2023-06-29

Cyber Insurance: Exploration of the Dutch Insurance Market

The Dutch Authority for the Financial Markets (AFM) conducted an exploration of the cyber insurance market, noting its small size but expected growth amid rising cyber threats. The AFM identifies three main barriers to consumer protection: the dynamic complexity of policy terms, inconsistent definitions of key concepts like 'cyber incident,' and opaque exclusions such as those for war-related damages. The regulator urges insurers to enhance transparency and encourages industry-wide collaboration to improve product comparability and ensure customers can make informed decisions.


Netherlands

Autoriteit Financiele Markten


Cyber Insurance Exploration of the Dutch Insurance Market 27-02-2023

The digitalization of society is increasing ever further. We order our groceries online, hold meetings via video conferencing, and our homes are filled with smart devices (IoT devices). Our data is stored in the cloud, rather than in filing cabinets, and companies offering online platform services are among the most valuable enterprises in the world.

This development brings new cyber risks with it. Companies are now fully dependent on a functioning (external) IT infrastructure. If this ceases to function, the entire company comes to a standstill. Our personal data face a high risk of theft, which can have concrete consequences such as credit card fraud or identity theft. War and terrorism also take place digitally, as does the theft of corporate data. These new risks are dynamic, complex, and increasing. The number of ransomware attacks has increased very strongly in recent years.1 Vulnerabilities in hardware such as Meltdown and Spectre bring new risks for consumers and businesses.2 It is difficult to predict which cyber risks will be relevant in five years. Consumers and businesses are (still) only partially aware of these risks, as evidenced by the conversations the AFM has had with insurers.

There are insurance products on the market to mitigate cyber risk. These cyber insurances cover risks related to liability and own damage for customers, and often also offer services if a cyber incident occurs. This allows consumers and SMEs to cover this risk for themselves or their business.

The AFM has conducted an exploration of the cyber insurance market in recent months. The reason for this is that this is a relatively new type of risk and that the volume of cyber attacks has increased strongly in recent years, particularly during the corona period. As a result, the risk to which consumers and businesses are exposed is also increasing. The AFM finds it important to signal potential risks in a timely manner and has therefore conducted an exploration of this product. This also enables the AFM, given the cross-border nature of this subject, to draw international attention to the outcomes of the exploration. Furthermore, it is a cross-border risk in an international field of market participants, which has the AFM's particular attention.

The market for both (small) business and private cyber insurances is still small but is expected to grow.3 The market size was €36 million in 2021, while for a product such as liability insurance it was approximately €850 million. On the business market, the number of Dutch insurers offering their own product is limited. On the private market, there are more Dutch insurers active. The AFM notes that it is still difficult to compare cyber insurances with each other for three reasons. These are: the complexity of the terms, a different interpretation of key concepts, and coverages that are not fully explicitly stated by insurers.

  1. The cyber risk and the terms of the insurance are dynamic and complex. Because the cyber risk is primarily an IT risk, the product also requires a certain degree of IT knowledge. This makes it more difficult to understand the terms and also requires advisors to acquire new/additional knowledge to be able to make a good risk assessment. Because the risk is continuously subject to change, the insurance terms also change continuously. It is therefore important that changes are clearly communicated to customers, that PARP guidelines are taken into account during product development, and that policy terms are designed in the most transparent way possible. This allows customers and advisors to continuously assess whether the product still fits their personal situation and to keep the customer interest central.
  2. A different interpretation of key concepts makes it difficult to compare coverages. Insurances that provide coverage for business damage after a cyber incident can differ significantly in content, because the definition of a 'cyber incident' differs between insurers. This can range from coverage for human error, programming errors, and hacks to coverage exclusively for malicious attacks. We also see differences in other definitions, such as 'infrastructure' or 'computer network', which can have a strong impact on the coverage the customer receives. Defining these concepts in the same way benefits the understanding and mutual comparability of the products – in the interest of the customer.
  3. Finally, the AFM sees that not all terms are explicitly stated. An example of this is the exclusion for damage caused by war. This is no longer a hypothetical risk at the time of the invasion of Ukraine by Russia.4 It is difficult to determine from cyber incidents whether they were acts of war, and many insurers rely on external specialists or governments for this. The AFM notes that not all terms clearly state which sources the insurer relies on to categorize a cyber incident as an act of war. When such an incident occurs, it is not clear in advance whether it falls under the insurance coverage or not, which does not provide certainty to the insured. It contributes to the understanding of the product, and to mutual comparability, if information on this is as transparent and complete as possible.

It is important that insurers continuously assess how they can communicate as transparently as possible about the coverage of cyber insurances, and that the sector jointly examines how it – given the growth of this market – can already contribute to the mutual comparability of the product offering. The international character of this market creates an additional challenge in this regard. Given the complexity and variability of both the product structure and the cyber risk, it is especially important with these products that information provision continuously contributes to the customer's understanding of the product. Better mutual comparability of the coverage and functioning of the product can contribute to this. This enables customers and advisors to cover the right risks now and in the future and to prevent foreseeable disappointments.

4 New “Prestige” ransomware impacts organizations in Ukraine and Poland - Microsoft Security Blog

The AFM is committed to fair and transparent financial markets. As an independent conduct supervisor, we contribute to sustainable financial well-being in the Netherlands.

The text of this publication has been compiled with care and is of an informative nature. You cannot derive any rights from it. Due to changing legislation and regulations at national and international levels, it is possible that the text is not up to date at the time you read it. The Authority for the Financial Markets (AFM) is not liable for any possible consequences – for example, incurred loss or lost profit – arising from or in connection with actions taken in response to this text.

© Copyright AFM 2023

Authority for the Financial Markets
Postbus 11723 | 1001 GS Amsterdam
Telephone 020 797 2000
www.afm.nl

Data Classification AFM - Public