Our society is digitising and online business is booming. This digitalisation brings with it new risks that citizens and businesses are not always sufficiently aware of. This is evidenced by a growing number of cyber incidents with a major impact on companies, such as problems with business continuity or reputational damage. The Dutch Association of Insurers aims to increase awareness of the risks and to reduce the risk of damage caused by cyber incidents. How? You can read all about it on this webpage.
Cyber Risks and Crime
Cybercrime is a collective term for, for example, fraud, theft or extortion via the internet. For example, criminals can steal identity data to commit fraud. They also try to disable computers or servers in order to demand a ransom. As a result, entrepreneurs run the risk that business continuity will be jeopardised or customer data will be exposed, resulting in reputational damage and loss of customers. The number of cyber attacks is increasing rapidly, with the aim of taking systems hostage and demanding ransoms. Deloitte estimated the total loss of value due to cyber risks for the largest Dutch companies and government in 2016 at 10 billion euros per year.
In addition to crime and vandalism, other things can also go wrong in the digital world, causing systems to fail, data to be lost and damage to occur. Human actions are often the cause of this, due to the improper execution of protocols, easy-to-retrieve passwords and other inaccuracies. But the system itself can also fail due to a bug or software error.
Cyber insurance market size
Despite the increase in cyber risks, insuring these risks (private and business) is not yet so self-evident in the Netherlands. There are three reasons for this:
- Citizens and businesses are not yet sufficiently aware of the risks.
- Sometimes there is a perception that cyber risks are insured under existing insurance policies such as (business) liability, electronics and fire, also known as silent cyber cover. Unfortunately, in most cases, this is not the case.
- The small range of cyber insurance. The Netherlands Bureau for Economic Policy Analysis (CPB) concludes that a lack of insight into the costs and benefits of cyber security is an obstacle to the development of an insurance market for cyber risks. More than ten insurers now offer cyber coverage, particularly to companies and, to a limited extent, to individuals.
Cyber insurance premium volume
According to the Association's Data Analytics Centre, the gross premium revenue of cyber insurance in the Netherlands is around 101 million euros (2023), a significant increase compared to last year (65 million euros in 2022). Nevertheless, it is still a modest size compared to the more than 2 billion dollars in the United States. Compared to the gross premium size of the total Dutch non-life insurance market in 2023 (16.5 billion euros), the share of cyber insurance is also small.
Business market
Although the premium volume has increased in recent years and the Netherlands is not doing badly compared to other European countries, the absolute numbers remain small, especially given the dense ICT infrastructure in our country. In addition, the vast majority of the range of cyber insurance products applies to the business market. The market for private individuals is much more in its infancy. Some of the cyber risks are covered through more traditional insurance, such as liability and fire.
Total package
Business cyber insurance offers a total package, see the chart. This includes:
- Advice on how to identify cyber risks and take measures.
- Help if things do go wrong in the form of legal, forensic, technical and communicative assistance.
- Repair of damage such as replacement of computers, systems, software and data recovery.
- Compensation for financial loss suffered.
Insurers often work together with partners in the fields of IT, security, laws and regulations, forensics and communication.
Chart: Percentages of coverage on a cyber insurance policy (package)
Initiatives Alliance
Digital Security Risk Classification
With the help of the Digital Security Risk Classification, entrepreneurs and companies gain insight into the cyber risks and information about prevention measures. On the basis of nine questions, an assessment is made of the risk of a cyber attack. This assessment determines which risk class a company falls into and which concrete preventive measures can be taken. The Association has been closely involved in the development of this tool.
SIVI codes for registering the cause of damage
The knowledge and standardisation institute for the financial services sector, SIVI, will soon publish the first codes for causes of damage for the Cyber Insurance sector. These have been developed in consultation with the Cyber platform. The purpose of these codes is to bring clarity to the sector by using specific codes when registering a cause of damage. These codes derive from the subdivisions of main and subcategories. The main categories for causes of damage are divided into: crime, theft and human action. Then come the more specific subcategories that are further subdivided into the specific causes of damage such as: phishing, data breach, ransomware, etc. In the coming period, we will experience how the codes expand in the insurance sector and whether they need further additions.
