Cyber-attacks are escalating in frequency and intensity, posing a growing threat to businesses and countries’ national security. South African companies in ever-larger numbers are seeking financial protection through insurance, buying coverage for losses from data breaches and business outages.
In the UK, 81% of large businesses and 60% of small companies suffered a cyber-security breach in the last year, according to a report published by HM Government and Marsh, a global leader in insurance broking and risk management. South African companies should be aware that this trend is not far off in our market.
The report, entitled “Cyber Security: The Role of Insurance in Managing and Mitigating the Risk”, has been published by Marsh UK in collaboration with the UK Government. Cyber threats are estimated to cost the UK economy billions of pounds each year, with the cost of cyber-attacks nearly doubling between 2013 and 2014. The report found that, while larger firms have taken some action to make themselves more cyber-secure, they face an escalating threat as they become more reliant on online distribution channels and as attackers grow more sophisticated. It issues a call to arms for insurers and insurance brokers to simplify and raise awareness of their cyber insurance offering and ensure that firms understand the extent of their coverage against cyber-attack.
But insurance is only part of the solution and in order to manage risk effectively, companies should also have their ducks in a row in terms of audits, procedures, policies and compliance. Insurance is not a substitute for good cyber security but is an important addition to a company’s overall risk management. Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats.
The South African insurance market has responded by offering specialty cyber insurance products that are designed to help bridge gaps in traditional lines, such as property and general liability. Cyber policies can provide direct loss and liability protection for risks associated with the use of technology and data. Policies can also be expanded to include business interruption.
At board level, a deeper understanding of cyber risk, its impact and ways to mitigate it has bumped the issue up to a top line item on the agenda, given the fiduciary responsibility incumbent on top management.
In addition, the adoption of POPI is pushing South African companies to ramp up their cyber liability strategies as they try to get a better understanding of the impact that this can have on their business. Global trends have seen the US hit hard, followed by a wave in the UK, and our market is now following the curve, which means businesses need to learn from global incidents and make sure they are properly protected on all fronts.
Some businesses don’t know a breach has happened until six months down the line, and a breach can cost millions. Costs range from investigation, to server downtime, notifying customers affected, credit monitoring and third party losses, not to mention regulatory fines and penalties. “South African companies should not think for a minute that they are not vulnerable, and the prevalence of incidents is growing even though they may not reach the light of day for fear of reputational damage,” says Elsa Jordaan, Partner at law firm Clyde & Co.
The data revolution has brought about new efficiencies, and consequently a new world of risk. Coupled with a growing trend in cybercrime as well as white collar crime, companies need to ensure they are buying the right cover for their business, and ensure that this cover is adequate for their needs. While critical infrastructure in regulated sectors, such as banks and utility firms, is used to this kind of risk, most firms are not, and their risk management practices are geared around lower-level, slower-moving risks. Companies will need to upgrade their risk management substantially to cope with the growing threat of cyber-attack, including introducing disciplines such as stress-testing, and creating a joined-up recovery plan that brings together financial, operational, and reputational responses.
Key findings from the report:
Insurers can help firms better manage their cyber risks. By asking the right questions and educating clients, insurers can help drive the adoption of cyber security best practice, including Cyber Essentials.
The UK insurance sector is already a world-leader. With initiatives like this, the sector is demonstrating that the UK is the natural home for a growing global cyber insurance market.
Firms place cyber amongst their leading risks in terms of likelihood and severity of impact.
Banks and national infrastructure organisations are generally better equipped to model cyber risks, which can be very fast moving and damaging, whereas most other businesses are not as well equipped to deal with this type of ‘tail risk’.
Modelling of cyber risk has been difficult due to a lack of available data. However, there are alternative approaches to valuing the risk of cyber-attack, including stress testing.
There is a lack of awareness of cyber insurance and a lack of certainty about coverage – less than 10% of companies have cyber insurance according to recent surveys.
A lack of data pooling poses a challenge for the insurers in the development of their pricing models and coverage.
The potential for the aggregation of losses impacting a large number of firms and arising from a is a growing concern for insurers.
Jonathan Healy, divisional executive of Marsh Africa’s financial and professional liability practice