Marsh: More German firms turning to cyber insurance


Reporting by Jonathan Gould and Andreas Kroener, editing by William Hardy

The rising number of hacking attacks is prompting more companies in Germany to seek cyber insurance protection, insurance broker Marsh said on Tuesday.

While cyber premiums in Germany are expected to be worth only around $10 million this year – compared with $2 billion in the United States – the German market is expected to grow by 30 percent per year in the future, Marsh estimated.

“We are seeing a wave of enquiries that will lead to many more contracts in the coming months,” the head of Marsh’s German business Georg Braeuchle told a news briefing.

Many insurers see cyber as a key growth area at a time when premiums in other types of insurance are under pressure due to a chronic oversupply of available insurance.

However, insurers are also advancing cautiously and will not cover all the losses a company could face from a cyber attack.

Marsh has brokered 46 contracts so far this year in Germany, compared with 20 in all of 2014, with industrial espionage and hacking attacks – such as one that forced the German parliament to switch off its entire computer system – helping to raise awareness.

“People are more conscious of the vulnerability of their own IT departments,” Braeuchle said, pointing out that interest was coming not just from online companies but also manufacturers, banks and health care providers.

Around 15 insurers are active in the German market, including Allianz, Axa, Hiscox, Ace, AIG, Talanx, Munich Re, XL Catlin and Zurich, allowing individual clients to take out up to 500 million euros ($562 million) in cyber risk cover.

Cyber insurance is still finding its feet in Germany, with buyers and sellers working to get to grips with pricing and risk, but at least one damage claim of nearly 100,000 euros has been paid already in a telephone hacking incident, Marsh said, without giving details.

Credit rating agency Standard & Poor’s on Tuesday said it would not look favourably on banks that relied solely on cyber insurance as protection against hacking.

“We view weak cyber security as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades,” Standard & Poor’s said. ($1 = 0.8897 euros)

Cyber-insurance: What you need to know?

By Roland Hung | Canadian tech law blog

A question that I often get from clients is one about cyber-insurance. In light of the recent passing of Bill S-4, better known as the Digital Privacy Act, the Personal Information Protection and Electronic Act (“PIPEDA”) has now been amended to include mandatory breach notification provisions. While these mandatory breach notification provisions are not yet in force, it is a good time to review your cyber-insurance coverage.

As data breach incidents continue to rise, and legislative regimes provide more and more stringent regulation of data breaches, including the proliferation of mandatory breach notification provisions, the expense associated with data breaches also rises. Estimated costs of dealing with a data breach, even to resolve a potential attack, or an attempted breach, have been as high as $600 000. Costs can be incurred as a result of forensic and investigative activities, assessment and audit services, crisis team management, and the necessary internal and external communications. As these incidents increase in number, scope, and impact, organizations are looking to transfer the risk associated with informational security breaches.

The most common way of transferring risk is by obtaining insurance policies: if the risk is insurable, the risk is transferable. Cyber and privacy insurance has been available on the market for the last decade, covering organizations’ liability for a data breach in which the organization’s or customers’ information is lost or stolen. Marsh Inc., a global insurance broker, said that the number of organizations that purchased cyber insurance in the US increased by 33% from 2011 to 2012, and that cyber insurance is currently the fastest growing area of commercial insurance in the world. Policies vary, with cyber insurance offered as an add-on, included in more general policies, or sold as a distinct product. Marsh Inc. also noted that the lesser growth of cyber insurance in Canada compared to the US is likely due to the higher number of mandatory breach reporting regimes in the US.


An important preliminary note is that cyber insurance is often confused with technology errors and omissions insurance (commonly called “Tech E&O” insurance). Tech E&O insurance protects providers of technology services or products, such as software designers and manufacturers, whereas cyber insurance protects consumers of those products and services.

Generally, cyber insurance is divided into first party coverage protecting the policyholder, and third party coverage protecting from third party claims against the policyholder. First party policies may cover:

(a) The costs associated with determining the scope of the breach and taking steps to stop the breach;

(b) The costs of providing notice to individuals whose identifying information was compromised;

(c) Public relations services to counteract the negative publicity that can be associated with a data investigation;

(d) The costs of responding to government investigations;

(e) The costs of replacing damaged hardware or software;

(f) The costs of responding to parties vandalizing the company’s electronic data; and

(g) Business interruption costs.

Third party policies may cover:

(a) Liability for permitting access to identifying information of customers;

(b) Transmitting a computer virus or malware to a third-party customer or business partner;

(c) Failing to notify a third party of their rights under the relevant regulations in the event of a security breach; and

(d) Potential “advertising injury,” i.e., harms through the use of electronic media, such as unauthorized use or infringement of copyrighted material, as well as libel, slander, and defamation claims.

Cyber insurance can also cover specifically the crisis stage of a data breach. This could include any expenses related to the management of the incident, such as investigation, remedial steps, required notifications, call and public relations management, credit checks for the subjects of the data, and any legal costs including fines or the costs of running a suit.

Limitations of Coverage: Relevant Considerations

It is important to determine the extent to which your organization’s cyber insurance policy will protect against liability for breaches. Because all insurance policy coverage is dependent on the particular terms and conditions in the policy at issue, organizations looking to obtain cyber insurance should consider a number of questions, including those detailed below. In general, organizations should ensure that their response plan to a potential or actual breach is consistent with their insurance policy.
