While still lagging the United States, more European companies are now buying cyber insurance products, according to an Advisen survey of European risk managers, sponsored by Zurich.
Unlike their American counterparts, however, data security is not a strong incentive for purchasing coverage. Instead, business interruption protection is what many European buyers are most interested in.
Thanks largely to state notification laws, data breaches can be messy, embarrassing and expensive ordeals for American companies. Without similar notification laws – at least so far – data breaches are less of a concern to European companies. According to brokers in the European cyber marketplace, the more pressing issue for European risk managers is operational risk, especially business interruption.
European risk managers are concerned about their organizations’ networks being compromised, but they seemingly are less troubled than American risk managers about the consequences of data being stolen.
A recent report from reinsurance broker Guy Carpenter notes: “Technology is indeed a critical enabler of a supply chain’s operations.” Concerns about cyber-related supply chain disruptions have grown as hactivists such as the hacker collective Anonymous have targeted businesses and governments throughout the world, and as cyber terrorism has grown as a threat.
One of the boldest and most highly publicized attacks was against the oil company Saudi Aramco, in which a malware attack took out 30,000 workstations in August 2012. It took 10 days to restore the network. Fortunately for the company, its oil and production systems were not affected. Otherwise, the damage could have been much greater.
Companies should be concerned not only about the consequences of disruptions on their own networks, but also those of key suppliers. If hackers had been successful in disabling Saudi Aramco, which operates the world’s largest hydrocarbon network, the impact would have cascaded through the world’s energy and chemical markets. It sometimes takes the loss of only a few key suppliers to disrupt global markets in certain products, as was seen in the 2011 Tohoku earthquake and tsunami, and the Thailand floods, which particularly affected the technology and auto industries.
Although many organizations have a material exposure to cyber-related supply chain disruptions, U.S. companies typically view supply chain exposures as only about 15 percent of their overall cyber risk, according to Peter Foster, executive vice president, FINEX, for Willis, speaking at Advisen’s recent Cyber Risk Insights Conference in London. He said US companies tend to underestimate their exposures because they either have never had a loss themselves or they have not been exposed to them in the media.
Coverage for loss income and extra expenses resulting from a network security breach, including a denial of service attack, is typically available in cyber risk insurance policies. Coverage for contingent business interruption exposures, however, is more difficult to find.
Experts advise that cyber risks should be viewed alongside traditional property perils such as fire and windstorm, and incorporated into a company’s overall supply chain risk management strategy. According to panelists at the Advisen conference, this process can and often should include an evaluation of the network security procedures of suppliers and business partners.