Risks and Trends for 2020 – Authored by Martin Kreuzer, Risk Manager Cyber Risks, Munich Re
A Legal & Regulatory Perspective from the Middle East – Authored by Simon Isgar, Partner and Head of Insurance/Reinsurance, BSA
As a global insurer and reinsurer of cyber risks, Munich Re closely watches developments in cyberattacks in order to provide suitable insurance solutions and insights that help clients prepare for attacks and prevent them from happening. While both the largest cyber insurance portfolios and most of the devastating and costly attacks on enterprises to date have been in North America, Europe and a few Asian countries, we are observing patterns and trends across countries and continents.
Many of the following global trends have also hit companies and organisations in the GCC region. Known examples are the large data breaches of a ride-sharing provider in the UAE and of a popular communication app in Saudi Arabia in 2018, as well as a large number of unreported cases of cybercrime against financial institutions and banks in the region. We therefore regard the following global trends as very relevant for companies, insurers, policymakers and industry organisations in the GCC region seeking to counter omnipresent cyber threats.
Review of 2019
Despite increased investment in cybersecurity, the risk from attacks has increased significantly in the last year. In the qualitative review, three cybercrime risks top the trend list: data theft, attacks using ransomware Trojans, and fraud with forged business e-mails.
Ransomware Trojans were used in a much more targeted way in 2019 to cause as much damage as possible and extort correspondingly high amounts. In many cases, the attackers already have access to the victim's system and employ malware that encrypts data or computer systems, thereby blocking access to them. In return for decryption, they demand a ransom, usually in the form of cryptocurrency. Besides companies, attacks over the last year have increasingly targeted critical areas of public life, such as public authorities and healthcare providers. Ransom demands ranged from USD 5,000 to USD 5m – often individually adjusted to the victim's financial strength. Two Scandinavian companies suffered the largest known economic losses in 2019. A Norwegian aluminium manufacturer lost approximately USD 70m – primarily from business interruption. Another ransomware attack cost a Danish manufacturer of hearing aids roughly USD 95m. What drove the costs up, apart from the business interruption, was the effort required to restore IT systems.
The number of unidentified data thefts and unauthorised personal access to data in the last twelve months increased by roughly one third. Worldwide, some 8.5bn data sets were affected in 2019. From a global perspective, the average economic loss per data breach was almost USD 4m, which included the cost of notifying the authorities and the affected persons, investigating the incidents, taking measures to contain the damage and recover the data, as well as fines and court costs. At roughly USD 6.5m, the average costs in the health sector were the highest, as critical data are regularly collected and stored in this field. Data theft is also used for the purpose of blackmail. In the event of non-payment, there is the threat of sensitive corporate or customer data being published. Similar amounts are demanded as with ransomware attacks.
Business email compromise scams
There was a surge over the last year in fraud featuring forged business e-mails, also known as business e-mail compromise (BEC). The attacker procures access to a company e-mail account or creates an e-mail account that looks very similar to a standard company address. They operate with a stolen or forged identity, with the aim of defrauding companies, customers or employees. Between May 2018 and July 2019, the number of incidents discovered worldwide doubled, while the average economic loss was roughly USD 270,000 according to figures published by the FBI. Small and medium-sized enterprises are the particular targets of this type of fraudulent e-mail attack. The biggest individual loss that came to light in 2019 was USD 37m and affected a company in the automotive sector. This trend is also reflected in the statistics for insured cyber losses. BEC scams are already responsible for the biggest losses in individual markets.
Outlook and trends 2020
A connected world and advances in technology, such as the new 5G mobile telecommunication standard or artificial intelligence, present opportunities in every social area. At the same time, however, they increase dependencies and open new attack points for cybercriminals who are operating with an increasing level of professional sophistication.
Technology improves efficiency – including that of cybercrime
Ransomware remains a substantial threat – particularly in view of the potential for business interruption. Losses from BEC fraud and data theft can also be expected to remain at a high level. The cybercriminal world is increasingly operating in a targeted, networked and collaborative way. The latest technologies are being used in every phase of the attacks. Artificial intelligence, for example, is finding increasing application to identify targets, identify and exploit weaknesses, and to cover the criminals' tracks. This allows attackers to increase the level of automation and efficiency, which in turn results in higher losses. Manipulated or forged video or speech recordings, where voices or individuals are mimicked almost to perfection, known as "deepfake", will also be used more and more in future phishing attacks and identity theft, and to blackmail companies and individuals.
