The growing number of cyber incidents has a major impact on companies, such as problems with business continuity or reputational damage. The Association wants to raise awareness of these risks and reduce the risk of damage.
Cybercrime is a collective term for fraud, theft or extortion via the internet, among other things. For example, criminals steal identity data. Or they render computers or servers unusable and then demand a ransom.
Entrepreneurs run the risk that business continuity will be jeopardised or that customer data will be exposed, resulting in reputational damage and loss of customers. Deloitte estimated the total loss of value due to cyber risks for the largest Dutch companies and government in 2016 at 10 billion euros per year.
In addition to crime and vandalism, systems can simply fail or lose data in the digital world. Human actions are often the cause of this, for example by not properly executing protocols or passwords that are easy to retrieve. But the system itself can also fail due to a bug or software error.
Despite the increase in cyber risks, insuring these risks (private and business) is not yet so self-evident in the Netherlands. There are three reasons for this:
According to the Association's Data Analytics Centre , the gross premium revenue of cyber insurance in the Netherlands is around 101 million euros (2023). This is a significant increase compared to the 65 million euros in 2022. But still a modest size compared to the more than two billion dollars in the United States. Compared to the gross premium size of the total Dutch non-life insurance market in 2023 (16.5 billion euros), the share of cyber insurance is also small.
Although the premium volume has increased in recent years and the Netherlands is not doing badly compared to other European countries, the absolute numbers remain small. Especially in view of the dense ICT infrastructure in our country. In addition, the vast majority of the range of cyber insurance products applies to the business market. The private market is still in its infancy. Some of the cyber risks are covered through more traditional insurance, such as liability and fire.
Insurers often work together with partners in the fields of IT, security, laws and regulations, forensics and communication.
With the help of the Digital Security Risk Classification , entrepreneurs and companies gain insight into the cyber risks and information about prevention measures. On the basis of nine questions, an assessment is made of the risk of a cyber attack. This assessment determines which risk class a company falls into and which concrete preventive measures can be taken. The Association has been closely involved in the development of this tool.
The knowledge and standardisation institute for the financial services sector, SIVI, will soon publish the first codes for causes of damage for the Cyber Insurance sector. These have been developed in consultation with the Cyber platform. The purpose of the codes is to provide clarity when registering a cause of damage.
The codes are divided into main and subcategories. The main categories include crime, theft, and human acts, while the subcategories include causes of damage such as phishing, data breach, ransomware, etc. In the near future, insurers will find out whether the codes need to be supplemented.
What is happening within the sector in the context of cyber insurance? This question is answered once a year with the Association's market monitor. In this way, the trends in the market are tracked.
The Association also participates in the Cyber working group of MKB-Nederland and VNO-NCW. This working group focuses on promoting risk awareness among (SME) entrepreneurs and develops sector-specific instruments under the heading Digital Security Together.
The Association of Dutch Insurance Exchanges (VNAB) has drawn up a manual for insurance advisers and companies on how to take out cyber insurance. The aim is to provide insight into the meaning of cyber insurance and the way in which it is established in the co-insurance/(large) business market.
Nevertheless, the manual also provides useful information for smaller companies about what coverage cyber insurance offers, what conditions are applied and what preventive measures are required as a minimum.
Incidents at Maastricht University and the municipality of Hof van Twente, among others, have sparked the discussion about (assuring) the payment of ransoms. Politicians, the Minister of Justice and Security and the police call on people never to pay ransoms, but daily practice is unruly. Nynke Brouwer obtained her PhD with a dissertation on cyber insurance. She calls a ban pointless: "It doesn't necessarily lead to fewer payouts." You can read a conversation about her dissertation, the role of insurers and the sense and nonsense of ransom here.
Insurers do everything they can to prevent a company from having to pay a ransom after a hack . The minister argues for a ban on insuring the reimbursement of ransoms. The Association points out that in practice this yields very little and is even counterproductive. Insurers can ensure that companies do not respond to ransom demands and first do everything they can to solve the problem in other ways. Insurers incur a lot of extra costs for this, including for technical and forensic investigations. Assistance and reimbursement of costs are already covered. This can help entrepreneurs in a concrete way and can often prevent the payment of ransom or significantly reduce the ransom amount.
During the livestream Security, risk and claims in balance, a start was made with the discussion on this topic, which was then continued during a number of round table discussions.
Insurers' own cyber security is also of great importance. In order to make an operational contribution to the cyber security of the sector itself, services are provided through the Computer Emergency Response Team (i-CERT) for the insurance sector. In addition, there is a special platform (Insurance ISAC) for Chief Information Security Officers (CISOs) of insurers. This stimulates knowledge sharing and thus contributes to digitally secure business operations by insurers.
The (i-CERT) is supported by the Centre for Combating Insurance Crime (CBV) of the Dutch Association. This central service continuously informs and advises insurers about current cyber threats and coordinates collective actions.
The increase in the number of cyber attacks means that insurers are becoming increasingly critical when it comes to insuring cyber risks. The cyber insurance market in the Netherlands is relatively small and in a state of flux. Insurers therefore take different positions when it comes to covering these risks.
The elusiveness of cyber risks, due to a lack of data and the risk of accumulation of incidents (and therefore very large damages), can lead to the imposition of (extra) requirements for prevention, the limitation of maximum compensation, adjustments in premiums or even the cessation of insuring these risks. Each insurer makes its own assessment in this regard.
Similar developments are taking place in the US and neighbouring countries such as Germany, France and the United Kingdom.
