No, this is not about e-sports players who want to insure themselves against bruises from a mouse or harm from a poor monitor. Let's talk about insuring the cyber risks that come with using IT.
Amid the rapid development of digital technologies and the increasing complexity of companies' IT infrastructure, the number of cybercrimes is also growing significantly. According to the Ministry of Internal Affairs, there were 92% more of them in 2018 than in 2017. It is not surprising that protection against the risks of data loss, downtime, hacker attacks and leaks of confidential information is becoming more relevant, and cyber risk insurance looks like a reasonable way to minimize damage.
Companies want to know what guarantees of protection for the processed data the service provider offers, and how it proposes to minimize the damage if an attack cannot be stopped.
The cyber risk insurance procedure is cumbersome and difficult because, apart from the insurance organization, the contract must also involve an information security (IS) company, which evaluates the risks and prepares conclusions for the insurance company. But the Russian insurance market already has offers of integrated cyber insurance.
What do insurance companies offer?
AlphaInsurance
Alpha offers businesses AlfaCyber. The contract can cover all or only some types of cyber threats. If desired, the client can choose one of the standard insurance packages or put together an individual one, taking into account the specifics of the business and its individual needs. Basic policy packages cover the risks of loss and corruption of data (including by encryption viruses) and software and of disclosure of personal data, and include the investigation and diagnosis of cyber attacks.
The policy can also provide protection against the following risks: loss of information; theft of intellectual property; misuse of computing resources; extortion; embezzlement; breaches of confidentiality and disclosure of personal data; damage to the property, life and health of third parties; damage to business reputation; loss, destruction or damage of finished products, raw materials and materials; business interruption.
The cost of insurance depends on the set of risks, the sum insured and the deductible, as well as the type of activity of the insured and the results of risk assessment.
AIG
The company, which was one of the first to apply a broad and unified approach to cyber threats, developed the CyberEdge insurance program to protect personal data at the enterprise from the consequences of its leakage or unlawful use. To help companies protect themselves from identity theft, hacker actions, personnel errors, and more, AIG provides clients with access to services from companies specializing in cybersecurity and cybercrime investigations, legal advice, and anti-crisis PR. In fact, it is a handy tool for preventing losses and overcoming the consequences of data leakage.
Insurance includes mandatory and additional coverage. Mandatory coverage includes:
- Losses due to data breaches;
- Administrative investigation into the data;
- Response costs for data breaches;
- Responsibility for the content of the information;
- Virtual extortion;
- Network outage.
Additional coverage includes responsibility for the content of the information, virtual extortion, losses from network failures due to a breach of the security system, compensation for lost profits.
The Russian branch of AIG did not record a single case of customers contacting it because of infection with the WannaCry or Petya viruses, but these cases still increased customer interest in the risk insurance service. “After the incidents, we see a growing interest in cyber-risk insurance services and are currently negotiating with a number of companies. However, the larger the business, the more difficult and lengthy the budget approval, so it may take a long time to conclude an agreement,” said Vladimir Kremer, Head of AIG Financial Risk Insurance in Russia.
Allianz
Allianz has developed its cyber-risk insurance product Allianz Cyber Protect. The policy provides insurance against the following risk categories:
- Civil liability for the loss of personal and financial customer data;
- Losses incurred by the insured himself due to downtime, cyber tort;
- Covering incident investigation costs and assistance from forensic specialists.
"The growth in demand for cyber-insurance in the United States is already in an active stage, as data protection laws allow companies to be guided, and regulatory changes and increasing levels of responsibility provide accelerated growth in other countries," comments Nigel Pearson, responsible for cyber insurance at Allianz Global Corporate & Specialty (AGCS). “We are witnessing a general trend towards the establishment of more stringent regulatory regimes for data protection, involving the threat of serious fines in the event of information leakage.”
Government regulation
So far, there are no standards in the field of cyber insurance, and the legislation is poorly developed in terms of determining responsibility for violations and crimes in the field of information security.
But in the near future the situation should change. The national project “Digital Economy of the Russian Federation” provides for a number of measures aimed at promoting voluntary insurance of information security risks and enhancing cyberculture. The project also includes a proposal to work out the possibility of using tax incentives when insuring cyber risks.

Cyber Risks Insurance Algorithm
What is the cyber insurance procedure? To answer this question, let's take an information system with an already created data protection system. This may be a personal data storage system, a state system with a certificate for compliance with information security requirements, or another information system with security features selected on the basis of reasonableness and proportionality of costs.
In this case, the company will need to go through the following steps:
- Choosing an insurance company offering a comprehensive cyber risk insurance service;
- Selection of an expert organization to conduct an information security audit (from a number of organizations accredited by an insurance company);
- Audit and risk assessment of information security (conducted by an expert organization);
- Definition of insurance claims;
- Determination of the amount of insurance coverage and insurance premiums;
- Formation of a contract for an integrated cyber insurance service.
If the company has not yet created a protection system or does not comply with the requirements of the Russian legislation on protection, the preliminary stage will be the creation of a protection system or the deployment of an information system with a service provider with the conclusion of an agreement for storing confidential information.
Types of insurance risks
In world practice, there are several risks that can be partially or fully covered by insurance:
- The risk of appropriation and use of confidential information by company employees;
- The risk of a hacker obtaining credit card numbers or information on company clients' accounts;
- The risk of embezzlement of funds from bank accounts or securities from an account with a depositary;
- The risk of theft of credit card data and funds from them;
- The risk of loss or disclosure of information due to employee error;
- Interruption in the operation of the enterprise, its computer network, or its website;
- Losses associated with the placement on the website of the insured of false information or information that has the character of defamation;
- The risk of loss of tangible media containing confidential information.

Insurance cover
In almost all insurance cases, the most difficult issue is the question of reliable assessment of the value of the lost information.
In addition, when information is valued as an intangible asset and insurance compensation is received, problems with our tax legislation cannot be ruled out: it will not fail to treat the entire amount of insurance compensation as profit and tax it. This question has not yet been settled at the level of clarifications from the Ministry of Finance.
Also, not everything is clear with the payment of insurance coverage, calculated as the amount of expenses incurred to restore the violated right. It will be rather difficult to prove the necessity of making one or another expense or its size, therefore it is advisable to prescribe an approximate list of such expenses and their cost in advance in insurance contracts.
Insurance coverage may include:
- Losses due to violations of personal data or corporate information;
- Losses as a result of a long interruption in the functioning of the network;
- Losses and expenses resulting from public disclosure of personal data or corporate information;
- Cash paid to limit or stop a security risk that could otherwise cause a loss;
- Coverage of costs associated with the conduct of investigations by regulatory authorities;
- Response services in case of data leakage, restoration of personal reputation, instruction in case of leakage of personal data, as well as the cost of notification and monitoring associated with information leakage;
- Covering the costs associated with recovering, re-collecting or recreating information after a leak or unauthorized use of data;
- The costs of the policyholder for the defense in court;
- Crisis management costs;
- Damage caused to third parties.
Findings
Although the cyber risk insurance market is still rather young, it already offers comprehensive and complex solutions. It is expected that cloud providers will soon offer their own liability insurance services. Already, Cloud4Y, in addition to the guarantees offered by the service level agreement, is ready to offer customers a convenient way to insure the risks of placing infrastructure and services in the cloud.