GILC's VIEW: On the local features of global cyber risk

There is a growing familiarity with the trends driving developments in the global cyber insurance market: rapid digitalisation accelerated by the pandemic, the shift to remote work, and cyber attacks that are ever more sophisticated and localised. However, domestic cyber markets are developing differently in response to these risks, in part because of increasingly divergent approaches to issues such as the regulation of data protection and privacy. These national responses to often global attacks make for an asymmetry in the cyber market that insurers need to be alive to.

The implementation of data protection laws is a clear driver for the development of domestic cyber insurance markets. Europe’s GDPR regulations, for example, have led many other governments to consider their own rules in this area. For instance, Brazil’s LGPD regime is similar to, and was informed by, GDPR and has led to an increase in claims resulting from data leaks, making cyber coverage a much more pressing priority for Brazilian businesses.

Regulators clearly expect the number of companies buying cyber insurance to increase, as the central bank and insurance supervisor, SUSEP, has issued new rules on cyber risks, including on outsourcing. Conversely, in India a lack of data protection regulation has added to firms’ reluctance to take out cyber policies, which are often seen as an unnecessary expense. However, a new regime, also expected to be based on GDPR, is anticipated soon and, if implemented, will significantly alter the risk landscape. With the introduction of data laws and stricter penalties for Indian businesses, cyber insurance will likely become an essential business protection policy.

Another point of differentiation between countries is whether or not ransoms can or should be paid to cyber attackers. In Denmark, insurers are known to pay extortion demands as a means of minimising claims costs. In Italy, a law prohibits insurance against extortion only where it concerns physical persons, so, in the absence of any special limitation, cyber extortion might be coverable. However, elsewhere it is possible that governments will look to make such payments illegal. The Australian government, while not condoning extortion payments, has not yet made them illegal. Given the rising number of attacks, it would be unsurprising if it regulated to ban them. In the Netherlands, legislators have also discussed a ban, although there appears to be little consensus on the issue, and a ban becoming law any time soon is unlikely. If governments do ban payments and make claims more expensive, they can expect insurers to increase premiums, reduce coverage, or even retreat from the market.

Insurers’ risk appetite will also vary from market to market, depending on their customers’ understanding of cyber risks and their ability to mitigate them. In Denmark, for instance, the Petya attack on Maersk focused minds and, while companies can still be vulnerable, there has been a concerted effort to improve cyber resilience. Other markets will likely follow this trajectory, especially if the number of attacks keeps rising globally. To access cover, firms are likely going to have to comply with stricter cyber hygiene standards as insurers shift to educating policyholders and facilitating behaviour change.

While rising rates are a global feature of the cyber market, domestic markets are developing in very different ways. In part, this is a reflection of the disparities in the maturity of those markets; relatively immature markets with few providers and poor cyber hygiene will develop differently to those with larger, more established insurers offering cover. However, it is also a reflection of the policy choices of national governments, and how they choose to regulate the digital world will have significant implications for those purchasing cyber policies.
