"Attackers are always looking for new tricks"
Cyber security is becoming increasingly important for companies - but only a few Swiss companies are insured against cyber attacks. Gabor Jaimes from the Swiss Insurance Association explains the challenges that companies and insurers have to overcome.
Only seven percent of Swiss companies are insured against cyber risks. Why is that?
Gabor Jaimes: Cyber risks are among the top risks that can cause immense damage to the economy and society. Similar to the pandemic, cyber attacks can have not only local but also supra-regional and global effects. While the insurability of cyber risks in the Swiss market is generally given within certain limits, certain scenarios - particularly those of a systemic nature - exceed the capacity of insurers. They play a central role in the prevention and risk mitigation of cyber damage, but also as knowledge brokers between the private sector, authorities and customers in order to strengthen cyber resilience.
The current rate of seven percent is merely a snapshot, as the cyber insurance sector is growing. But of course it always takes a while for new products to penetrate the market. Often, not all companies are aware of the risks. Smaller companies in particular may not know what solutions are available or may think to themselves: "I'm a small bakery, why should I be attacked?"
During my research, I came across the information that the demand for cyber insurance is significantly higher than the number of policies taken out. Can you confirm this? What are the reasons for this?
Despite high demand, our members report that only a small number of inquiries lead to contracts. This could be due to customers contacting various providers and then only deciding on one contract. Another reason could be that some customers either do not understand the issue sufficiently or do not currently have the budget for it. However, the figures show that policies and premium volumes have doubled in the last two years.
Do you believe that companies are sufficiently informed about the possibilities and limits of cyber insurance?
The corporate landscape in Switzerland is very heterogeneous. Some companies, especially larger ones that also have their own IT departments, are often well informed and sensitized. Insurers are also trying to reach other customers with information material, but there is certainly a larger group that is not aware of the possibilities. In collaboration with the Federal Office for Cyber Security, we are running an educational campaign to raise awareness in the market.
What risks are we actually talking about when we talk about cyber risks?
The biggest risk is certainly phishing. Fraudsters send text messages or e-mails asking you to make a payment. This happens not only to private individuals, but also to companies. If you open such an e-mail without thinking, viruses can spread in the company network and give hackers access. Incidentally, this can also happen physically, with unauthorized persons gaining access to premises, for example disguised as a cleaning team, and attempting to log into the systems. The fact that postal traffic is constantly decreasing and being replaced by digital communication creates additional areas of attack.
How has the insurability of cyber risks developed in recent years?
The insurability of cyber risks has improved in recent years as insurers and IT security companies have taken proactive measures against these threats. A medium-sized company will certainly be attacked dozens, if not hundreds, of times a day, but with up-to-date security measures such as a firewall and regular updates, up to 99.9 percent of them can be fended off. Nevertheless, attackers are always looking for new tricks. In a way, you could call it a game of cat and mouse. Insurers are naturally cautious. If a company does not take precautions, it is not insurable. Insurers support companies in defining measures, such as data security and employee training.
Which risks are difficult to insure against today? What can companies do here?
Here, too, it depends very much on the type of company. A company that works with highly sensitive data will certainly have different requirements than a hairdressing salon, for example. There are also certification programs such as cyber-safe.ch that can help companies to meet the minimum requirements and make it transparent to insurers that they are adequately protected. Companies that do not take any precautions at all must of course make improvements before they can insure themselves, for example with employee training and technical updates.
Has the perception of digital risks changed in recent years, particularly with regard to their insurability?
Yes, the perception of digital risks has definitely changed in recent years. Companies are increasingly recognizing the importance of cyber security and are aware that cyber insurance is an important part of their risk management. Various major attacks, such as those on the NZZ or Xplain, have not only shown the vulnerability of society, but also the costs involved. The insurance industry is responding to this growing threat by adapting its policies and services accordingly and helping customers to prevent and manage digital risks.
What are the challenges in identifying damage caused by digital risks and how can they be better managed?
Digital damage is not always immediately apparent. It's not like a tree falling on a house as a result of a storm. Digital damage has to be investigated forensically and you have to see if you can find malware. Depending on how sophisticated the attack was, it can be like detective work. A company should therefore react immediately in the event of irregularities, as this is the only way to contain and stop malware before, for example, backups are contaminated or the damage spreads to customers and suppliers.