Cyber ​​insurance case – Newspaper Kommersant No. 205 (7406) dated 11/07/2022

Personal data operators may be required to insure the risks of personal data leaks. The Ministry of Digital Development is considering such a mechanism, including for compensation for damage to affected entities. So far, such services are provided by a narrow circle of organizations, where they expect that by 2027 the market size, which is not too significant now, could reach 10 billion rubles. But experts talk about the complexity of the segment, in which it is often difficult to even define the very concept of “insurable event”, as well as to prove it.

The Ministry of Digital Transformation told Kommersant that they are considering options for a mechanism for compensating for harm to personal data subjects due to leaks, which “includes insurance of data operators against these risks.” We are talking about amendments to the Code of Administrative Offenses proposed by the ministry, according to which a company that has committed an incident can be fined 1% of its annual turnover. The fine will rise to 3% if the company tried to hide the problem (see Kommersant of May 30). Whether insurance of risks of leaks becomes obligatory, in Mintsifra did not specify.

In Russia, “cyber insurance” services, as the companies themselves call them, are provided by AlfaStrakhovanie, Sogaz and SberStrakhovanie. According to Soyuz Insurance, the demand for insurance coverage of cyber risks from Russian companies has grown by more than 20% over the past two years, and over the next three to five years, the segment may grow to 8-10 billion rubles. “According to the boldest forecasts, within five to seven years most large Russian companies will insure cyber risks, this will be the norm for the business turnover of companies,” says Oleg Khanin, CEO of Soyuz Insurance.

Against the backdrop of an increase in the number of cyber attacks in the Russian Federation in 2022, interest in cyber insurance is growing, becoming “more substantive and conscious,” they say in AlfaStrakhovanie, without disclosing indicators. SberStrakhovanie offers insurance for legal entities and individual entrepreneurs, support is provided by Sberbank’s partner BI.Zone. “In 2022, cyber insurance remains a promising area, the market has potential for growth,” according to SberStrakhovanie. The company expects business interest to continue, but does not undertake to predict the market size for 2023. In “Sogaz” “Kommersant” did not answer.

Since the outbreak of hostilities in Ukraine in Russia, the threat of cyberattacks has increased dramatically, from DDoS to viral mailings. Cases of data leaks have also become more frequent: according to InfoWatch, 305 databases “leaked” in the Russian Federation in the first half of 2022, which is 45.9% more than in the same period last year (see “Kommersant” dated August 15). But even before the conflict, analysts predicted the growth of the cyber insurance market worldwide. According to Allied Market Research, by 2022 the global market for such services should have reached $14 billion, and according to Allianz forecast, in 2025 – $20 billion.

However, not all market participants consider cyber insurance a promising business. “The trend is developing abroad, especially in the United States, but so far we are not aware of real cases in Russia,” emphasizes Kommersant’s interlocutor in the IT market. “In practice, such services are still unrealizable due to the unpredictability of threats, including very unstable at the moment.

The legal potential of cyber insurance is also unclear, Oleg Khanin noted. “The law prohibits payments to extortionists, and this is one of the most common methods of cyber fraud at the moment. And now the insurance company cannot cover the incident if the client transferred funds to the hackers,” he said.

The main problem of the service is that it is difficult to define the concept of “insurable event”, since cyber risks are at the junction with other operational risks and were not previously included in the insurance package itself, since it depended on many factors, says Pavel Samiev, general director of the Biznesdrom agency. “Including, for example, the actions of employees who leaked,” he notes. The second significant obstacle to the development of the segment, in his opinion, is that cybercrime is difficult to detect and prove, as well as to confirm the fact of the incident. Because of this, Mr. Samiev believes, disputes may arise between the insurance company and the client.

Tatyana Isakova