Networking increases risks along the entire supply chain
Digital dependencies and the use of a constantly expanding range of new, connected devices and applications are on the rise, and not just in companies. Cloud-based services and the introduction of 5G as the mobile communications standard will drive this trend. These powerful technologies permit more intensive networking and automation of machines and devices in both industry and private households. Unfortunately, these are not always adequately protected. This will lead to an exponential increase in the continuous data stream, but will also expand the opportunities for substantial, automated attacks on infrastructure, devices and data. A modern supply chain with dependencies between many companies will become increasingly complex as a result. This will also substantially increase the requirements for risk management in light of the expectation of more frequent attacks.
Increased regulation worldwide
Legal data protection requirements are, in part, being tightened worldwide in response to the growing threat from cyber risks. There are now laws protecting consumers against data loss or misuse in more than 100 countries. The introduction of the EU General Data Protection Regulation ("GDPR") in May 2018 has promoted an awareness of data security, both in Europe and beyond. In some cases, it is serving as a blueprint for other countries. As a result of increased regulation, which often contains detailed provisions on notifying attacks and data breaches, the extent and cost of cyberattacks are being made public more often. If a loss occurs, companies must also cope with a potential loss of reputation and fines that are sometimes in the hundreds of millions of dollars. The largest fine in 2019, of around USD 234m, was imposed on an airline in the United Kingdom. As of January 2020, it is not yet finally settled. Governance requirements in the area of data security are complex and binding. They are leading to a process of sensitisation within companies and to a growing demand for loss prevention measures and insurance protection.
Growth in the insurance market for cyber solutions
Overall, we are seeing a significant rise in global IT investment in cybersecurity. Experts estimate the figure will be approximately USD 400bn in 2025, which corresponds to a fourfold increase within a decade. A portion of this will manifest itself as a demand for insurance solutions and services. Munich Re expects the global cyber insurance market to reach a value of more than USD 20bn by the year 2025, which will represent a fourfold increase on the figure in 2018. For 2020, Munich Re estimates that the global cyber insurance market is worth over USD 7bn. North America remains the largest market with a value of USD 5.3bn. Munich Re anticipates strong growth in Asia and Europe, but also the Middle East. The value of the Middle East cyber insurance market in 2020 is estimated at more than USD 400m, with an average annual growth of 30%.
The biggest demand for cyber insurance comes from the industries most affected by attacks: the health sector, manufacturing industries, and IT, finance and service companies. Risk awareness of cyber losses is increasing for reasons other than media reports. Stricter requirements under tighter regulation, and undertakings required by business partners, are assisting a steady increase in demand for risk covers and corresponding prevention measures. The range of quality solutions has also improved in recent years along with the continuous growth of the cyber insurance market. Covers in the commercial sector are becoming increasingly standardised, with individual solutions for large industrial enterprises predominating. Protection against business interruption and data theft remain key coverage elements. Awareness of their own exposure, which is often substantial, is also increasing at small and medium-sized enterprises. These companies are increasingly purchasing insurance cover. Private demand for cyber products is also developing more strongly.
Expanding portfolio with cyber solutions at Munich Re
Cyber is a strategic growth field at Munich Re. In line with expectations, the cyber portfolio continued its profitable growth over the last year. Munich Re has the strategic ambition to maintain its market share of approximately 10% of the rapidly growing cyber market.
Munich Re supports its clients with a comprehensive approach to cyber risk management. This is based on understanding the risks, making transparent hidden cyber risks in existing policies (silent cyber), and on adequately assessing the risks, not just individually, but also in terms of their combined effect on the entire portfolio, thereby making them insurable. The accumulation models being used by insurers are rapidly improving. The complexity of the risks and the need for risk-adequate pricing also require top-class cyber teams cooperating across industries and markets. Munich Re continually invests in cyber expertise, and develops new solutions in close collaboration with insurance industry experts and technology partners. Along with risk transfer by way of insurance, its range of offerings is rounded off with risk management services and security measures.
Munich Re Cyber Security Threat Radar
Cyber experts from all of the relevant divisions at Munich Re consolidate their assessment of developments in the Cyber Security Threat Radar, which summarises the trends in terms of their loss potential for the insurance industry.
