Cyber risk – definition and background to the new restaurant/hotel pool solution

The term "cyber risk" refers to a large number of potential risks associated with the technology or the information of a company. This includes identity theft, the transfer of sensitive information, interruptions to operations, for instance, after a hacker attack, damage to data records by a hacker, theft of valuable data, the introduction of malware and other harmful computer codes or also errors by the company's own employees that result in the transfer of confidential information or damage to the company's reputation.

However, "cyber risk" implies not only risks to the company's own IT infrastructure, it also goes much further and covers sensitive legal topics from the areas of data privacy, personality rights and liability law. One example of this is the European General Data Protection Regulation (EU GDPR) which the Swiss Data Privacy Act (DSG) is aligned to. This regulation states, among other things, that companies that receive personal data from end users are also responsible for these data when they are transferred to third-party providers. For the hotel industry but also increasingly for the restaurant trade, such provisions are highly relevant as numerous bookings, including the required personal data, are handled via online portals.

Classical cyber risks are:

Ransomware: Here, a malware infects the victim's computers and encrypts data there. This results in the IT systems affected being crippled and can, for instance, mean for a hotel that all systems, from the reservation software to the software for managing the room keys, no longer work.

Phishing: Here, a "bait" (e.g. a fake e-mail) is used in order to obtain the password and/or other information belonging to the victim. In most cases, a link is sent to a prepared website that, when it is opened, either loads malware onto the victim's computer directly or requests data such as passwords or account details from the victim.

Credit card abuse: In most cases, this involves the use of stolen credit card numbers or the forging of credit card data. There are diverse types: With a forged e-mail, for instance, data are requested directly or the data are stolen via an unsecure website. This can affect the hotel and also the guests directly if, for instance, the hotel system has been attacked.

Insiders: A frequently underestimated threat are attacks by employees. The elimination of the damage in the area of cyber risk indicates that a high percentage of attacks and data outflows are carried out and/or at least made possible by in-house employees.

CEO fraud: Here, accountants or other employees authorised to make payments are instructed to transfer large sums to the account of a third party. For this, the attackers feign the identity of the CEO and often demand non-disclosure from the employee affected.

Insurability of cyber risks

Cyber risk is still very young among the insurance products. And many cyber risks are not covered in current insurance solutions. For instance, the aforementioned credit card abuse - paying with a stolen credit card - or CEO fraud is typically not covered under a cyber risk insurance (catalogue with the general exclusions of Zurich Insurance > cf. Art. 5 of the General Terms and Conditions of Insurance). A major problem of the insurers is that the claims from cyber risk can barely be reliably calculated as, in addition to directly attributable costs, substantial costs that are not directly measurable, such as reputation risks or blackmail negotiations, have to be taken into account. With increasing claims experience, however, the insurers will continually adapt and improve their products. What is clear here is that with the growing threat of cyber risks the premium tariffs on the insurance market will also be subject to continuous increases.

To read more, please download the PDF