Advancements in the IT sector are opening up new applications, but also creating new risks. So-called cyberrisks pose mounting challenges for companies, and corporate risk management needs to consider the threat of losses in turnover and reputational damage.
In 2011, more than 232 million data records containing personal information were stolen or compromised globally, of which about 23 million records related to people in the United States. According to the "Cost of Cyber Crime" study conducted by the Ponemon Institute, stolen data records can cost an average of US$ 200 per person. In Germany, crime statistics compiled by the police indicate that about 60,000 cases of cybercrime were recorded in 2011.
Cyberrisks can take a wide variety of forms. Virus infections, internet fraud, industrial espionage, misuse of personal data (identity theft), copyright infringements or denial-of-service attacks that block targeted sites by overloading them with communication requests - the companies affected may suffer extensive loss either in terms of turnover or as a result of liability claims made by clients or business partners.
Most traditional property and liability policies provide no cover for cyberrisks. That is why there is increasing demand in the corporate sector for insurance solutions that address this new risk situation and especially its inherent potential for loss accumulation. Depending on their design, individual policies may now cover a wide range of first-party and third-party losses. A British market research firm reports that 30% of major US companies have already acquired cover against cyberrisks, as compared to just 5% of the companies in Europe. "Adequate insurance against data abuse should be a standard element of commercial insurance because this is a context in which any company can suffer loss of turnover or image impairment", states Thomas Blunck, member of the Munich Re Board of Management.
Munich Re recently published a comprehensive brochure on cyberrisks. In addition to illuminating specific aspects such as the issue of liability for Facebook parties or the special legal situation in the USA, the brochure "Cyberrisks: Challenges, strategies and solutions for insurers" offers an overview of the various types of loss and liability. Cyberattacks can burden companies with substantial costs, for example:
- Due to business interruption resulting from the disruption of IT operations or the necessity of conducting a forensic investigation of the causes
- For legal counsel, attorneys and penalties or for defence against lawsuits
- For data and system recovery, notifying the clients affected and repairing reputational damage
- For liability vis-à-vis third parties, an aspect important particularly in the USA, where there is the risk of especially high damages claims (also via class actions).
Munich Re utilises its Group-wide know-how to offer made-to-measure cyberrisk covers. Hartford Steam Boiler (HSB) in the USA offers a Data Compromise programme to help small and mid-sized businesses respond to a data breach. HSB reinsures and manages the programme for other insurance companies, so they can include the cover in their business-owners and commercial package policies. "When a data breach occurs, customers expect prompt notification and assistance. We help businesses to respond to data breaches by covering the cost of client notifications and services for victims of identity theft", said Eric Cernak, HSB Vice President for Strategic Products.
Insurers face an entirely different challenge in cloud computing, i.e. the shifting of computing capacity, storage, platforms and software to the internet. Here, Microsoft and Munich Re have set up a strategic partnership this year to find common answers to issues involved in commercial cloud computing services.