The Importance and the need for Cyber Insurance Coverage – A Legal & Regulatory Perspective from the Middle East
The 2018 fines imposed by the United Kingdom's Information Commissioner's Office (ICO) on British Airways and the Marriott hotels group, £183 million and nearly £100 million respectively, reinforce the importance of mitigating these risks, both in terms of having proper systems and controls in place and in terms of having the right insurance coverage. The European Union General Data Protection Regulation (GDPR)[1] advocates, inter alia, the importance of mitigating cyber and data privacy breaches. Regarding the aforementioned breaches, the ICO said that the data breach, which began in June 2018, occurred because British Airways had "poor security arrangements" in place to protect customer information from being accessed. "People's personal data is just that – personal," said the Information Commissioner, Elizabeth Denham. "When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."[2] In addition, a fine of £175,000 was imposed on Bupa Insurance Services Limited in 2018 for failing to have effective security measures in place to protect customers' healthcare and other personal information.[3]
The advancement of technological platforms and the wide application of data exchange and sharing call for consideration of risk mitigation strategies at the highest levels, including insurance coverage. Yet, in the Middle East there is a lack of awareness and knowledge about the insurance coverage types that address Cyber risk. One question that arises is whether, and to what extent, criminal or quasi-criminal conduct is uninsurable under Middle East legal frameworks. Under English common law, it is generally accepted that this conduct is uninsurable based on the doctrine of "ex turpi causa", save in respect of strict liability offences.[4] However, this is very much an academic argument under English law, and insurance is often procured and underwritten for various criminal liabilities.[5]
As one will note, Cyber law and any breach of prescribed legal/statutory requirements incur both criminal and civil liability. Several Middle East jurisdictions provide a legal framework for cyber and data information protection. For example, cyber-crime is covered in the United Arab Emirates, inter alia, within the legal framework of Federal Decree Law No. 5 of 2012 on Combating Cybercrimes (Cybercrime Law), in the Kingdom of Saudi Arabia by the Anti-Cyber Crime Law (Saudi Arabian Anti-Cyber Crime Law), and in Oman under the Law for Combating Cybercrime (the Law) issued by Sultani Decree 12/2011.[6] Yet, on close analysis of the various legal frameworks, it would appear that cyber insurance coverage would not be prohibited from covering criminal or quasi-criminal conduct for the prescribed fines, depending on the degree of culpability. Of course, those criminal acts that constitute immoral and illegal conduct would not be insurable under public interest requirements and Shari'ah law; insurance coverage for these actions would not be in the public interest. In addition, insurers can refuse to pay out on an indemnity basis, raising as a defence that the claim constitutes criminal liability with intent.
Looking at several Middle East legal frameworks, risks related to criminal or quasi-criminal conduct can be insured, whether under a tailored Cyber insurance policy or another insurance coverage. By way of illustration, the Saudi Arabian Anti-Cyber Crime Law is constructed such that it deals with serious criminal acts with intent to cause harm. The Saudi Arabian Anti-Cyber Crime Law contains sixteen (16) Articles of various criminal offences related to the misuse of data/IT information systems through a computer or portable device with intent to cause harm. Article 2(3) states: "This Law aims at combating Cybercrimes by identifying such crimes and determining their punishments to ensure the following: protection of public interest, morals, and common values...". Therefore, those offences without the intent to commit criminal acts, i.e. offences where intent is not necessarily required, such as strict liability offences, should for all intents and purposes be insurable under a Cyber insurance coverage. Under the UAE Civil Code,[7] Articles 1027 and 1028 both provide a degree of clarity confirming that it is possible to insure quasi-criminal conduct. Article 1027 provides that: "Without Prejudice to the operations of the foregoing Article, it shall be permissible to effect insurance against risks arising out of personal accidents, accidents at work, theft, breach of trust, insurance for vehicles, civil liability, and all events which by custom and the special laws may be insured against". Article 1028 goes on to state – "Any of the following provisions appearing in a policy of insurance shall be void: (a) Any provision which provides that the right to insurance shall lapse by reason of a breach of the law unless the breach involves a felony or a deliberate misdemeanour." [emphasis added]
Clearly the words "felony" and "deliberate misdemeanour" imply intent and not necessarily quasi-criminal conduct or offences equivalent to strict liability. To that end, unintentional breaches in which a corporate entity's data is compromised by a network attack (ransomware) would be insurable, in contrast to a deliberate infiltration of an IT network with intent to gain, for example, a financial benefit, such as stealing the identity of a genuine supplier to receive a payment from a third party.
It is therefore important to be aware of, and give consideration to, Cyber risks. The term "Cyber" has no legal definition (although the Convention on Cybercrime, ETS No.185, Budapest, 23/11/2001 refers to a definition of sorts[8]) and is a broad concept covering malicious and non-malicious cyber-attacks, such as malicious code on IT systems and loss of data, involving both tangible and intangible assets. While there is a general awareness of Cyber-attacks, what is less understood is the liability risk to shareholders, officers and managers of the company in relation to cyber risk. Under the legal framework of several Middle East jurisdictions, executives and managers of companies can face personal liability for cyber risks in terms of both criminal and civil liability. By way of illustration, in the United Arab Emirates (UAE), Article 162 of Federal Law No 2 of 2015 on Commercial Companies provides a general obligation for the board of a public joint stock company to be liable to the company (and shareholders) for any acts of fraud, misuse of power and other breaches of law. This would include Cyber liability.
