Increasing Cyber Attacks, Insurance Against Them Still in Its Infancy

It is no news that the number of hacking attacks is rising globally, and predictions suggest that this trend will continue as technologies become increasingly sophisticated. The damages, which are also on the rise, are not negligible, as data for both the world and Croatia shows, so one of the important future niches for insurance companies could be policies covering damages caused by cyber-attacks. However, it seems that this is still in its infancy in Croatia, although there are interesting solutions.

We requested data from the Croatian Insurance Bureau (HUO) on how many insurance policies against damages from cyber attacks were issued in 2023 and 2024, as well as in the first ten months of this year, and what the value of those policies is. However, although HUO always sends us a response, this time they simply could not because, they say, they do not have such data. This is just confirmation that this form of insurance has not taken off in Croatia and it may take time for it to thrive.

Dramatic Increase in Attacks

One of the reasons there are not many such policies is the insurance companies themselves, as it is not profitable for most of them, at least for now, considering that no system is completely immune to hacking attacks. This is also shown by recently published data from the Security and Intelligence Agency (SOA), which states that the number of hacking attacks on state institutions and numerous companies is increasing. By the end of the year, estimates suggest it could break records. Specifically, in the first nine months of this year, 38 hacking attacks from other countries were recorded, targeting KBC Zagreb, Ina, Zagrebački holding, the Ruđer Bošković Institute…

When it comes to the EU, according to data from 2020 to 2023, cyber-attacks have dramatically increased from 1.2 million to 2.1 million, and damages have risen from 5.5 billion euros to as much as 9.7 billion euros in 2023. The trend of increasing hacking attacks is also evident in Croatia, according to data from the Ministry of the Interior (MUP). Namely, last year, 2167 attacks were recorded, which is an increase of 21.7 percent compared to 2023, when 1781 attacks were recorded. Accordingly, the amount of damages also increased, from 11.1 million euros in 2023 to as much as 17 million euros in 2024, which is an increase of 52.5 percent. Adding to this is the prediction that by 2028, global damages from cybercrime will rise to 13.8 trillion dollars, making it clear that insurance companies could find their interest here.

For Small and Medium Enterprises

In Croatia, there is not a large offering, but the responses we received from Croatia osiguranje (CO) and Generali osiguranje (GO) lead us to conclude that something is indeed starting to move in this regard. CO emphasizes that it is the first insurance company in Croatia to provide financial and operational support to entrepreneurs in dealing with the consequences of cyber attacks. In March of this year, it introduced a new product – Cyber Insurance – primarily aimed at small and medium-sized enterprises. CO explains that this policy can be contracted by accounting services, notary offices, legal and law firms, hospitality establishments, agricultural and related activities. But not only them, as they believe that companies in construction, real estate agencies, retail stores, gyms, vehicle technical inspection stations, IT companies, hotels, private polyclinics, and medical laboratories, among others, can also find interest.

– Before contracting the Cyber Insurance policy, entrepreneurs fill out a questionnaire. In addition to general information about the client, the questionnaire contains questions about income and business operations, management of personal data protection, computer system controls, and previous requests and circumstances related to any past cyber incidents – they state.

What is Covered

At Generali osiguranje, they emphasize that they are aware that digital security is the foundation of business resilience, regardless of the size of the company. They offer solutions for the specific needs of micro-entrepreneurs, small and medium-sized companies, as well as exporters. The policies are modular and flexible, they emphasize, allowing for adaptation to the level of risk and business processes of each client.

– We offer micro-entrepreneurs basic coverage with affordable premiums, and for medium-sized enterprises and exporters, we offer advanced packages that include a broader range of protection, including compliance with international regulatory frameworks. In the event of a cyber incident, the insurance covers the costs of restoring software systems, access to certified IT professionals, as well as measures to preserve reputation and business continuity. Our solutions enable entrepreneurs to focus on growth and innovation, with the assurance that their digital resources are protected – they state at Generali.

