Friday, 18 May 2012
BROKING

Thursday, 2 February 2012

Companies need to step up data security management, urges German broker

By Friederike Krieger, Cologne

Companies should review measures taken against IT risks and there is a pressing need for a change of attitude towards data security, according to Marcel Roeder, expert for IT and cyber risks at broker Aon in Germany.



“New risks emerge more quickly than regulations and IT departments can react,” he told Commercial Risk Europe this week. “The discussions about the smartphones’ data security and the theft of millions of data records at prominent companies like Amazon and Sony have shown that,” added Mr Roeder.

Big companies are increasingly becoming victims of cyber criminals who steal their data, use a company’s server to distribute malware like viruses and trojans or paralyse the company’s server with a denial of service attack.

Financial losses can be huge. Clients may claim compensation, the company’s reputation may be damaged or the company can lose income because of business interruption.

In Germany data privacy law was tightened in 2009.

When a company finds out that data security has been violated, it has to inform not only the supervisory authority but also the clients whose data has been lost. If it does not do that, fines of up to €300,000 can be imposed. “The notification requirement makes it easier for clients to bring claims for damages against the company,” said Mr Roeder. “Not every company is aware of this new situation.”

Companies should first of all get to know their IT risks better, said Mr Roeder. “A company must know where its data is stored, where it is transferred to and how it is accessed,” he said.

Companies should assemble a data security team to evaluate the data. It is not enough to assess the amount and kind of data; the team must also assess how it is collected, stored, used and transferred.

“New developments like cloud computing that increase risks have to be taken into account,” said Mr Roeder.

Furthermore, companies should stay informed about regulatory requirements and industry standards as well as develop their own data security guidelines and procedures, said the broker.

It is also important to control hardware and software because laptops, tablet computers and other mobile devices pose a huge challenge for data security.

Service and maintenance contracts with service providers must be updated to include clauses about data protection, according to experts.

Preventive measures are very important since conventional policies often only cover property or personal losses. But IT risk claims are, in most cases, purely financial claims.

“In liability policies pure financial damages are often excluded,” said Mr Roeder. For this reason Sony did not receive any money from its insurers, two Zurich subsidiaries, when it lost clients’ data to hackers in April 2011 and customers claimed compensation.

There are specialist IT policies on the market which also cover financial damages. However, in most cases they are only available for data service providers and not for other companies.

Recently US insurers started to offer special cyber risk policies in Germany, observed Mr Roeder. “These policies cover one’s own and third party damages and crisis management measures,” he told CRE. “Unlike IT policies, any company which handles personalised data can buy this cover,” added the broker.

But they have to be careful. Companies have to assess whether the policy overlaps with other cover they already have such as policies that deal with criminal actions by their employees. “The companies should avoid having double insurance cover since this also means paying two premiums,” said Mr Roeder.

Furthermore, the different types of cyber risk policies are difficult to compare with one another since the market is just about to evolve and standards have yet to be established. “Companies should obtain advice,” said the broker.
