The Italian insurance supervisor Ivass has launched Cybersecure, its information campaign focused on cybersecurity that is designed to raise awareness about this fast-rising risk.

As it launched the campaign, Ivass said that cyberattacks have affected 60% of Italian companies in the last three years.

The campaign was announced shortly after the supervisor published its analysis of cyber policies currently on the market. It found way too much ambiguity, inconsistency and a lack of clarity over key terms such as data and war within the cover offered to SMEs and individuals.

The supervisor said that insurers, brokers and companies need to create more bespoke cyber policies that properly reflect the nature of actual cyber exposures and deliver more certainty about what is and what is not covered.

As it launched its new awareness campaign, Ivass said it is vital that firms are equipped with all the tools and information needed to improve cyber security and, in particular, protect themselves from possible online fraud.

The campaign will be online until December, exclusively on digital channels. The idea is inspired by a television game show designed to talk about the risks of fraud and the type of cyberattacks that businesses face.

The campaign is carried out by CERTFin, the public-private partnership initiative aimed at increasing cyber risk management at financial institutions, launched with the Bank of Italy, Ivass, the state police and a range of leading Italian financial firms.

Last month, Ivass published the findings of its recent investigation into the cyber insurance market in Italy for private individuals and SMEs, which showed much work is needed to improve cover.

The main findings of the survey suggest a growing diffusion within cyber policies.

Ivass said that coverage for SMEs is “quite complex”, with guarantees that aim to cover companies from damage due to cyberattacks and from damage caused to third parties. The supervisor said that coverages are mostly standardised and could benefit from greater flexibility to customise protection depending on the specific operation and needs of each company.

Ivass added that the personal and business cyber insurance markets are set to grow rapidly, in parallel with stronger cybersecurity at companies and among individuals.

Brokers will play a key role in this, said the supervisor. “The assistance of professional insurance intermediaries, adequately updated on cyber risks and the very technical aspects of these policies, is crucial for the further development of the offer,” concluded Ivass.

The supervisor also highlighted the recent problem of exclusions being added to cyber policies, not least for war.

“There are sometimes exclusions and deductibles that reduce policy scope and applicability… with margins of ambiguity. For example, the war clause exclusion, present in most contracts examined, does not make it explicit whether the term ‘war’ also includes ‘war information technology’. This is of particular relevance given that the current conflicts are also carried out through cyberattacks… the policies have room for improvement in terms of comprehensiveness and unambiguity of the terms used,” commented IVASS.

The supervisor’s analysis of cyber policies currently on offer in Italy also found a worrying level of confusion and uncertainty about key terms, such as data.

“The term ‘data’ is defined in some policies as ‘any digital information present in the computer system of the insured and stored outside the random access memory (RAM), regardless of the form or manner in which it is used or displayed (eg text, images, videos, software)’; in another policy, for ‘data’… instead they generically mean ‘electronic data and software’,” pointed out IVASS.

Differences were also found over the term cyberattack.

In one case, for example, cyberattack is briefly identified as a “malicious act, malware, theft against the insured's IT system”. In another case, it is defined as an “illicit act, committed deliberately by a person using system resources and/or network of the insured, determine consequences regarding confidentiality and availability of the integrity of the data and the IT system”.

Ivass pointed out that cyber policies do not provide an exhaustive definition of some key terms and need to be more bespoke.

“Policies could be more flexible and calibrated to the specific needs of the customer/end consumer, paying greater attention also to profiling and the degree of exposure to cyber risk. For example, one small business that does not operate via e-commerce will have a cyber risk profile different to one that also sells products online,” said IVASS.

“The policies in question could also benefit from a review of exclusions, which should also take into account the granularity and actual needs of the reference target market,” it continued.

“The adoption of a single glossary of definitions is appropriate in order to guarantee homogeneity and certainty: in this regard, companies could refer to the Cyber Lexicon FSB11 [produced by the Financial Stability Board], which offers a series of consolidated and accepted definitions in the digital community,” added the supervisor.

The supervisor said it is important that risk and insurance managers evaluate the specific risks facing their organisation and consult with a professional insurance intermediary to determine the appropriate level of IT coverage needed.

“Factors such as nature of the company, the volume of sensitive data, the dependence on technology and the industry regulations should be taken into consideration when evaluating the need and extent of cyber insurance coverage. It is also important to discuss and verify aspects relating to the conditions and exclusions,” said Ivass.