Maxim Builov on cyber risk insurance

At the conference “Cyber ​​Risk Insurance: Legislative Aspects” held on Wednesday, the President of the All-Russian Union of Insurers (VSU) Evgeny Ufimtsev estimated the capacity of the cyber insurance market at a modest 10 billion rubles, although, according to expert estimates, the need for such protection reaches 40 billion rubles. Moreover, real fees are even lower – 1.3 billion rubles. for 2023 (see “Kommersant” dated January 29).

The prospects for changing the situation are vague, since the new law on cyber risk insurance (see Kommersant on February 12) does not imply the introduction of mandatory policies even for companies processing personal data. In addition to insurance, explained the author of the bill, member of the Federation Council Committee on Constitutional Legislation Artem Sheikin, the data operator can choose to form a “reserve fund or use bank guarantees.”

VSS believes that an insurance policy is the most profitable and convenient tool for clients. And so that potential insured people would also think the same, Mr. Ufimtsev suggested that the costs of cyber risk insurance be included in the cost price.

But some points will need clarification. For example, the law talks about compensation for moral and property damage in full, but the insured amount must be determined at the conclusion of the contract, and this wording does not allow this. The President of the VSS promised that the tariff “will not be draconian.”

Meanwhile, it has not yet been determined which categories of companies will be subject to the requirements of the law and what is considered an insured event. According to Artem Sheikin, it is necessary to classify an organization according to the sensitivity of leaks, as well as to identify categories of personal data itself, because “not all leaks cause damage.”

In other words, everything will be decided by law enforcement practice. If a law on turnover fines for leaks is adopted and the state actively uses such punishment, the demand for specialized insurance may really increase. And if the damage is calculated based on the proven amount of losses from a specific leak, then your own fund to pay such claims will be more preferable, as, perhaps, bank guarantees.

Taking into account the fact that there is a solid lobby against the first option, and many large personal data operators are controlled or close to the state, the second, softer option for calculating damages looks more realistic.

As a result, some companies will be able to earn a little money, some will be able to save a little, citizens will save their nerves, because, most likely, the sensations from Roskomnadzor about the leak from nowhere of hundreds of millions of unknown people’s data at once will decrease. But cyber risk insurance is unlikely to become a serious market segment.