The demand for cyber insurance is increasing, but cyber liability is the form of specialist cover brokers are least comfortable with placing, according to SHA’s 2022 Specialist Risk Review.
Sizwe Cakwebe, the cyber risk manager at SHA, said 60% of SHA’s brokers reported an increase in requests for cyber liability cover.
Of the survey’s 1 040 respondents – which included 243 corporate leaders, 232 professionals and 171 SMEs – 39% (up from 18% in the previous survey) have bought cyber insurance.
SHA said this positive feedback should be viewed with caution, because many businesses do not have comprehensive cyber cover, which “in itself is quite dangerous”.
Cakwebe said brokers have “plenty of opportunities” to sell to the remaining 61%, particularly because 48% of those who did not have cyber insurance said they did not know this type of cover existed. “The 29% who said they do not need it will be easily swayed, too, as awareness around ransomware attacks increases.”
He said brokers’ discomfort with placing cyber cover probably stems from their mistaken belief that they need to be cyber-security experts.
“Brokers should rather study up on the cover elements within a cyber policy offered by different insurers and the differences between them and be aware of the wordings on the policies they place. All other technical and underwriting-related considerations can be handled by the insurer and their risk management teams.”
Brokers must familiarise themselves with cyber cover and carefully manage client expectations around the type of cover they have, Cakwebe said.
He pointed out that a cyber policy is not a catch-all, obligation-free risk transfer mechanism for all damages or losses consequent to a cyber-security failing. It is a last-resort safety-net if a range of risk-mitigation steps prove insufficient.
Most cyber policies contain an element of first-party and third-party cyber cover, although some policies cover only third-party losses.
First-party cover includes the cost of investigating the cybercrime and some of the financial ramifications associated with data losses following a security breach.
Business interruption costs incurred because the IT system is offline following an attack can also be included.
The policy will pay for the costs associated with public relations and the costs associated with defending against the imposition of fines and penalties by the regulator. Even the fine can be covered.
Large-scale attacks often mean a business incurs costs in notifying affected parties, as well as monitoring their credit profiles.
From a liability perspective, where personal data is breached, the cyber policy will reimburse any sums the insured party is legally liable to pay following a third-party claim, including for the infringement of data protection laws.
Employees are often the weakest link in the cyber-security chain
SHA said that more needs to be done to educate employees and contractors on what cyber security is and what their role is in protecting the organisation’s assets, including its information assets. This type of education, along with performing regular offsite data backups and maintaining a strong and well-rounded cyber security posture, is the best way for businesses to ward off cyber-attacks.
“The notion that the task of cyber security falls upon the shoulders of the chief information officer or chief technology officer is false. It is not an IT process but a business process, so all stakeholders need to work together to ensure a better cyber security posture throughout the organisation.”
SMEs have a low awareness of cyber insurance
Of the 171 SME respondents surveyed, one in three said they had suffered a cyber-attack over the previous 12 months.
However, 64% of SME respondents believe they are not a potential target for cybercriminals. This is probably because SMEs assume that only businesses with vast amounts of valuable data are hacked. This view arises from the misconception that every business that falls victim to a ransomware attack was specifically targeted by hackers. In fact, hackers are randomly sending out hundreds of millions of emails every day with the expectation that someone, somewhere will open one and click on a link.
Any business with an online presence, however basic, is at risk of a cyber-attack and should reflect this reality in its approach to risk management, SHA said.
Not addressing cyber security exposes a business to risks
About 44% of respondents said they had budget allocated to cyber security, with 45% indicating that they conducted employee awareness training on cyber security and cyber risk. SHA would expect these numbers to be higher given the spate of reported cyber-attacks.
Failure to identify and address cyber-security shortcomings opens firms to a range of related risks:
- The financial impact of business interruption, where the main revenue-generating activities are halted due to a cyber-attack. This includes attacks on physical assets, such as hacking into plant and machinery to shut down a factory. The survey found that 69% of cyber-attacks resulted in the business being offline for more than 24 hours, while 60% of respondents suffered a financial impact following an attack.
- Having to pay a ransom.
- The legal consequences that follow a breach of confidential or personal information.
- The reputational consequences that may affect the insured’s share price and brand.
Paying a ransom does not guarantee data recovery
The survey found that 53% of ransomware victims who paid a ransom were not able to recover their data.
“Once cyber criminals have your data, they have your data, whether they restore or return it or not: nothing stops them from on-selling this data to other criminal syndicates via the dark web.”
In South Africa, cyber insurers are still able to pay ransoms, “although we do so as an absolute last resort, and the insured must take security precautions to mitigate the risk from the outset”.
Globally, there is a move among regulators to stop victims of cyber-crime or their insurers from paying ransoms, to discourage this type of crime.
The X-Force Threat Intelligence Index 2022 by IBM found that ransomware was the top attack type in 2021, representing 21% of all attacks. This was confirmed by the 2022 Specialist Risk Review, which found that 25% of SMEs and 17% of corporates surveyed had suffered a ransomware attack. Among SMEs, 73% suffered damages of R50 000 or less, with 27% reporting losses of between R50 000 and R250 000.
Cyber risk management is a fiduciary duty
Although 88% of SHA clients do discuss cyber risk management or cyber security during their regular board meetings, Cakwebe said this number should be 100% as more and more companies digitally transform.
“We expect the remaining boards to follow through in light of the growing frequency and severity of globally reported cyber claims.”
Boards should also be aware that their failure to consider cyber from a risk management, mitigation and transfer perspective is contrary to the requirements of the King IV Code of Corporate Governance.
It could be argued that company directors have a fiduciary duty to consider cyber insurance as a means of combating cybercrime and protecting the company in the event of a cyber incident. Those that do not could be found negligent in the event of a breach resulting in damages.
I get that brokers need not be cyber-security EXPERTS to sell cyber insurance cover. That begs the question – what level of knowledge IS required? What level of knowledge (so-called ‘competence’) will satisfy the FAIS Ombud (for example) when the question is asked? The reasonable man test?
What does FAIS ‘best advice’ look like in a cyber crime environment? As a thought experiment – assume a complainant puts forward as fact or as basis for argument that technical details of the cover were not sufficiently explained to him and that, as a result, he or she is ‘dissatisfied’. What defence could the respondent offer? Ignorance?
Mr. Cakwebe has offered us his various opinions on threat levels, governance and so forth, but really takes the matter no further. Methinks his skirt is showing…