Good role models are hard to find. Thus insurers on a quest for new business lines would do well to pay close attention to Estonia, the small Baltic republic where cyber security is writ larger than anywhere.
In April, Estonian President Toomas Hendrik Ilves highlighted his country’s success in safeguarding Internet freedom and implementing cyber-security measures. In an opinion piece in the International Herald Tribune, Ilves explained that Estonia’s cyber-security achievements came on the heels of a countrywide cyber attack five years earlier that targeted government websites, newspapers and banks and overloaded servers to the point of shutting down the country’s digital infrastructure for days.
While the attacks on Estonia were harsh, they were just part of a rising tide. As consumers, corporations and small businesses have moved onto the net, criminals and online mercenaries have followed. This, in turn, has created a huge need for online actors to protect individual and group rights of market participants. The situation today has reached the point where this protection system is moving beyond the need for technical and legal measures to a need for online insurance — not as a channel for marketing standard products such as a life plan, but as cyber insurance, such as corporate covers of financial liabilities related to data breaches.
In coverage terms, cyber insurance is a wide term for first-party and third-party liability protections. First-party policies can reimburse companies, for example, for the direct and indirect economic damage of having data destroyed by a malware (malicious software) attack. Third-party cover could be vital for companies that host online debates where hosts may be held accountable for libel found on their sites, or it may jump in when data hosting companies are held liable for exploitation of credit card numbers that were hacked from their servers.
The United States Department of Commerce describes cyber-insurance as potentially an “effective, market-driven way of increasing cyber security.” This is a reference to the value that insurers can add to the expanding web economy by identifying market needs of customers and researching what areas of business are most vulnerable, while advocating for cyber-security solutions.
Estonian President Ilves called the attacks on his nation a “blessing”, because they inspired Estonia’s commitment to cyber security and pushed the government and private sector to invest in better protection at a time when cyber assaults were nowhere near as threatening as attacks can be today. As further sophistication of malware comes in tandem with the increasing breadth of services the Internet has to offer, cyber-security solutions help in preventing such attacks.
But these methods cannot be relied on as the only defense, and here is the point where insurance companies, with their sound commercial interest in prevention, can step in to compel clients to greater preparedness and at the same time provide the security that they need if they fall prey to an attack.
Even with our terrible connection speeds…
Lebanon is a country where e-banking is slowly reaching a threshold of prevalence and this means that cyber insurance is something that providers and commercial clients need to be aware of, ideally without suffering direct wake-up calls akin to the pre-paid card fleecing that two banks in the Gulf suffered earlier this year.
The expansion of cyber insurance into the Lebanese market is inevitable, according to Roger Zaccar, director of Commercial Insurance, who told Executive, “People are going to come to realize how important Internet security is, and how to buy insurance.”
But Zaccar sees a misconception among customers that insurance takes the place of cyber security. “No one can insure them if we don’t have a certificate from a company that says [their security systems] are up-to-date.”
According to computer security software corporation Symantec, global cyber attacks surged 42 percent in 2012 from 2011, and of those targeted, 31 percent were small businesses. Without risk management or an IT department, Zaccar explains, small firms try to take security measures into their own hands.
Given that 90 percent of Lebanon’s firms are small and medium-sized enterprises that likely don’t have the means to understand and mitigate risk, many Lebanese businessmen could be vulnerable.
Even so, Zaccar believes the Lebanese market is not quite ready yet. “We are starting to have small stories [of cyber attacks] here and there, but I think in a year and a half, we are going to see a bigger movement [towards cyber-insurance policies],” he says.
A nascent niche
There are also fundamental challenges that limit the growth of this new line of products and these apply to Lebanon as to every other market. Even conceptually, while some risks are easier to define and therefore easier to insure, such as loss of finance, income and information, there are others, such as reputational damage, that are more difficult to define.
Compounding this wide range of vulnerabilities is the lack of actuarial data to assess security products, leading to insurance policies that are often more generally inclusive, meaning higher premiums for businesses, which might prefer to bear the risk instead.
More specific to Lebanon is the lack of national awareness of the importance of cyber security. Zaccar says, “There is no cyber-insurance culture… because there is no cyber-security culture.”
So far banks, for example, have experienced petty fraud — think stolen credit cards. These losses amount to little and can be covered by the banks themselves. Unless a business or bank has been hit hard by cyber crime, similar to the case of Estonia, industry experts agree that most firms will overlook the need for proper cyber security.
As Lebanon’s market for cyber insurance and cyber security unfolds, these factors will need to be addressed and, as Zaccar puts it, “tailored” to the country’s needs.
While cyber-security firms continue to find solutions to battle cyber crime, insurers must prepare their underwriting capacities in anticipation of the certain growth of demand for this new business specialty. This could include operations such as designing transparent policies and determining which security products Lebanese companies need in order to be granted coverage for eventualities ranging from downtime caused by data theft, to liability cases from people whose privileged information has been stolen from a cyber-insured corporation.