Back-up plan

    Cyber insurance should play a crucial role in any risk-management strategy

    Cybercrime falls into the same category as global warming and smoking-related health risks: threats that have reached saturation levels in the psyche of the general population. As is the nature of these things, the less we pay attention, the worse it gets. Reports of high-profile data breaches in African nations seem to be on the rise, and this is backed up by hard data showing that cybercrime has skyrocketed in the last few years and especially during COVID.

    Insurers and brokers have long been preaching the crucial role of cyber insurance as part of a cyber-risk strategy, but for firms it’s more complex than simply calling up a broker and purchasing a cyber product. Attacks on critical infrastructure are becoming more frequent in Africa, as evidenced by those on African Bank and the Johannesburg municipal systems in South Africa that shut down services and led to data breaches. Cyberattacks against maritime infrastructure are also posing a threat to African nations, considering that 90% of the continent’s trade is seaborne, according to the Maritime cybersecurity report by the Institute for Security Studies.

    ‘Information technology is increasingly becoming part of the maritime space, and the ports and shipping sectors are set to become completely dependent on it in the future,’ the report notes. ‘Most African trade is seaborne, and due to the highly interconnected and networked nature of African and international economies and transport systems, the impact of maritime cybersecurity threats may have a devastating effect on the stability and well-being of African states.’

    Increasingly prevalent, cyberattacks can have many ramifications for a business, including financial loss and reputational harm

    In 2021 Liquid Cybersecurity surveyed 141 business decision-makers from Kenya, Zimbabwe and South Africa, and reported its findings in its Evolving Cybersecurity Threat in Africa report. Those surveyed said that the most pressing cyberthreats were email attacks, among them spam, phishing and social engineering attacks (67%); followed by data breaches, such as data leakage, data disclosure and data extortion (59%); and malware attacks, including ransomware attacks (50%).

    In 2019, there were 310 reported cyberattacks on ships and ports in Africa, up from 120 in 2018, and 50 in 2017. That said, ‘it is probable that the number of cyber incidents is drastically under-reported due to potential reputational risks or insurance problems, which further underscores the significance of cybersecurity in the maritime space’, the report notes.

    These types of cyberattacks can have devastating effects on not only the company but also the whole supply chain. Remember the 2017 attack that corrupted the entire computer network of Maersk, the world’s largest shipping line? It shut down operations for two weeks and cost the company damages exceeding US$300 million.

    Cyber-risk insurance is in a relatively early stage of the product life cycle compared to other lines of insurance, explains Spiros Fatouros, CEO at Marsh. ‘Cyber-risk insurance is a dynamic, complex class and market segment,’ he says. Companies seeking to buy insurance should consult intermediaries that are equipped with the knowledge and experience to advise businesses on appropriate risk management and transfer mechanisms available. ‘Organisations would need to quantify their cyber-risk value of exposure in order to determine how much insurance is sufficient and understand the impact to their business,’ he says.

    South Africa is not immune to significant and sophisticated cyberattacks that result in cyber-insurance claims. Multiple businesses have suffered financial losses exceeding ZAR50 million, notes Fatouros. Ransomware, systemic risk exposures, outsourcing, remote workforces, and outdated and unsupported systems are all risk exposures that businesses must manage. ‘The financial impact of incident response, business-interruption loss, extortion and legal liability incurred to a business resulting from a cyberattack is significant, and can have an adverse effect on the solvency and balance sheet of an organisation and, in some instances, threaten the position of the business to continue as a going concern,’ he says.

    The SHA Annual Specialist Risk Review revealed that 50% of SMEs surveyed in South Africa did not have cyber insurance in place; 23% of companies said they didn’t need the cover. ‘This speaks volumes about cyber-risk awareness,’ says Sizwe Cakwebe, manager of cyber risk and financial lines at SHA. ‘There is no doubt that cyber risk will continue to increase as a threat across all industries. The onus is on the insurance industry to drive proper messaging around cyber awareness and the prevalent risks impacting all businesses.’

    There are certain requirements that companies must meet before insurers are willing to take on the risk, warns Fatouros. ‘Businesses must meet certain IT-security requirements by having the control frameworks in place,’ he says. ‘Businesses that don’t comply with these basic requirements by risk carriers tend to impede their ability to purchase insurance and, if they are able to, the terms are often punitive.’

    Fatouros adds that even if the demand for cyber cover increased, it’s currently a tough time for insurance, as supply of cyber insurance in the open and reinsurance markets is limited. ‘It’s a very challenging market,’ he says. ‘The pricing and self-retentions are on the increase, appetite and scope by the risk carriers are restricting, and exclusionary language pertaining to coverage is commonplace.’

    South Africa’s Protection of Personal Information Act (POPIA) came into effect in July 2021 and calls on organisations to report breaches and adhere to various compliance requirements, failing which a fine of up to ZAR10 million may be instituted by the regulator. Condition 7 of POPIA speaks to safeguarding information and hence forces organisations to look at their data-security controls. POPIA has caused a spike in cyber-insurance requests in South Africa, says Cakwebe, as clients need to be more vigilant about how they handle personal data, and with whom they share that data.

    So, where does a company begin in putting in place a cyber-risk management plan? Understand and quantify the specific business's cyber-risk exposure, says Fatouros. Many businesses don’t understand the extent of the risk, how much cover to buy, and which products suit their requirements. Once this has been sorted, companies can explore the various risk-management and transfer options available in the market, whether they rest in South Africa or in international markets. Insurers such as SHA offer SME cyber insurance that serves as a risk-management offering that includes cyber cover. This type of insurance provides first- and third-party cover, along with antivirus protection and cyber-monitoring tools. ‘This drives proper risk awareness and serves as a form of measurement for the SME of their cyber-security posture,’ says Cakwebe.

    The insurance policy may respond to first-party losses, such as incident response in the form of IT forensics, legal and PR services to mitigate the impact of the cyber event, and may also assist the business in restoring systems and information integrity and in continuing to trade.

    A policy can also respond to legal liability in the form of damages and defence costs, notification and credit monitoring requirements, and regulatory actions. In certain cases, coverage may extend to responding to a monetary demand made on a business, should it not be possible or feasible for the business to effectively recover from the event in question.

    Cyber insurance is generally the last line of defence, notes Cakwebe, and it remains the responsibility of the insured to have all the necessary control measures in place. These measures go a long way in deterring hackers and providing an extra layer of protection from any attempted cyber breaches. ‘If all else fails and the attacker is successful in their attempt to hack into the system, the cyber-insurance policy will be triggered, and the insurer will try to stop the bleeding and compensate the insured for any losses incurred as a result of the breach,’ he says. Companies should start by outlining their exposures regarding their information assets to obtain an understanding of the potential impact a cybersecurity event may have on their company, explains Cakwebe.

    Fatouros adds that the majority of insurance products provide cover for first-party and legal liability as a base, and there are various extensions and enhancements specific to a business or industry. ‘It is important to understand the macro cyber-insurance landscape and be in a position to develop solutions that meet specific requirements,’ he says. ‘It is certainly not a “one-size-fits-all” approach.’

    By Sven Hugo
    Images: Gallo/Getty Images