Italian supervisor focuses on cyber awareness among SMEs and individuals

The Italian insurance supervisor Ivass has launched Cybersecure, its information campaign focused on cybersecurity that is designed to raise awareness about this fast-rising risk. As it launched the campaign, Ivass said that cyberattacks have affected 60% of Italian companies in the last three years. The campaign was announced shortly after the supervisor published its analysis of cyber policies currently on the market. It found way too much ambiguity, inconsistency and a lack of clarity over key terms such as data and war within the cover offered to SMEs and individuals. The supervisor said that insurers, brokers and companies need to create more bespoke cyber policies that properly reflect the nature of actual cyber exposures and deliver more certainty about what is and what is not covered. As it launched its new awareness campaign, Ivass said it is vital that firms are equipped with all the tools and information needed to improve cyber security and, in particular, protect themselves from possible online fraud. The campaign will be online until December, exclusively on digital channels. The idea is inspired by a television game show designed to talk about the risks of fraud and the type of cyberattacks that businesses face. The campaign is carried out by CERTFin, the public-private partnership initiative aimed at increasing cyber risk management at financial institutions, launched with the Bank of Italy, Ivass, the state police and a range of leading Italian financial firms. Last month, Ivass published the findings of its recent investigation into the cyber insurance market in Italy for private individuals and SMEs, which showed much work is needed to improve cover. The main findings of the survey suggest a growing diffusion within cyber policies. Ivass said that coverage for SMEs is “quite complex”, with guarantees that aim to cover companies from damage due to cyberattacks and from damage caused to third parties. The supervisor said that coverages are mostly standardised and could benefit from greater flexibility to customise protection depending on the specific operation and needs of each company. Ivass added that the personal and business cyber insurance markets are set to grow rapidly, in parallel with stronger cybersecurity at companies and among individuals. Brokers will play a key role in this, said the supervisor. “The assistance of professional insurance intermediaries, adequately updated on cyber risks and the very technical aspects of these policies, is crucial for the further development of the offer,” concluded Ivass. The supervisor also highlighted the recent problem of exclusions being added to cyber policies, not least for war. “There are sometimes exclusions and deductibles that reduce policy scope and applicability… with margins of ambiguity. For example, the war clause exclusion, present in most contracts examined, does not make it explicit whether the term ‘war’ also includes ‘war information technology’. This is of particular relevance given that the current conflicts are also carried out through cyberattacks… the policies have room for improvement in terms of comprehensiveness and unambiguity of the terms used,” commented IVASS. The supervisor’s analysis of cyber policies currently on offer in Italy also found a worrying level of confusion and uncertainty about key terms, such as data. “The term ‘data’ is defined in some policies as ‘any digital information present in the computer system of the insured and stored outside the random access memory (RAM), regardless of the form or manner in which it is used or displayed (eg text, images, videos, software)’; in another policy, for ‘data’… instead they generically mean ‘electronic data and software’,” pointed out IVASS. Differences were also found over the term cyberattack. In one case, for example, cyberattack is briefly identified as a “malicious act, malware, theft against the insured's IT system”. In another case, it is defined as an “illicit act, committed deliberately by a person using system resources and/or network of the insured, determine consequences regarding confidentiality and availability of the integrity of the data and the IT system”. Ivass pointed out that cyber policies do not provide an exhaustive definition of some key terms and need to be more bespoke. “Policies could be more flexible and calibrated to the specific needs of the customer/end consumer, paying greater attention also to profiling and the degree of exposure to cyber risk. For example, one small business that does not operate via e-commerce will have a cyber risk profile different to one that also sells products online,” said IVASS. “The policies in question could also benefit from a review of exclusions, which should also take into account the granularity and actual needs of the reference target market,” it continued. “The adoption of a single glossary of definitions is appropriate in order to guarantee homogeneity and certainty: in this regard, companies could refer to the Cyber Lexicon FSB11 [produced by the Financial Stability Board], which offers a series of consolidated and accepted definitions in the digital community,” added the supervisor. The supervisor said it is important that risk and insurance managers evaluate the specific risks facing their organisation and consult with a professional insurance intermediary to determine the appropriate level of IT coverage needed. “Factors such as nature of the company, the volume of sensitive data, the dependence on technology and the industry regulations should be taken into consideration when evaluating the need and extent of cyber insurance coverage. It is also important to discuss and verify aspects relating to the conditions and exclusions,” said Ivass.

Italian supervisor focuses on cyber awareness among SMEs and individuals

Ivass finds serious work needed on insurance policy consistency and clarity

Want to read this article?

Read Next

Healthcare and flexible/hybrid working most valued benefits

Global data breaches double in 2023 driven by extortion and third-party software attacks

Social inflation set to continue driving US liability rates: AM Best

Zurich appoints Adriana Scherzinger group head of captives

Marsh McLennan achieves ‘Autism Confidence’ status

Healthcare and flexible/hybrid working most valued benefits

Global data breaches double in 2023 driven by extortion and third-party software attacks

Social inflation set to continue driving US liability rates: AM Best

Zurich appoints Adriana Scherzinger group head of captives

Marsh McLennan achieves ‘Autism Confidence’ status

Want to read this article?

Read Next

Healthcare and flexible/hybrid working most valued benefits

Global data breaches double in 2023 driven by extortion and third-party software attacks

Social inflation set to continue driving US liability rates: AM Best

Zurich appoints Adriana Scherzinger group head of captives

Marsh McLennan achieves ‘Autism Confidence’ status

Related Articles