At Croatia osiguranje, they claim that their Cyber Insurance allows companies to recover faster after a cyber incident. They support this by making their expert services available to entrepreneurs. Specifically, this involves consulting with lawyers and experts in computer security and forensics, informing and responding to inquiries from individuals whose data may be compromised due to a cyber incident, monitoring personal and financial data, and providing public relations and crisis management services.

Compensation for Losses

CO offers compensation for costs and for financial losses. Losses here means those due to business interruption caused by a security incident, those due to fraudulent actions (false representation aimed at deception and transfer of money), and those due to preventing or responding to extortion threats. Costs refers to data recovery.

And finally, CO also emphasizes compensation to third parties for damages incurred. This refers to the liability of the insured for data and network, i.e., for violation of the right to data protection. It also includes media liability, i.e., violation of the right to privacy of individuals, defamation, insults, infliction of emotional distress, plagiarism, and infringement of copyright in the media.

– There is also compensation for liability on websites and/or social media, obligations and costs related to payment cards – PCI penalties, expenses and costs, legal defense costs, and penalties. Reporting an incident is quick and easy; just one call activates operational-security checks and legal support. Throughout the entire process, clients have access to a top-notch team of experts 24 hours a day: from IT security experts, forensic investigators, and lawyers to experienced professionals responsible for crisis management. Clients can also report if they merely suspect a cyber attack, during which their security system is checked – they say at CO.

Price of the Policy

The price of the Cyber Insurance policy depends on the activity and annual income of the company. For example, the price of a policy for an accounting office with an annual income of up to 500,000 euros starts at 246 euros per year. For an IT company with an annual income of 500,000 euros to 1 million euros, the price of the policy starts at 405 euros per year, and for an engineering office with an annual income exceeding 1 million euros, the policy can be contracted from 591 euros per year.

– We would like to emphasize that Cyber Insurance is not a substitute for investing in security measures, nor can it prevent attacks. However, it can significantly mitigate their consequences and help entrepreneurs recover faster and more effectively in the event of such attacks – they convey from CO.

Generali’s cyber insurance policies cover a wide range of risks, as does CO. Basic coverage includes the costs of notifying about personal data breaches, in accordance with legal obligations, coverage for damages caused by theft or loss of digital assets, expert IT support for incident remediation, and measures to preserve the company’s reputation.

– Additional coverage is available according to the client’s needs and includes compensation for business interruption caused by a cyber attack, coverage for cyber extortion and ransom costs, insurance against losses due to non-fulfillment of contractual obligations, compensation for physical damage to computer equipment, as well as coverage for damages caused by security breaches by external suppliers. Our approach is based on individual risk assessment and client needs, allowing us to create a policy that precisely matches the business model and digital exposure of the company – they enumerate at that insurance company.

How Risk is Assessed

Let us briefly return to the earlier statement that insurance against cyber attacks is not a substitute for investing in security measures. On the other hand, we know that the highest quality security measures also enable a cheaper policy. We were curious whether insurance companies have tools to test how exposed companies are to threats and thus ensure the best support. At Generali osiguranje, they tell us that they use advanced digital tools to assess cyber risk, which allow them to analyze the security profile of the company in detail. Thanks to these tools, they analyze the client’s information systems, identify vulnerabilities, and assess the likelihood of a cyber incident.

– This approach allows for precise determination of the level of risk, which is the basis for creating an optimal policy. Companies that actively manage their risks and implement recommended preventive measures often achieve more favorable insurance conditions. In addition to assessment, our experts provide advisory support in the form of technical and organizational recommendations, making insurance part of a broader information security management strategy. In this way, the client receives not only financial protection but also a lifelong partner in building a resilient digital environment – they state at Generali.

As we mentioned, in the first nine months, 38 hacking attacks from other countries on large systems in Croatia were recorded. However, in reality, there are dozens of such attacks every day involving many domestic hackers. Therefore, we believe that this insurance niche has a future.