Market Monitor
What is happening within the sector in the context of cyber insurance? This question is answered once a year with the Association's market monitor. In this way, the trends in the market are tracked.
MKB-Nederland / VNO-NCW
The Dutch Association also participates in the Cyber working group of MKB-Nederland and VNO-NCW. This working group focuses on promoting risk awareness among (SME) entrepreneurs and develops sector-specific instruments under the heading 'Digital Security Together'.
Taking out cyber insurance
The Association of Dutch Insurance Exchanges (VNAB) has drawn up a manual for insurance advisers and companies on how to take out cyber insurance. The purpose of the manual is to provide insight into the meaning of cyber insurance and the way in which it is established, especially in the co-insurance / (large) business market.
This guide also provides useful information for smaller companies about what coverage cyber insurance offers, what conditions are often used and what preventive measures are required as a minimum.
Ransomware and ransom
Incidents at Maastricht University and the municipality of Hof van Twente, among others, have sparked the discussion about (assuring) the payment of ransoms. Politicians, the Minister of Justice and Security and the police call on people never to pay ransoms, but daily practice is unruly. Nynke Brouwer obtained her PhD with a dissertation on cyber insurance. She calls a ban pointless: "It doesn't necessarily lead to fewer payouts." You can read a conversation about her dissertation, the role of insurers and the sense and nonsense of ransom here.
Insurers avoid paying ransom
Insurers do everything they can to prevent a company from having to pay a ransom after a hack. The minister argues for a ban on insuring the reimbursement of ransoms. However, the Association points out that in practice this yields very little and is even counterproductive. Insurers ensure that companies do not respond to ransom demands and first do everything they can to solve the problem in other ways. Insurers incur a lot of extra costs for technical and forensic investigations, among other things. Assistance and reimbursement of costs are already covered. This can help entrepreneurs in a concrete way and can often prevent the payment of ransom or significantly reduce the ransom amount.
During the livestream Security, risk and claims in balance, a start was made with the discussion on this topic, which was then continued during a number of round table discussions.
Want to know more?
- Nomoreransom.org | This initiative provides assistance in decrypting digital files without paying the criminals.
- Taskforce Ransomware | An initiative by the police to combat the lucrative ransomware economy across the board.
- BNR podcast: Never pay in the event of a ransomware hostage situation | In this podcast, Marijn Schuurbiers (Team High Tech Crime of the police) and Jort Kollerie (Orange Cyberdefense) discuss the biggest threats of the moment in the field of cybersecurity.
- Together against cybercrime | A step-by-step plan from the police
Cyber security insurers
Insurance companies' own cyber security is also of great importance. In order to make an operational contribution to the cyber security of the sector itself, services are provided through the Computer Emergency Response Team (i-CERT) for the insurance sector. In addition, there is a special platform (Insurance ISAC) for Chief Information Security Officers (CISOs) of insurers. This stimulates knowledge sharing and thus contributes to digitally secure business operations by insurers.
i-CERT
The i-CERT is supported by the Association's Centre for Combating Insurance Crime (CBV). This central service continuously informs and advises insurers about current cyber threats and coordinates collective actions where necessary.
Interviews on cybersecurity of insurers (2020/2021)
Insurability of cyber risks
The increase in the number of cyber attacks means that insurers are becoming increasingly critical when it comes to insuring cyber risks. The cyber insurance market in the Netherlands is relatively small and in a state of flux. Partly as a result of this, insurers take different positions when it comes to covering these risks.
The elusiveness of cyber risks, due to a lack of data and the risk of accumulation of incidents (and therefore very large damages), can lead to the imposition of (extra) requirements for prevention, the limitation of maximum compensation, adjustments in premiums or even the cessation of insuring these risks. Each insurer makes its own assessment in this regard.
Similar developments are taking place in the US and neighbouring countries, such as Germany, France and the United Kingdom.