While the global WannaCry ransomware attacks left Germany relatively unscathed, the narrow escape was a serious warning for many companies. For the country’s insurance industry, increased awareness of the vulnerability of computer systems may present a golden opportunity. The attacks, estimated to have hit 200,000 computers in 150 countries, have highlighted one of the industry’s largest potential growth markets.
According to a study by McAfee, a major US manufacturer of security software, cyberattacks cause an estimated $445 billion in yearly damages worldwide. In Germany alone, the annual cost is estimated at close to $60 billion. But only a small minority of German companies are insured against the risks.
“We are optimistic that this can be the next blockbuster product for Allianz and the whole insurance sector,” says Hartmut Mai, Chief Underwriting Officer for corporate clients in Allianz’s industrial insurance division. Allianz is currently Europe’s largest insurer. “Cyber insurance is our most important growth market right now,” he added.
According to figures from Allianz, only four to five thousand of Germany’s 3.6 million companies have taken out policies to cover the growing risk. The highly-publicized ransomware attacks could shift cyber insurance into the mainstream. “The recent cyberattacks will certainly contribute to raising awareness of the threat,” said Torsten Jeworrek, who serves on the management board of reinsurer Munich Re.
The industry has received support on the issue from leading politicians. At the most recent G7 summit in Italy, German Finance Minister Wolfgang Schäuble demanded the rapid development of insurance structures to deal with cyberattacks. As a result, the issue was included in the meeting’s final statement: “We recognize that cyber incidents represent a growing threat for our economies and that appropriate policy responses are needed.”
The German government and the central Bundesbank want to help businesses come to grips with the risks. In the future, the Federal Office for Information Security, or BSI, will collect data on all attacks, providing an empirical basis to help insurers assess their products, said Jens Weidmann, president of the Bundesbank.
Mr. Weidmann is keenly aware of the serious nature of the issue. Questions of network security loom large in Germany, especially as industries push hard to digitize their production processes. “Measured by gross domestic product, Germany is the country where this is the biggest issue, so we think there is a huge potential market here,” said Jörg Wälder, a senior executive at consultants KPMG.
It has been suggested that Germany escaped the worst of WannaCry because of its stricter regulatory environment. But even if true, this will not protect against all attacks. KPMG’s own figures suggest 19 percent of German companies have been hit with ransomware attacks in the last two years.
So cyber insurance, currently very much a niche product, seems set to grow rapidly. “It is very possible that the latest attack may prompt some businesspeople to think harder about coverage,” said Jens Lison, Allianz’s head of corporate clients.
According to the German Insurance Association, GDV, only one third of key decision makers in Germany believe their firm is vulnerable to hackers. But according to KPMG, demand for cyber insurance is set to boom.
“According to our model, the volume of cyber insurance premiums in German-speaking countries will increase from €90 million today up to €20 billion in 2036. Less conservative estimates suggest €26.2 billion,” said Mr. Wälder. Major insurance players, including Allianz, Ergo, Munich Re, the British firm Aon, and the Swiss reinsurer Swiss Re already have policies on the market.
Insurance companies are targeting mid-sized companies as well as major corporations. Their data can be just as critical to business operations, but they are often among the least prepared to meet the risks, warns Mr. Lison from Allianz.
“Cyber insurance has the potential to overtake car insurance as the biggest seller in damage and accident insurance,” predicts Mr. Wälder. Between 2015 and 2020, companies worldwide are expected to spend a total of around $650 billion on cybersecurity.
But so far, insurance premiums make up only a tiny part of that spend – $3 billion in the US, $250 million in Europe and around $1 billion in Asia. So it’s no surprise that the German Insurance Association is already calling cyber insurance the “fire insurance of the 21st century.”
High-profile hacker attacks mean cyber risks are increasingly an issue for senior management, said Paul Bantick, UK head of cyber insurance at specialist insurers Beazley. But while the latest attacks may be good publicity, they also underline the complexity of the risks, and how difficult they are for insurers to calculate.
Mr. Schäuble’s intervention should be understood in that light – what the insurance industry needs above all is reliable past data on which to calculate premiums and payouts.
The WannaCry attacks will likely lead to widespread recalculation of insurers’ statistical models. For example, an insurer will provide coverage to 100 buildings, knowing that perhaps one may actually experience a fire. But the same is not true in cyber, where a large number of organizations can be attacked simultaneously. With WannaCry, British hospitals, American courier companies and French car factories were all paralyzed at once.
Mr. Jeworrek, of Munich Re, concedes that calculating these risks is extremely challenging, pointing out that it is hard to estimate the large-scale damage involved when entire production processes are shut down.
One indicator of how seriously insurance companies see the issue is how they have been hiring. Last October, Aon appointed James Trainor, the former head of the FBI’s cyber division, as senior vice president in its Cyber Solutions Group.
Mr. Wälder, of KPMG, warns against complacency. “Even in the future, there will be no absolute protection against cyberattacks,” is his sober assessment. “The attackers are dedicated criminals, often with astonishing skills and IT knowledge.”
Carsten Herz leads Handelsblatt’s asset management and insurance coverage and is based in Frankfurt. Christian Schnell covers the auto industry in Germany.