The Growth of Cyber Risk Insurance
Few industries show as much promise for growth as the tech sector, with individuals and organisations coming to rely on digital assets more heavily by the day. In response to this continued growth, cyber risk insurance has emerged to help the insured protect against specifically digital threats.
Dennys Zimmerman, managing partner at RPZ Advogados and a cyber insurance specialist, explores this fascinating new side to insurance in this feature.
In brief, what is meant by cyber liability or cyber risk insurance?
Cyber insurance is still relatively nascent in Brazil. I remember working in an English law firm for ten years when I first interacted with the segment. Of the first ten policies of this branch registered in Brazil, we participated in the creation of more than half.
When talking about cyber risk insurance, the natural dichotomy between first-party and third-party insurance is overcome; here, it is a whole category of risks encompassed by the protection granted by the insurance. It is strictly protection against the generality of the damage that can result due to the exposure of the Insured in “cyberspace.” And, given the increasing level of dependence that individuals and legal entities and their executives and employees experience, it is natural that the list of protected risks continues to grow. The constant evolution that we experience with our “computer dependence” is extended to cyber risk insurance, and I do not doubt that this is currently the most promising branch.
What significant regulations govern this variety of insurance in your jurisdiction?
From the point of view of regulatory matters, recent changes in our regulatory body, the Superintendence of Private Insurance, have been highly positive. They have given greater freedom to agents and market operators to create and develop new products. Today, it is possible to design new products and adjust them to the reality of individuals and companies with an ease that was unthinkable only a decade ago, when Brazil was regarded as a non-business-friendly jurisdiction.
From a cyber point of view, we have data protection laws inspired by the European model that put us at the forefront and place greater emphasis on the need to hire this type of Insurance.
Under what circumstances might an SME stand to benefit from cyber insurance?
I believe that any company, even small and medium-sized, that develops its business in cyber environments should consider hiring this type of Insurance. The protection of network or virtual security is much more important than that of physical installations – evidenced, in many cases, by the temporary abandonment of physical spaces during the pandemic. For example, our law firm could undoubtedly carry out our activities with the same quality if we did not possess physical locations.
The constant evolution that we experience with our “computer dependence” is extended to cyber risk insurance, and I do not doubt that this is currently the most promising branch.
With this, I do not want to belittle the importance of community experience at work. However, the fact is that we would hardly be able to provide any services if a denial-of-service attack, for example, made access to our network impossible. And the best thing is that the insurance industry has considered this and there are already products with compatible prices for these smaller segments of the economy.
Are there particular digital threats or circumstances that cyber insurance by itself is not sufficient to cope with?
Cloud storage is a challenge that is beginning to be overcome. There are situations that only recently the industry has noted, such as material damage from cyberattacks. Still, when I collaborated in developing cyber products, I remember that the mindset was to provide the best protection for insureds.
What pitfalls should a company be mindful of when acquiring cyber insurance?
Insureds should keep in mind that an adequate underwriting of the risk is very relevant for the contracting of this product, thus, any warranties stipulated at this stage are essential for maintaining the coverage throughout the policy term. At this stage, the Insurer will point out failures in the insured’s production process that will need to be remedied for the contracting of the insurance. It is crucial to consider what the Insurer notes because when a cyber event occurs, these notes will be the first ones examined in the loss adjustment procedure.
The cyber insurance sector is projected to quadruple by 2028. What factors are driving this explosive growth?
The digitisation of the economy, undoubtedly – and with it, the entry into force of data protection and processing laws and regulations that increase the level of exposure of companies and increase the possibility of their civil and administrative accountability for the damage that cyber events may entail. The contracting of Insurance is relevant even for the company to demonstrate its good faith and thus mitigate the extent of future indemnities and penalties.
Though cyber insurance is a growing field, there are few Brazilian specialists in this area. Do you expect to see this change in the near future?
I think so, yes. In the first product I helped develop, which occurred in 2016, I remember the difficulty of setting up a panel of forensic experts. In some situations, it was even embarrassing to show our lack of resourcefulness on the topic to foreign clients. Today, the reality is different, and we have many qualified professionals in the country.
Do you foresee other legislative or cultural changes in the cyber insurance space to emerge in 2022 and beyond?
Cyber risk insurance will be a reality for everyone at the corporate and individual levels. Virtual reality permeates our educational and cultural lives – as an example, when meeting with clients, I practically do not bring physical documents with me. I do not doubt that we will soon purchase cyber insurance just as we purchase life or health insurance. It has never been more true that the world fits into a computer screen as it is today, so it is fair to say that this virtual environment can now reap the benefits that the insurance industry can provide.
Dennys Zimmerman, Managing Partner
Av. Rio Branco, 12 – 9th floor – Centro, Rio de Janeiro – RJ, 20090-000
Tel: +55 21 3900-7588 | +55 11 3199-5380
Dennys Zimmermann is the managing and technical partner of RPZ Advogados, as well as a professor of civil law who focuses on insurance and reinsurance contracts and is a regular speaker at conferences. Throughout his career, Dennys has specialised in the insurance and reinsurance sector with a particular focus on large losses, and is one of the few lawyers in Brazil with practical knowledge of cyber and M&A Insurance.
RPZ Advogados is a law firm based in São Paulo and Rio de Janeiro, with roots in one of the largest insurance firms in London. After separating from this firm in 2020, RPZ Advogados retained all but one of their lawyers and almost all of their clients, building on the global advocacy network that it had previously enjoyed. The firm has also created Insulaw, a worldwide network of highly specialised insurance and reinsurance law firms with offices throughout Latin America, Spain, Portugal, France, Germany and others.