Cyber insurance

from Wikipedia, the free encyclopedia

Cyber insurance is an optional insurance for companies that covers damage related to hacker attacks or other acts of cybercrime. Since this is still a very young branch of insurance, there is not yet a uniform name for the tariffs. Comparable cyber insurance offers can be found under terms including cyber protection, cyber protect, data protect, data protection insurance, data risk, cyber coverage or hacker insurance. Supplementary cover is offered, for example, with electronics or data carrier insurance.

General

The General Association of the German Insurance Industry (GDV) developed model conditions and a risk questionnaire in April 2017. The non-binding model conditions are aimed primarily at small and medium-sized companies with up to 250 employees and an annual turnover of up to 50 million euros. They are intended to give companies and brokers a benchmark for evaluating insurance offers. Insurance companies can develop their own products based on the GDV model conditions. The questionnaire is used to assess the risk before insurance is taken out and provides information about the weak points of the company's IT.

Scope of insurance

According to the GDV model conditions, cyber insurance is a combination of liability insurance, business failure insurance and data insurance, covering third-party and first-party damage in the form of financial losses. Ordinary liability insurance steps in when a third party, such as a customer or client, suffers damage through the fault of the insured (called third-party damage or external damage). However, business liability insurance typically insures only personal injury and property damage as well as any consequential damage. If, on the other hand, the damage is of a purely financial nature (financial loss), public liability insurance does not apply. In these cases, financial loss liability insurance applies.

Third-party damage: Data protection and cyber coverage covers this financial loss if the policyholder harms a customer or other third party, for example through a data breach.

First-party damage: In a hacker attack or the spying out of personal data, the policyholder itself may also be harmed. In terms of insurance law, this is referred to as first-party damage (own damage). Cyber insurance therefore offers protection against first-party damage arising from a hacker attack, a DoS attack (denial of service), computer misuse, theft of data carriers or other data infringements.

Cyber insurance not only serves to compensate for the direct damage caused by the attack, but above all to cover the costs associated with the complete restoration of business activity. This includes the cost of

  • the restoration and repair of IT systems,
  • commissioning external computer forensic analysts,
  • the appointment of specialized lawyers,
  • professional crisis management and PR,
  • credit protection and monitoring services,
  • the criminal defense (internet criminal legal protection),
  • the additional costs necessary to continue the business.

A key feature of cyber insurance is the provision of extensive assistance services in the event of damage, such as a 24-hour hotline for reporting cyber incidents. Individual providers give policyholders direct technical support from incident response and IT forensics service providers. A quick response in the event of a claim is also in the interest of the insurance company, because it reduces the damage. For the company concerned, direct technical support in averting a threat or analyzing a cyber incident can be of great importance. Cyber attacks also regularly constitute a data breach, for example when personal data has been changed, lost or accessed without authorization. According to Article 33 (1) GDPR, these incidents must be reported to the responsible data protection authorities within 72 hours, and the report must contain a concrete description of the matter.

For operators of web shops or other e-commerce applications, the scope of insurance can also be supplemented, for example, by business interruption insurance or loss of earnings insurance. In this case, the policyholder receives financial compensation for a significant loss of sales in the shop (for example due to a hacker or DoS attack). As a rule, the insurer's benefit is calculated per hour of downtime. There is usually a time deductible (e.g. 12 hours). These extensions are comparable to conventional business interruption insurance (BU for short), which, however, only offers cover for traditional risks such as fire or water damage.

Because cyber insurance often covers various risks and both first-party and third-party damage, the policyholder may occasionally find that it overlaps with other insurance policies, such as professional indemnity insurance, fidelity insurance or various property insurance policies. The disadvantage of multiple insurance for the same risk is that the policyholder pays the premium twice and that, in the event of a claim, it may be unclear which insurance has priority. However, the complex cyber risks cannot be fully covered by a combination of the insurance products mentioned.

Facts and figures

With cyber insurance, insurance companies are responding to the increase in cybercrime in recent years. In 2012 alone, around 64,000 cybercrime cases were recorded in Germany. A successful hacker attack on a large company causes an average economic damage of 1.8 million euros. For small and medium-sized companies, the average value is 70,000 euros. According to the Federal Criminal Police Office, the total annual damage resulting from all hacker attacks on German companies amounted to 70.2 million euros in 2011. Since the number of unreported cases is very high, it can be assumed that the actual economic damage is many times higher. Nevertheless, it is still rather the exception in Germany for companies to have their own insurance against the risks of internet crime. By contrast, these special types of insurance are already relatively widespread among US companies: the premium volume for cyber insurance there is currently around one billion US dollars a year. The increasing number of insurance solutions on the market around the world shows that awareness of the dangers of cybercrime is slowly increasing.
