Risk assessment becomes a success factor in cyber insurance

5.8.2024 – In today’s world, companies cannot ignore the danger of cyber risks. Sustainable investments must be made in IT security. The focus should be on holistic solutions for prevention and response to damage. A key component of this is risk assessment. Insurance companies and insurance brokers also play an important role here, writes Gerrit Knichwitz, Managing Director of the IT service provider Perseus, in his guest article.

The signs point to growth, at least with regard to the trend in cyber insurance policies taken out. According to the Federal Financial Supervisory Authority (Bafin), business with pure cyber policies more than doubled across all customer groups and regions in the period under review from 2020 to 2022.

Gerrit Knichwitz (Image: Perseus)

Policyholders are very deliberate when choosing cyber insurance. When taking out a policy, they focus in particular on the benefits provided in the event of a claim. According to a study conducted this year by Statista GmbH, these include, for example, 24/7 advice (63 percent), coverage of the costs of restoring IT systems (62 percent) and access to IT forensics experts (59.5 percent).

Without prevention there is often no protection

The factor of preventive services also plays a very important role when taking out a policy. Offering preventive solutions is a win-win situation for policyholders and insurers. Targeted preventive measures prevent damage from occurring or reduce its extent.

Services such as raising employee awareness, having processes in place in the event of an emergency and compliance with minimum standards in the area of IT security are now often considered by insurance companies to be minimum requirements for taking out insurance.

If mandatory measures cannot be proven in the event of a claim, this will affect the insurance cover. In some cases, claims will not be covered, premiums may be adjusted when the contract is renewed, or insurance cover may be canceled completely.

Reducing cyber risks is a top priority

A look at current events shows why taking out cyber insurance is advisable for companies regardless of their size. Three quarters of all companies are affected by cybercrime. According to Bitkom e.V., this results in a loss of more than 200 billion euros annually.

To avert these threats, companies must invest in holistic solutions. We see an interplay of two components here.

On the one hand, a company’s cyber risk must be minimized through prevention. This is done by strengthening the company with the help of technical and organizational risk assessments and raising employee awareness. These measures help ensure that criminal hackers encounter active defenses during their attacks.

On the other hand, the effects of a possible cyber attack must be reduced. Emergency management and financial protection against residual risk play an important role here.

The focus of prevention: risk assessment as an all-rounder

While regular awareness-raising among employees has become standard in prevention, the importance of risk assessments in the fight against cybercrime is increasing rapidly.

Companies benefit immensely by searching specifically for existing technical and organizational security gaps, uncovering them and closing them early. This way, a large number of cyber attacks and the associated consequences such as business interruptions, damage to reputation, loss of customers, competitive disadvantages or fines can be avoided.

Determine insurance premiums appropriate to the risk

But it is not only companies that benefit from the use of risk assessments. Insurers can also use the results of these analyses. Among other things, the insurance premium can be determined in a more risk-appropriate manner, as the individual risk profile of the policyholder can be taken into account.

Insurers can also better select which risks they want to cover and negotiate better terms with reinsurers. Ultimately, customer satisfaction and loyalty can also be increased by offering a holistic range of advice within the risk assessment.

Great need for risk assessments among SMEs

Small and medium-sized companies with up to 100 employees often have little or no internal resources to assess their own IT security threat situation. Therefore, external resources and experts must be used to determine whether the company is sustainably positioned against cyber risks.

In these cases, technical and organizational risk assessments are the most effective means of obtaining the necessary and meaningful results on the risk situation.

The risk assessment analyses we have carried out confirm that there is still a lot of catching up to do. Companies are certainly investing in their IT security. Basic technical protection measures such as anti-virus programs and firewalls as well as organizational and procedural measures such as creating data backups and securing access with passwords are in place.

Nevertheless, there are vulnerabilities in companies’ IT infrastructure. For example, log files are not adequately monitored and multi-factor authentication is often not used in relevant areas. These deficits can be identified early on through appropriate risk assessments.

Need for advice: The focus is on the agent

Insurance brokers can also encourage SMEs to carry out risk assessments by proactively addressing the analyses during the consultation and suggesting them to the company. It is not necessary for the broker to provide specialist advice. This investigation should be carried out by trained and experienced service providers.

The insights gained from the analyses not only reduce the likelihood of cyber attacks occurring, as existing security gaps are revealed at an early stage. They also help to identify particularly business-critical areas, identify particularly sensitive data, prioritize and implement processes, and ultimately create emergency plans.

Insurance companies and insurance brokers also have an important role to play in driving this fundamental trend forward. By making structured risk assessments part of cyber insurance and continually addressing the topic in consultations, risks can be reduced, damage avoided and damage costs minimized.

Gerrit Knichwitz

The author is managing director of the cyber security and IT service provider Perseus Technologies GmbH with more than ten years of experience in the finance and insurance industry.
