EU and national legislators should draft guidelines outlining what kind of damage from hacking could be covered under cyber insurance, the EU cybersecurity agency ENISA has said.
Cyber insurance is a small field in Europe, but companies are starting to offer more policies to cover losses from hacking incidents, according to data published in a new report from the Athens-based agency.
Around 50 companies offer cyber insurance in the EU, where premiums total between €3.5 billion and €4.7 billion per year.
ENISA is encouraging more companies to take out cyber insurance policies as one measure that could help them bounce back more quickly after they’ve been hacked.
“Increased adoption of cyber insurance would prepare the market to respond more effectively to large-scale incidents such as WannaCry and NotPetya and support the economic sustainability of organisations affected by similar major incidents,” the agency wrote, referring to the two large-scale attacks that hit Europe earlier this year.
Danish shipping giant Maersk reported an expected loss of more than €350 million from the June attack known as Petya or NotPetya.
The cyber insurance industry is nonetheless growing quickly, and ENISA predicts that even more companies will start purchasing policies once two new EU laws go into effect next year.
The so-called NIS directive, the first piece of hard EU cybersecurity law, requires operators of infrastructure that is critical to society, including in energy, transport and banking, to notify public cybersecurity authorities of security incidents that have a significant impact on their services. Under the EU General Data Protection Regulation, an organisation that controls personal data will have to notify the supervisory authority when a breach of that data occurs, and an organisation that processes data on a controller's behalf will have to notify the controller.
ENISA pointed to the United States as a forerunner for cyber insurance: companies started purchasing more insurance policies when laws there required similar notification about incidents. There are now more than 130 companies offering cyber insurance in the US.
An ENISA executive recently told EURACTIV that EU legislators should discuss liability issues relating to cybersecurity incidents.
“We need to understand where the liability really stands. If you have a car accident but the problem was in the chip which was embedded in one of the many systems in the car, several layers down in the architecture, how do you distribute liability? And how do you prove it was indeed due to the chip because it’s a complex system in which there are many things happening?” Steve Purser, the agency’s director of operations, said in an interview.
ENISA is also in charge of drafting new standards for EU-wide certification that will identify the security level of different technology products. The European Commission proposed the certification programme in September.
According to ENISA’s report, the financial sector faces the most severe and volatile cybersecurity risks.
To match the predicted growth in the cyber insurance industry, ENISA wants EU and national public authorities to agree on criteria for the kind of damage that should be covered by insurance providers.
The agency has proposed partnering with the Commission to come up with guidelines for insurance companies, including an outline of how they should assess firms’ cybersecurity risks.
The agency also recommended that EU authorities set up a centralised database on cybersecurity incidents so that companies could compare information about hacking attacks in different sectors. An ENISA survey of insurance providers found that they often do not have the right kind and amount of data to understand what cybersecurity risks companies face.
“The market is lacking realistic information on risk quality and, often, the in-house skills to process this information,” the agency wrote.
ENISA argues that an EU-wide database and guidelines to help insurers assess cybersecurity risks could improve the quality of information about attacks.
“Lack of data makes it very difficult for insurers to properly understand which industries are facing which threats, what is the motivation behind them, what is the loss frequency or severity, what is the loss correlation between industries, countries etc. On top of that, cyber insurance carriers are very reluctant to share their existing information amongst them,” the report says.