(by Luca Angelucci, Head of the Aidr Computer Crimes Insurance Observatory)

Insurance policies that cover the direct and indirect damages arising from a breach of the personal data an organization processes represent the real added value of a company organization.

Over the last two years, demand for them from companies has grown, in the face of a greater increase in the number of cyber attacks.

Likewise, on the supply side, insurance companies have built out their range of offerings, with solutions increasingly targeted to specific needs.

Estimates made by US and British companies suggest that a huge market for Cyber-Insurance will emerge in the short term, as these are insurance products designed specifically to protect private and even public companies from the risks associated with the use of the web, and specifically from risks related to IT infrastructures and activities.

The major underwriting problem for insurers lies in the lack of historical data within companies. Such data would give as exact a picture of the risk as possible, backed by correct statistics, and would also be useful for evaluating how this phenomenon may evolve in the future and any technical-implementation dynamics.

The panorama of the new Cyber Security insurance packages highlights various products and viable solutions. It starts from coverage against cyber attacks and hacking attacks (Hacksurance), and extends to coverage against data destruction or loss (Theft / Fraud) and packages covering the legal fees resulting from a data breach (Legal Protection / Forensic Investigation). There is also coverage for failure to restore the activity (Disaster Recovery), and coverage for costs deriving from image damage and from damage to software and/or hardware.

Given the aforementioned framework, should public companies also take out insurance policies for Cyber risk? Here is the opinion of Dr. Alessandro Spinetti (General Manager of the specialized ICU consulting company).

<< None of the coverages on the market is intended to prevent damage from occurring. It is the company security policies that must prevent it; the insurance policies serve to transfer the risk in question from the company / public administration to the insurance company, so that a fraudulent action with subsequent damage and/or claims for damages from damaged third parties does not heavily affect the company's assets. In fact, in some recent cases, the damages suffered as a result of computer attacks with theft of databases, with subsequent very significant direct and indirect damages, have been fatal for the economy of some companies, operating in the IT sector in particular.

In Italy, the data breach notifications received by the competent Authority in the electronic communication services sector have almost doubled. For this reason, I recommend Cyber insurance coverage that is customized as much as possible; in fact, taking out a Cyber insurance package should always be preceded by a very precise assessment within the company, involving everyone from the Risk Manager to the Data Protection Officer, working together with the insurance technical consultant. >>

In conclusion, with the full entry into force of Regulation no. 769/2016 EU (General Data Protection Regulation, GDPR), it is necessary and useful for companies and public bodies that have not yet taken action to intervene promptly on these topics by taking out appropriate insurance packages, aimed at specific needs and prepared in a strictly "tailored" way.

Cyber-Insurance. It's time for public companies