Cyber

Our society is digitizing and online business is booming. This digitalisation entails new risks that citizens and businesses are not always sufficiently aware of. This is evident, among other things, from a growing number of cyber incidents with a major impact on companies, such as problems with business continuity or reputational damage. The Dutch Association of Insurers strives to raise awareness of the risks and to reduce the risk of damage caused by cyber incidents. How? You can read that on this webpage.

Cyber risks and crime

Cybercrime is a collective term for offences such as fraud, theft or extortion via the internet. For example, criminals can steal identity data to commit fraud. They also try to disable computers or servers and then demand a ransom. As a result, entrepreneurs run the risk that business continuity is endangered or that customer data is leaked, resulting in reputational damage and loss of customers. The number of cyberattacks aimed at holding systems hostage and demanding ransoms is increasing rapidly. Deloitte estimated the total loss of value due to cyber risks for the largest Dutch companies and government in 2016 at 10 billion euros per year.

In addition to crime and vandalism, other things can also go wrong in the digital world, causing systems to fail, data to be lost and damage to occur. Human actions are often the cause of this, due to the improper execution of protocols, easy-to-retrieve passwords and other carelessness. But the system itself can also fail due to a bug or software error.

Size of cyber insurance market

Despite the increase in cyber risks, insuring these risks (private and business) is not yet a matter of course in the Netherlands. There are three reasons for this:

  • Citizens and businesses are not yet sufficiently aware of the risks.
  • Sometimes there is the perception that cyber risks are covered by existing insurance policies such as (business) liability, electronics and fire. This is also called silent cyber coverage. Unfortunately, in most cases these risks are not covered.
  • The limited supply of cyber insurance. The CPB Netherlands Bureau for Economic Policy Analysis (CPB) concludes that a lack of insight into the costs and benefits of cyber security is an obstacle to the development of an insurance market for cyber risks. More than ten insurers now offer cyber coverage, mainly to companies and to a limited extent to individuals.

Cyber insurance premium volume

According to the Association's Data Analytics Centre, the gross premium turnover of cyber insurance in the Netherlands amounts to approximately 25 million euros (2020). This is very modest compared to the more than 2 billion dollars in the United States. The share of cyber insurance is also small compared to the gross premium size of the total Dutch non-life insurance market in 2020 (14.4 billion euros).

Business market

Although the premium volume has increased in recent years and the Netherlands is not doing badly compared to other European countries, the absolute numbers remain small, especially given the dense ICT infrastructure in our country. In addition, the vast majority of the cyber insurance on offer is aimed at the business market. The market for private individuals is even more in its infancy. Some of the cyber risks are covered by more traditional insurance, such as liability and fire.

Total package

Business cyber insurance offers a total package, see the chart. This includes:

  • Advice to identify cyber risks and take measures.
  • Help if things do go wrong in the form of legal, forensic, technical and communicative assistance.
  • Repair of damage such as replacement of computers, systems, software and data recovery.
  • Compensation for financial damage suffered.

Insurers often work together with partners in the field of IT, security, legislation and regulations, forensics and communication.

Graph: Percentages of coverage on a cyber insurance (package)

Initiatives of the Association

Digital Security Risk Class Classification

With the help of the Digital Security Risk Class Classification, entrepreneurs and companies gain insight into the cyber risks and information about prevention measures. On the basis of eleven questions, an estimate is made of the risk of a cyber attack. This assessment determines in which risk class a company falls and which concrete prevention measures can be taken. The Association has been closely involved in the development of this tool.

SIVI codes for recording the cause of damage

The knowledge and standardization institute for financial services, SIVI, will soon publish the first codes of damage causes for the cyber insurance sector. These have been developed in consultation with the Cyber platform. The purpose of these codes is to achieve clarity in the sector by using specific codes when registering a cause of damage. The codes follow a subdivision into main categories and subcategories. The main categories for causes of damage are: crime, theft and human activity. Then come the more specific subcategories, which are further subdivided into specific causes of damage such as phishing, data leak, ransomware, etc. In the coming period we will see how the codes spread through the insurance sector and whether they may need further additions.

Market Monitor

What is happening within the sector in the context of cyber insurance? This question is answered once a year with the Market Monitor of the Association. In this way, the trends in the market are kept up to date.

MKB-Nederland / VNO-NCW

The Association also participates in the Cyber working group of MKB-Nederland and VNO-NCW. This working group focuses on promoting risk awareness among (SME) entrepreneurs and develops industry-specific instruments under the heading 'Together Digitally Safe'.

Ransomware and ransom

Incidents at Maastricht University and the municipality of Hof van Twente, among others, have stimulated the discussion about (insuring) payment of ransom. Politicians, the Minister of Justice and Security and the police urge never paying a ransom, but daily practice is unruly. Nynke Brouwer obtained her PhD with a thesis on cyber insurance. She calls a ban pointless: "It does not necessarily lead to fewer payouts." You can read a conversation about her dissertation, the role of insurers and the sense and nonsense of ransom here.

Insurers prevent paying a ransom

Insurers do everything they can to prevent a company from having to pay a ransom after a hack. The minister calls for a ban on insuring compensation of ransoms. However, the Association points out that in practice this yields very little and even backfires. Insurers ensure that companies do not respond to ransom demands and first do everything they can to solve the problem in other ways. Insurers incur many extra costs for, among other things, technical and forensic research. Assistance and reimbursement of costs are already covered. This can help entrepreneurs concretely and can often prevent the payment of a ransom or significantly reduce the ransom amount.

During the livestream Security, risk and claims in balance, a start was made with the discussion on this topic, which was then continued during a few round table discussions.

Cyber security of insurers

The insurance companies' own cyber security is also of great importance. In order to make an operational contribution to the cyber security of the sector itself, services are provided via the Computer Emergency Response Team (i-CERT) for the insurance sector. In addition, there is a special platform (Insurance ISAC) for Chief Information Security Officers (CISOs) of insurers. This stimulates knowledge sharing and thus contributes to digitally safe business operations by insurers.

i-CERT

The i-CERT is supported by the Verbond's Centrum Bestrijding Verzekeringscriminaliteit (CBV). This central service continuously informs and advises insurers about current cyber threats and coordinates collective actions where necessary.

Interviews on insurance cybersecurity (2020/2021)

Insurability of cyber risks

The increase in the number of cyber attacks means that insurers are becoming increasingly critical when it comes to insuring cyber risks. The cyber insurance market in the Netherlands is relatively small and in full swing. Partly as a result of this, insurers have different attitudes when it comes to covering these risks.

The elusiveness of cyber risks, due to a lack of data and the risk of accumulation of incidents (and therefore very large damages), can lead to making (extra) demands for prevention, limiting maximum compensation, adjustments in premiums or even stopping insuring these risks. Each insurer makes its own assessment.

Similar developments are taking place in the US and neighbouring countries, such as Germany, France and the UK.

Last changed on: 11/07/2023