It is therefore important to consider Cyber insurance coverage to mitigate actual and indeed potential Cyber risks, both civil and criminal.
What then does Cyber insurance coverage include? Generally, Cyber insurance coverage covers liability for both first-party and third-party losses. First-party losses would typically include the costs of forensic services, legal/regulatory support and crisis management as a first line of support. They would also include costs related to restoration of digital or network assets, trade secrets and intellectual property, business interruption expenses and Cyber extortion (costs to terminate incidents in which criminals hold, or threaten to hold, a company's network hostage in exchange for a ransom).
Cyber policies also cover, as third-party losses, the costs of regulatory reporting and the defence/settlement of any litigation in respect of breaches. This coverage is important in respect of Middle East legal frameworks, where legal expertise will be needed in civil law jurisdictions that lack the legal concepts of "privileged" communications and "without prejudice". Cyber policies are still very much developing as a new specialist line of insurance in many markets and are still evolving to keep pace with new and more sophisticated Cyber offences. By way of illustration, Cyber insurance coverage has been classed by the United Kingdom's Prudential Regulation Authority (PRA) as "affirmative cyber risk", i.e. insurance policies that explicitly include coverage for cyber risk, and "non-affirmative cyber risk", i.e. insurance policies that do not explicitly include or exclude coverage for cyber risk. This latter type of cyber risk is sometimes referred to as 'silent' cyber risk by insurance professionals.[9]
Cyber insurance coverage and the policy terms can be very complex to an untrained eye. It is important to understand the scope of Cyber liability policies and how the coverage will respond to claims. Common provisions in Cyber insurance policies include the following:
Timely notice. This is complex as it involves both discovery-triggered and claims-made coverage, because of the first-party and third-party cover.
Consents related to retention of legal counsel, forensic support and crisis management. The insured will need to make sure that it has sought agreement with the insurer.
Privilege and confidentiality issues. These relate to situations where communications cannot be kept privileged or confidential between lawyer and insured, with possible incrimination. In many of the Middle East frameworks, the legal concept of privilege does not exist, and local counsel will often rely on their professional codes of conduct to retain confidentiality between lawyer and client (insured).
Excess layers of coverage. In large Cyber claims, first-party losses may exceed the primary cover levels, and consideration is needed for any excess coverage.
Retroactive dates. Cover normally incepts from the date the policy is put into place, and therefore any incident that occurred before inception and was picked up during the policy term would not be covered. It is therefore important to request a retroactive date under the policy to cover this risk; normal market practice is to give 12 months based on underwriting the added risks.
Other insurance coverage. It is important to consider other insurance coverage, such as Directors & Officers, Properties All Risk and General Liabilities Insurance, which may have elements of coverage for losses related to Cyber issues such as business interruption.
In summary, it is possible to insure against Cyber risks in the Middle East that have some penal/criminal element. However, on a technical basis, each breach or offence would need close analysis set against the backdrop of the respective Middle East jurisdiction and its laws. Organisations should not only be thinking of Cyber risk but should be exploring tailored Cyber insurance coverage for these events to mitigate their criminal and civil exposure.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[4] Ex turpi causa non oritur actio – a legal doctrine which states that a plaintiff will be unable to pursue a legal remedy if it arises in connection with his own illegal act. www.legal-glossary.org/2013/01/19/ex-turpi-causa-non-oritur-actio/
[5] The Organisation for Economic Cooperation and Development's (OECD) insurance and private pensions committee is considering the issue of whether and to what extent the insurability of fines and penalties for criminal liability should be legislated for.
[6] Council of Ministers Decision No.79, dated 7/3/1428 H, approved by Royal Decree No. M/17 8/3/1428H.
[7] Federal Law No. (5) of 1985 On the Civil Transactions Law of the United Arab Emirates – https://lexemiratidotnet.files.wordpress.com/2011/07/uae-civil-code-_english-translation_.pdf
[8] The Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception. Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation. Details of Treaty No.185 Convention on Cybercrime – https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185
[9] Supervisory Statement SS4/17, Cyber insurance underwriting risk, July 2017 – https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2017/ss417.pdf?la=en&hash=6F09201D54FFE5D90F3F68C0BF19C368E251AD93