Increased cyber threats call for measures: is cyber insurance the answer?

The threat posed by cyber-attacks has increased significantly in recent years. This is reflected in a recently published survey by a Swiss industry association, according to which 70% of the companies surveyed operating in Switzerland have been the target of at least one cyber-attack in the past two years.

These attacks were aided by the digitalisation surge driven by the COVID pandemic. The increase in work performed from employees' homes unmasked hitherto undetected vulnerabilities for cyber-attackers. Their targets were not only large corporations, but also small and medium-sized enterprises.

According to a recent (annual) study by a Swiss insurance company, 31% of the Swiss small and medium-sized enterprises (SMEs) surveyed had been the victim of a cyber-attack. Regardless of this, the survey found no progress in terms of technical and organisational cybersecurity measures implemented by SMEs.

Similar results were found in a recent MunichRe survey, according to which 71% of the respondents had experienced a cyber-attack or been infiltrated by ransomware. Nonetheless, 83% of the respondents indicated they believed that their company was not sufficiently equipped against cyber threats.

On a global level, the survey showed that the reasons for not taking out cyber insurance are manifold. While some respondents viewed the scope of coverage of cyber insurance as insufficient and others did not properly understand the product or viewed the insurance to be too costly, a staggering 25% were unaware that cyber insurance even existed.

In Switzerland, the federal government has taken steps to increase business awareness for cyber threats. For one, it has adopted a "National strategy for the protection of Switzerland against cyber risks (NCS) 2018-2022", in which it identifies almost 30 measures to be taken in a number of areas, including incident and crisis management, prosecution, and cyber defence.

The National Cybersecurity Centre (NCSC) is Switzerland's competence centre for cybersecurity. The NCSC is the first point of contact for companies and individuals with regard to cyber-attack issues.

In addition, a draft amendment to the Federal Act on Information Security has been published with a proposed introduction of a mandatory reporting obligation for cyber-attacks on so-called critical infrastructure such as:

• Universities;

• Federal, cantonal and municipal authorities;

• Energy suppliers;

• Banks and insurance companies; and

• Hospitals.

The proposed regulation also includes a criminal sanction against companies – a fine of up to CHF 100,000 ($106,000) – in the event of non-compliance with the mandatory reporting obligation. To date, only sectors such as the financial services business, telecommunications, aviation, the railway industry, and nuclear power had known such reporting obligations. Reporting duties may result from:

• Data protection law (including the revised Swiss Data Protection Act entering into force in September 2023);

• The EU General Data Protection Regulation;

• Anti-money laundering rules; and

• Applicable foreign regulation.

A cyber-attack is defined as an intentional unauthorised act by an individual or a group in cyberspace to compromise the integrity, confidentiality, or availability of information and data or information processing systems.

Typical cyber-attacks include the introduction of computer viruses and worms or ransomware. The latter are malicious programs that can be used to prevent access to, or the use of, data or entire computer systems, often by encrypting data. The attackers commonly demand a ransom payment in cryptocurrency for decryption.

Other forms of cyber-attacks include phishing (an attempt to obtain passwords or other personal information), CEO fraud (faked urgent requests for payment by the CEO, with the CEO unavailable for queries), and data theft. A distributed denial of service attack on a computer system or a website impairs its availability through a large number of requests.

The financial consequences of such attacks are significant. Own-part losses with costs for crisis management, costs for notifying those affected by data privacy breaches, data privacy fines, losses due to business interruptions, costs for IT service providers, and extortion payments may be incurred. Liability risks can also manifest themselves; for example, in the form of claims for damages by third parties following data theft or data protection breaches.

The impact of a cyber-attack on a company can be massive, involving not only financial damage, but also negative reputational consequences and, potentially, data protection violations.

According to Swiss law, as part of its control function, the board of directors must, by means of directives and regulations, ensure that the company defends itself against cyber-attacks and mitigates their effects. This includes not only identifying potential risks and sensitising and training employees as to their existence, but also setting requirements with regard to insurance coverage against cyber risks. In this respect, taking out cyber insurance may be validly seen as an important component of general risk management.

