Yelena Gerassimenko, Senior Consultant, IT Advisory, KPMG in Kazakhstan and Central Asia

“I am delighted to submit for your attention an article by Vincent Maret, Partner and Head, Cyber Security Services, KPMG in France, entitled: “Cyber Insurance: An Opportunity to Lead in A Growing Market.”

Today, against the backdrop of an increasing number of cyber attacks and regular mass media coverage of instances of theft or loss of customer data by major corporations, the need for effective cyber insurance is becoming a priority issue for companies globally. The growing demand for services, situation on the market and awareness of existing risks create favorable insurance opportunities for insurance companies which are ready to act now to obtain market share and secure customer loyalty.

In his article, Vincent Maret talks about the four aspects that insurance companies should consider in order to increase the level of knowledge on this burgeoning type of insurance.

In Kazakhstan’s information space, as incidentally is the case globally, a constant and stable trend of increasingly frequent cyber attacks can be discerned, which is attributable to the unabated interest of hackers in the protected data of the financial sector, legal and state organizations. However, despite rapid growth on the cyber insurance market globally, the level of demand for insurance services in Kazakhstan remains low.

However, the situation may start to improve soon – the National Bank of the Republic of Kazakhstan is pioneering new and more stringent rules for ensuring information security for banks and other organizations related to the provision of financial services from 1 December 2018.”

Author: Vincent Maret, Partner and Head of Cyber Security Services, KPMG in France

Cyber attacks are on the rise. Hackers are increasingly looking to take advantage of security vulnerabilities to steal valuable customer data, including financial details and sensitive personal information. For corporations, the impact of these attacks goes far beyond data loss. From significant public relations fallout and loss of customer trust to stiff regulator penalties, a single successful cyber attack can paralyze a corporation's operations, and damage their reputation and profitability for years to come.

Yet, despite very real risks of cyber attacks, many corporations struggle to know how to respond appropriately. In KPMG's 2018 Global CEO Outlook, many CEOs believe a cyber attack on their business is inevitable, with 68% of US-based CEOs saying it's just a matter of time. However, only 51% of CEOs worldwide believe they are well prepared for a cyber attack.

Today, businesses of all sizes struggle to identify, assess vulnerability for, and respond to the explosion of digital threats and targeted cyber attacks. This is a significant gap — and one that insurers can help corporations bridge.

Cyber insurance gaining ground

The cyber insurance market is a small but growing part of the insurance sector that helps corporations protect against digital threats. Allianz estimates that cyber insurance currently represents about US$2 billion in premiums worldwide, with the US market accounting for approximately 90% of that total. However, as the incidence rate of cyber attacks continue to climb — and corporations are increasingly in the news for losing their customers' data, effective cyber coverage becomes an increasing corporate priority. Cyber insurance premiums globally are expected to reach US$20 billion by 2025 (A Guide to Cyber Risk, Alianz).

This growing need, market, and corresponding awareness of risk creates a significant opportunity for insurers willing to move now to capture market share and build customer trust.

The challenges of cyber coverage

Despite the scale of the opportunity, providing cyber insurance is not without its complications.

While most insurance products are based on decades of actuarially sound, aggregated, and shared data, cyber insurance is more risky. Not only is this type of insurance far newer, but the information surrounding associated risks and vulnerabilities is also more fragmented. One way that insurers can better understand and price for cyber risks is through the GDPR regime, which compels certain firms to make mandatory declarations of data. However, the extent to which insurance companies will obtain access to this disclosed GDPR data, both now and in the future, is not currently clear.

Assessing the risk of and coverage against digital threats is also difficult, with many insurers challenged by the complexities of pricing cyber insurance products. There is also uncertainty in the market as to whether businesses have coverage against cyber attacks as part of current policies, and if so the degree of coverage provided.

Another factor to consider is that, as businesses in possession of significant volumes of highly sensitive customer data, insurance companies are themselves prime targets for cyber attacks. As insurers transform legacy systems and manual processes to become more reliant on new technologies and platforms, the corresponding risk of attack and need for cyber security grows. This means that cyber security must become a priority for all insurers, regardless of the client base served or type of coverage provided.

Four steps to increasing awareness and uptake

For insurers looking to increase awareness and uptake for this burgeoning form of insurance, consider the following four steps:

1. Be proactive. By proactively measuring clients' current data security maturity level, insurers can estimate the potential impacts of a cyber attack on the business and its clients before an attack occurs. Not only does this work provide value to individual clients and reduce individual risk areas, but it also helps shape the structure and pricing of cyber insurance products moving forward.
   
2. Educate. Despite the growing rate of cyber attacks, some customers are not fully aware of the potential risks, associated impacts, or available coverage. Clear and targeted education campaigns that focus on cyber risks and mitigation strategies can help clients understand the need for coverage, and the types of cyber insurance available.
   
3. Collaborate to collect. Working together, insurance firms, professional associations and regulators can develop the scope of data required to appropriately structure, price, and sell cyber insurance as a core part of any firm's overall insurance profile.
   
4. Focus on smaller clients. Cyber attacks can affect organizations of all sizes, as well as individual professionals such as lawyers and doctors who handle sensitive information. Cyber insurance products for these smaller players is a huge and largely untapped market.
   

Cyber insurance is a rapidly growing segment of the broader insurance market. Insurers that take key steps now can quickly find themselves at the forefront of this new and increasingly necessary market.

Author

Vincent Maret, Partner and Head of Cyber Security Services, KPMG in France.

Vincent has 20 years of consulting and auditing experience within cybersecurity and personal data protection, especially around operations, technology and governance. At KPMG, he leads a team of professionals in supporting clients on GDPR compliance, security architecture reviews, intrusion test campaigns, definition and managemant of security policy and more.