitored at the National Cyber Security Centre (NCSC). ‘Cyber security has become much more of an issue at all levels in recent years,’ emphasises Max Klaus, deputy head of operational cyber security. Some companies still believe that they are not interesting targets, which is a big mistake. ‘Every company has interesting data. It might be information about employees, financial data or sensitive customer data. From the attackers’ point of view, the data affected is irrelevant. If the data has an economic or emotional value for the victim, they will probably be willing to pay the ransom.’ Cyberattacks, he explains, are often based on blackmail. For example, a crypto-Trojan is smuggled into a company network, where it encrypts all the company’s data, which is released again only in return for a ransom. The NCSC’s recommendation in such cases is clear: Do not pay the ransom! ‘There is no guarantee that you will be able to restore the data once you have paid the ransom,’ says Klaus. Instead, the attack should be reported to the police.


Cyber insurance for the corporate sector

If a cyberattack is successful despite the measures taken, most insurance companies now offer good cover. According to Hölzli, these services can be split into three areas: own damage, third-party damage and legal expenses insurance. For example, insurance companies offer compensation in the event of data loss or a business interruption. In addition, insurers advise their clients on cyber risk assessment and potential vulnerabilities. ‘It is often the case that good basic protection is enough to prevent the attack,’ Hölzli emphasises. One thing is clear – the dynamic development and growing complexity of cyber risks will continue to keep insurance companies busy in the future. ‘We are currently witnessing a real arms race between attackers and defenders,’ says Hölzli.

Note: Cyberattacks can be recorded and reported using the reporting form of the National Cyber Security Centre.

SIA risk matrix addresses major risks and their consequences

COVID-19 bears impressive testimony to the fact that if an event occurs for which society is not sufficiently prepared, the consequences can be dramatic. The principle also applies to other risks. In June 2020, the SIA decided to create an industry risk matrix for those events to which the industry is exposed over and above the contractually insured risks. The intention is to make it easier to identify and address these risks early. The SIA has defined three categories in which events could occur: short term (likely to occur within one year), medium term (likely to occur within one to three years) and long term (likely to occur after three years). The loss potential was divided into low, medium and high, taking into account the impact on individual companies and (sub-)sectors. The analysis showed that each category is associated with key risks that will be highly significant to the insurance industry. Pandemics and cyberattacks were identified as the major large-scale risks. Based on the feedback provided by the committees, the SIA will focus even more on contributing to a common understanding through identification and classification of emerging, overarching risks. This also includes development of mitigating measures (exchange of information, increasing resilience) and – if necessary – active coordination of their implementation.