The global and local elements of cyber risk
For multinational programmes, the need for global coverage combined with local policies and servicing is a constant thread, and nowhere is this more true than with cyber insurance. Cyber risks always have a global and a local dimension at the same time, hence the need for insurance to provide global coverage that can respond locally.
Global risk
Cyber risk is undoubtedly global in nature. There is true, man-made interconnectivity of risk: one single malware can affect customers from Canada to Colombia and Norway to New Zealand. So we have a risk that has no geographic boundaries.
Cyber risks are evolving faster than any natural peril, accelerating rapidly due to advances in technology and new applications, creating continuously new vulnerabilities. This also applies to loss scenarios where you face the same kind of threat from hacking. The threat to your business and your operational capabilities become truly global when we look at cloud infrastructure; an artificial dimension that no other insurance line has to deal with.
This global side of the risk is largely concerned with first-party losses such as damage to the own IT computer system and data, together with potential losses stemming from business interruption and increased cost of working.
Local risk
But there is also a local side to cyber risk, which is more about third-party claims arising from data breaches or other data privacy violations. Here it is about laws and regulations, not just nationwide, but often down to state-level regulations. On top of that, there may be regional regulations such as the General Data Protection Regulation (GDPR) or the European Directive on Security of Network and Information Systems (NIS Directive), which may be implemented locally in different ways. For example, the French regulator takes a more proactive stance on GDPR, while in Germany, it depends on the state – like in the US – so you may be dealing with the regulator in Bavaria, Hamburg or Berlin, and they may take slightly different approaches.
It also means that organisations need to be aware of how the risks are evolving not just technically, but on the regulatory side as well. For example, Brazil is due to implement a much tighter data privacy regime, although the law has been postponed until next year. In Asia, at the beginning of the year, China, Hong Kong and Japan updated their local privacy laws and notification requirements. Singapore recently started a consultation on tightening its privacy laws, Malaysia has also done the same, and in Thailand, the new revised privacy laws have just come into effect, with not just fines and penalties, but also prison sentences for up to one year for data privacy violations.
So it can be a complex, layered picture and that means from a global insurance programme perspective, you need to have local coverage, local knowledge and local services in place to respond to that.
Claims handling
One of the concerns with cyber is that it can sometimes be perceived as a global risk, so companies may simply look to buy a single policy, say in Switzerland, that does not have local coverage for other jurisdictions. But if there is an incident in Brazil, you will need to have that local coverage in place so that you can handle claims on an admitted basis, properly engage with the customer locally, and have the ability to pay local claims, retain local counsel and work locally with IT forensics.
It can be difficult to handle claims from outside the country or region, not only because of the compliance issue but also language issues. And just as important is knowing the relevant people to deal with at the regulator and how to engage with them. Having a local policy and service support on the ground shows the regulator that you are serious about the issue. And being proactive can make a huge difference for the customer. The quicker that you engage on a claim, especially if you are a foreign company the better, or losses can quickly increase. The same applies to potential reputational implications for the brand.
Risk engineering and innovation
As well as the claims handling side, there is the risk engineering element of cyber insurance. Working with the customer, going through their processes, looking at not just the technology aspect such as having the right firewalls and patching systems, but also looking at how the organisation ‘lives’ cybersecurity, for example ensuring that employees are cyber aware. Insurers can provide cyber risk assessment reports for customers through tie-ups with innovators in the cybertech space, for example assessing and highlighting vulnerabilities. This needs to be done at the global, central and local levels.
Cyber pandemic
Threats of ransomware and cyber extortion are reaching pandemic proportions – it does not matter where an organisation is based, or which industry it is in, it is essential that organisations check their digital health and cyber hygiene both globally and locally. Cyber risks can be hugely expensive and costs fall into three main areas. The first is costs related to the IT response, the forensics, establishing the extent of the damage, and the data restoration.
The second is business interruption, for example on the manufacturing side where you have digitalisation of factories, there can be huge claims for loss of business income and increased cost of working. The third is around liability and the management of legal expenses, such as defence costs and dealing with the regulator, as well as expenses for notifications and dealing with the public.
Ultimately, cyber risk has both global and local elements. Globally, interconnected systems can lead to substantial business interruption losses, while violating data privacy regulation can lead to local lawsuits and penalties. Cyber insurance must, therefore, be globally consistent in scope and able to respond locally. Local response and global coordination is crucial and this requires a global insurer with local expertise.
Contributed by Oliver Delvos, global cyber underwriting manager, Zurich Insurance Group
