The growth of cyber risk insurance
Dennys Zimmermann, Managing Partner at RPZ Advogados and specialist in cyber insurance, explores this fascinating new facet of insurance in this article.
In short, what is meant by cyber liability or cyber risk insurance?
Cyber insurance is still relatively nascent in Brazil. I remember working in an English law firm for ten years when I first interacted with the segment. Of the first ten typefaces of this branch registered in Brazil, we participated in the creation of more than half.
When talking about cyber risk insurance, the natural dichotomy between liability insurance and liability insurance is outdated; we are dealing here with a whole category of risks encompassed by the protection afforded by insurance. This is strictly a protection against the generality of damages that may result from the exposure of the Insured to “cyberspace”. And, given the growing dependence of natural and legal persons as well as their managers and employees, it is natural that the list of protected risks continues to grow. The constant evolution that we are experiencing with our “IT dependency” extends to cyber risk insurance, and I have no doubt that this is currently the most promising branch.
What important regulations govern this variety of insurance in your jurisdiction?
From a regulatory perspective, recent changes to our regulator, the Superintendence of Private Insurance, have been very positive. They have given greater freedom to market agents and operators to create and develop new products. Today, it is possible to design new products and adapt them to the reality of individuals and businesses with an ease unthinkable only a decade ago, when Brazil was considered an unbusiness-friendly jurisdiction.
From a cyber perspective, we have data protection laws inspired by the European model that put us at the forefront and put more emphasis on the need to engage this type of insurance.
Under what circumstances can an SME benefit from cyber insurance?
I believe that any company, even small and medium, that develops its activity in cyber environments should consider using this type of insurance. Protecting the network or virtual security is far more important than protecting physical facilities – evidenced, in many cases, by the temporary abandonment of physical spaces during the pandemic. For example, our law firm could probably carry out our activities with the same quality if we did not have physical premises.
With that, I don’t mean to downplay the importance of community experience at work. However, the fact is that we would hardly be able to provide services if a denial of service attack, for example, made access to our network impossible. And the best thing is that the insurance industry has taken this into consideration and there are already products with compatible prices for these small segments of the economy.
Are there particular digital threats or circumstances that cyber insurance alone is not enough to address?
Cloud storage is a challenge that is beginning to be overcome. There are situations that the industry has only recently noticed, such as property damage caused by cyberattacks. However, when I collaborated in the development of cyber products, I remember that the mindset was to offer the best protection to policyholders.
What pitfalls should a company watch out for when taking out cyber insurance?
Policyholders should bear in mind that adequate underwriting of risk is highly relevant to the underwriting of this product, thus any guarantees stipulated at this stage are essential to maintain cover for the duration of the policy. At this stage, the Insurer will report any shortcomings in the insured’s production process that will need to be remedied for the subscription of the insurance. It is crucial to consider what the Insurer notes because when a cyber event occurs, these notes will be the first examined in the claims procedure.
The cyber insurance industry is expected to quadruple by 2028. What are the factors driving this explosive growth?
The digitization of the economy, no doubt – and with it the entry into force of laws and regulations on the protection and processing of data which increase the level of exposure of companies and increase the possibility of their civil and administrative liability for damages that cyber events may cause. The subscription of an Insurance is relevant even so that the company demonstrates its good faith and thus mitigates the extent of future indemnities and penalties.
Although cyber insurance is a growing field, there are few Brazilian specialists in this field. Do you expect to see this change in the near future?
I think so. In the first product I helped develop, which was in 2016, I remember how difficult it was to assemble a panel of forensic experts. In some situations, it was even embarrassing to show our lack of resourcefulness on the subject to foreign clients. Today the reality is different and we have many qualified professionals in the country.
Do you foresee any other legislative or cultural changes in cyber insurance emerging in 2022 and beyond?
Cyber risk insurance will be a reality for everyone, at the level of companies and individuals. Virtual reality permeates our educational and cultural lives – for example, when I meet with clients, I hardly bring any physical documents with me. I have no doubt that we will soon be buying cyber insurance just like we buy life or health insurance. It has never been more true that the world fits into a computer screen than it is today, so it is fair to say that this virtual environment can now reap the benefits that the IT industry insurance can provide.
Dennys Zimmermann, Managing Partner
Av. Rio Branco, 12 – 9th Floor – Centro, Rio de Janeiro – RJ, 20090-000
Tel: +55 21 3900-7588 | +55 11 3199-5380
Dennys Zimmermann is the managing and technical partner of RPZ Advogados, as well as a professor of civil law specializing in insurance and reinsurance contracts and a regular speaker at conferences. Throughout his career, Dennys has specialized in the insurance and reinsurance sector with particular emphasis on large losses, and is one of the few lawyers in Brazil with a working knowledge of cyber and M&A insurance.
RPZ Advogados is a law firm based in São Paulo and Rio de Janeiro, with roots in one of London’s largest insurance companies. After parting ways with that firm in 2020, RPZ Advogados has retained all but one of its attorneys and nearly all of its clients, building on the global advocacy network it previously enjoyed. The firm also created Insulaw, a global network of highly specialized insurance and reinsurance law firms with offices in Latin America, Spain, Portugal, France, Germany and elsewhere.