In 2011, the global entertainment network of a major Japanese technology enterprise was compromised and hackers managed to steal 77 million user accounts. 

The estimated total financial loss was up to $2 billion. Surprisingly, the Japanese enterprise did not receive any compensation from its insurers, as the court decided that its insurance plan did not cover losses from cyber attacks.

As a result, the company decided to take out a cyber insurance plan. This decision paid off in 2014, when hackers struck again and the company was compensated for most of the financial losses.

Cyber defense alone not enough





Not many companies can properly evaluate the importance of having a cyber insurance plan, particularly small and medium-sized enterprises (SMEs). 

Yet 62 per cent of victims of cyber attacks in the US are SMEs, according to Verizon’s latest report. IBM also noted recently that, globally, the average financial loss of each successful cyber attack is $3.79 million. 

In Vietnam, figures from the Vietnam Computer Emergency Response Team (VNCERT) reveal that in 2015 local enterprises were hit by cyber attacks 31,500 times.

The cyber incident involving Vietnam Airlines last year was another warning and a reminder that any organization or enterprise can fall victim to cyber criminals, regardless of the scale of the business.

Attacks have led to the development of the cyber insurance segment over the last ten years. PwC expects that this market will reach a value of $7.5 billion by 2020. 

It also noted that as at 2016, 59 per cent of companies approached were considering integrating a cyber insurance plan into their overall cyber defense strategy.

However, will it be necessary to obtain a cyber insurance plan when we have already invested in modern cyber defense technology? 

This will be a question commonly asked by SMEs, as most of them have begun paying attention to cyber defense but do not have a lot of budget to spare. 

Normally, financial institutions that have revenue of less than $1 billion can expect to pay premiums of $150,000-$175,000 per annum for a $10 million cyber insurance plan.

According to Mr. Robert Trong Tran, Director of Cyber Security Services at PwC Vietnam, while cyber defense is the main protection against hackers, cyber insurance is the main financial protection for enterprises, as it can enable them to swiftly recover operations after being compromised.

“Figures from the US indicate that 60 per cent of companies that fell victim to cyber criminals have to declare bankruptcy afterwards,” he said. 

“This is mostly because they cannot handle the financial losses from the attacks. Besides losses from business interruption, companies also have to compensate other affected parties, like customers or business partners, if they are sued. And since there is no perfect cyber defense technology, cyber insurance is definitely the only resource that can help companies recover and stay in business.”

Hard to buy, hard to sell

Although it is an insurance product at its core, cyber insurance often presents a number of challenges for both buyers and sellers.

The product is quite new and, as such, industry standards are not clear, and the nature of cyber risks for each customer is unique.

For insurers, it’s a huge challenge to properly estimate the risks of losses for a customer from cyber attacks by solely depending on the customer’s data from past attacks, which is inaccurate most of the time. 

The current cyber defense capability of a customer is also not the most reliable indicator of its risk of being successfully compromised in the future, as there is no perfect cyber defense technology.

Besides this, the risk of a customer conducting a cyber attack on itself for compensation must be calculated, since hackers are always anonymous and are seldom caught.

As a result, insurers tend to be extra careful and often suggest a high premium, ask the customer to invest more in cyber defense technology, or insist that the customer take a designated cyber security test beforehand.

Companies that look to buy a cyber insurance plan will also have to face a number of obstacles. 

They may find it hard to differentiate between insured and non-insured items within a cyber insurance plan if they do not seek advice from a cyber insurance expert. 

Moreover, companies often look to buy a cyber insurance plan after being attacked, but the risks and losses of each cyber attack are different. 

This makes it even harder for companies to choose which items to insure in the most cost-effective way. 

Mistakes in maintaining and updating cyber defense systems as required by the insurance plan may also prevent companies from being compensated.

In 2015, the database of a major life insurance enterprise in the US was compromised and hackers managed to steal the health documents of almost 80 million individual customers. 

Although the enterprise had a $150-200 million cyber insurance plan in place, experts note that compensation would not be able to cover the possible losses of up to $1 billion resulting from the incident.

Mr. Phillipe Robineau, CEO of Gras Savoye Willis Vietnam, an insurance brokerage company, emphasized the critical need for companies to involve cyber security experts in the process of buying a cyber insurance plan, in order for it to be effective.

“Leaders of information technology and cyber defense technology at a company must be involved in the process of buying a cyber insurance plan,” he said. 

“They must be in discussions with the risk compliance leader of the company to mutually agree on insured and non-insured items before compiling any formal documents. Buying a cyber insurance plan is a complex and time-consuming process, so it is vital to seek professional advice from relevant experts.” 

VN Economic Times