Pursuant to the Swiss Code of Obligations, which contains the provisions on company law, the board of directors has the non-transferable and inalienable duty of the overall management of the company and the issuing of all necessary directives. It determines the company’s organisation and the overall supervision of the persons entrusted with day-to-day management of the company. These duties cannot be transferred to the (group) management, which means that the board of directors must have, with regard to cybersecurity, a minimum knowledge level, and if the entire board does not have such knowledge, internal or external experts must be consulted.

The essential decisions to be taken by the board of directors in connection with cyber risks include:

• The company's cyber-risk strategy;

• Basic principles for the identification, assessment, and supervision of cyber risks and the avoidance of cyber-attacks; and

• The taking of measures in case such risk materialises.

Conversely, the operational management of cyber risks lies with the management. In terms of compliance and risk management, a continuous process of risk assessment, adaptation of security measures, and decision making on insurance products is required. This includes several steps:

• An assessment of the risk situation (IT check, security audit, etc.);

• A decision on (additional) security measures;

• A decision on risk transfer (for example, insurance); and

• An annual reassessment.

Conventional insurance products such as property or liability insurance, fidelity insurance, and directors' and officers' (D&O) liability insurance do not fully cover the many forms of cyber losses, or do not cover them sufficiently. For instance, property insurance requires the occurrence of a physical damage; i.e., the destruction or loss of, or damage to, a physical object. Cyber-attacks, however, often do not entail the destruction or loss of, or damage to, a physical object, but, rather, affect digital data.

Liability insurance typically does not cover own-party losses of the insured, but merely provides indemnification for claims for damages of third parties against the insured. Cyber-attacks, however, often lead to an own-party damage such as a business interruption, ransom payments, cyber theft, or the costs of data restoration.

For this purpose, insurance companies offer cyber insurance to large companies and SMEs, but also to private individuals. The scope of coverage of such cyber insurances, and the individual insurance conditions, may vary substantially. Typical coverage components are own-party damage, third-party liability claims, and assistance services.

Covered own-party loss may include:

• Extortion payments (to the extent legally permissible; in contrast, some insurers stipulate a coverage exclusion for extortion payments);

• Loss due to fraud; and

• Loss of revenue due to business interruption, data recovery costs, data protection fines, or costs for notifying authorities and affected parties in the event of data loss.

Covered liability claims are typically specified in the policies because cyber insurance usually does not provide coverage for all types of liability claims, but only for liability in relation to cyber-attacks. Typical liability claims covered are for:

• Financial losses resulting from data breaches;

• Losses resulting from the destruction, alteration, or unavailability of, or damage to, data in the possession of the insured;

• Violation, theft, or loss of confidential data; and

• Losses due to a violation of network security.

Cyber insurance policies are not all-round carefree packages. For one thing, they typically do not provide all-risk coverage, but only protect against specific risks defined in the policy. For another, insured parties are regularly contractually obliged to maintain their data and access security, as well as the technical status of the IT system, and to deploy and keep up-to-date protective systems. The latter includes:

• Anti-virus software;

• Firewalls;

• Regular security updates of operating systems and programs; and

• Data encryption.

These obligations regularly entail substantial costs. If they are not complied with, this can lead to a reduction and, in the worst case, to the loss of the insurance claim.

Finally, the insurance conditions frequently provide for a number of exclusions, such as for acts of war or terrorism. If a company wants to play it safe in view of this complexity, a comprehensive requirements analysis of its insurance coverage is strongly recommended.

Taking out insurance coverage for cyber risks is one of many – in most cases, necessary – answers to cyber threats.

Though it will not immunise a company against all the financial impacts of a cyber incident, not least because of the limited sum insured under the cyber insurance contract and the often considerable deductible/self-insured retention, taking out cyber insurance seems an appropriate and, from a corporate compliance point of view, advisable step to mitigate the risks of cyber-attacks, a phenomenon that will no doubt increase in the coming years.

Failure to do so may result in significant D&O liability risk.