Demand for cyber insurance and, more importantly in many cases, the associated risk analysis and management services that come with it, is on the rise within the SME community across the Benelux region as the deadline for implementation of the EU General Data Protection Regulation (GDPR) nears, according to Frank Vanhoonacker, underwriting manager professional liability and cyber financial lines at AIG.
The GDPR will become effective in May 2018. Those EU companies that control or process customer data, as well as companies outside the EU that sell products and services to EU customers, must comply with its strict data privacy rules. Those that infringe the new rules face potentially huge fines of up to 4% of annual turnover or €20m, whichever is greater.
These fines should be insurable in many EU states, with the notable exception of Germany, so it comes as no surprise that interest in cyber insurance is fast picking up in Europe.
Frank Vanhoonacker, underwriting manager professional liability and cyber financial lines at AIG, told Commercial Risk Europe that he has seen fast-rising interest in cyber insurance as the clock ticks down towards the GDPR deadline.
But Mr Vanhoonacker – a key speaker at Commercial Risk Europe’s Risk Frontiers Belgium conference in Brussels, sponsored by AIG, Aon, Chubb and Marsh – said the GDPR is not the only spark driving demand. He said the daily flood of news about high profile and highly damaging cyberattacks, along with the realisation among companies of all sizes that no one is immune, are clearly also pushing cyber risk up the corporate agenda.
“When cyber insurance first came to Europe about four years ago, most people assumed it was only really relevant for financial institutions and multinationals. But now all companies – including SMEs – are waking up to this risk. The GDPR goes live in six months and this is driving demand and awareness,” Mr Vanhoonacker told Commercial Risk Europe on the morning of the event, held in partnership with Belgian risk management association Belrim.
“There has also been quite a growth in crypto lockers. Almost half of the claims we see are caused by crypto lockers and these affect many SMEs. Manufacturing companies, which are less dependent on data than [most] companies, have also been hit and so realise they are not immune. This is a new source of income for the criminals and they are chasing it hard. Customers need help to prevent the losses and protect themselves, and this is what we offer,” added the underwriter.
Crypto lockers are a family of ransomware that extorts money by hijacking computer systems.
The underwriting approach taken by AIG and its competitors differs widely depending upon the size and complexity of the customer. Big multinationals require highly tailored cyber solutions that can be built into existing programmes. These tailored solutions often involve in-depth data sharing and risk analysis work with partner companies before cover can be offered. For SMEs, the process is a lot more commoditised and simpler. The cover is naturally limited, but in most cases it is the associated services on offer that attract these kinds of buyers, said Mr Vanhoonacker.
“For SMEs, we unfortunately cannot afford to spend a lot of dedicated time with the customer and broker. This is a mass market approach based on three to four questions that produces a standard rate for a basic good coverage. The customer actually frequently buys the cover for the services…this is how we try to distinguish ourselves from the competition, with a whole set of pre- and post-loss services that are given depending upon the premium paid,” he explained.
These services include an IP blocking system that effectively provides an additional firewall up to ten times more effective than standard firewalls, said Mr Vanhoonacker.
AIG also works with a consulting firm to carry out full analysis of the customer’s systems to identify their weaknesses and offer solutions on a worldwide basis. In the Benelux region, AIG benefits from two top-level, dedicated internal IT experts who can help customers. Another partner firm – Bandura – offers employee awareness training in English or local languages.
In addition, customers can have access to a 24/7 call centre after a cyber loss occurs and, via an SLA agreement, gain access to two law firms and KPMG’s forensics team within an hour of the incident taking place.
“This is the main package of services designed to protect against losses occurring in the first place and assisting them when the incident occurs. This is why this product is not all about exemptions and exclusions – this is truly an end-to-end solution. It has advantages for international companies too, because a lot of SMEs in Europe have subsidiaries abroad and a lot of the centrally based legal counsel do not know the local privacy laws and how they are applied. This approach delivers a solution to this,” explained Mr Vanhoonacker.
This article first appeared on Commercial Risk on 30 November 2017.