The systemic nature of cyber risk provides intermediaries with an unprecedented opportunity to showcase their value to clients, Andrew Coutts, Santam’s head of Intermediated Distribution, told the recent InsureTalk18 online conference.
It is difficult to insure and re-insure against something that happens everywhere at the same time, such as a pandemic, climate change, political instability and cyber-crime. With such systemic risks, a pure risk-transfer solution is not viable, so more must be done to prevent and manage the risk, he said.
Intermediaries have an opportunity to demonstrate their value by identifying cyber risks, advising clients on how to prevent and manage these risks, and educating clients about the benefits of cyber insurance, Coutts said.
“This is a great opportunity for us to reposition ourselves as the real insurance and risk experts.”
The role played by the broker has never been more important than when addressing the complexities of cyber risks and insurance. Cyber insurance is not a product that can be bought off the shelf or from a telephone agent, Coutts said.
What can be covered
He said a portion of cyber risk can be transferred to the insurer, and it was important for intermediaries to start educating their clients about cyber cover.
Coutts said a good cyber insurance policy typically covers four key areas:
- Liability – legal costs, damages and settlements.
- Regulatory – notification and monitoring, legal costs, fines and penalties (note: by law, not all fines and penalties can be covered).
- Own-damage costs – investigation, response, restoration, loss of profit, ransom payments, theft of funds.
- Reputation – employing public relations and reputation management experts to deal with the fallout from data breaches.
On the subject of regulatory-related losses, Wolfgang Boffo, Munich RE’s business development and underwriting manager for cyber risks in Southern Africa, told the conference that clients should be made aware of the implications of chapters 10 (enforcement) and 11 (penalties) of the Protection of Personal Information Act.
It was envisaged that the Information Regulator would be self-financing (via levying fines and penalties), so one could expect it to be “very active” – as similar bodies in other parts of the world have been, Boffo said.
What is usually excluded
Coutts said intermediaries should also ensure that clients understand what is not covered. The typical cyber insurance policy excludes:
- Use of illegal or unlicensed software;
- Design faults in systems and professional indemnity losses;
- Loss or damage to tangible property;
- Scheduled downtime or planned outages of computer systems;
- Outage of infrastructure of a third party or service provider;
- Losses where the insured’s third party has subcontracted to another third party;
- Human error of a service provider;
- In-game currencies, crypto-currencies, rewards points and air miles; and
- Loss or theft of a third party’s money or property in care, custody or control.
As pointed out above, not all of the risk can be transferred to the insurer, and advisers have a key role in driving awareness among clients of what they should be doing to prevent and manage cyber risks.
Coutts said clients should be encouraged to implement the following:
- Compulsory, ongoing training of staff about cyber risks;
- Password management;
- Security specialists ensuring that networks are protected; and
- Policies on the use of work devices for non-business purposes.
Boffo noted that while people tend to focus on cyber risks that result from malicious activities, such as hacking, more than 50% of cyber risks arise internally, such as staff clicking on phishing emails and failing to download security updates timeously.
Intermediaries could draw on a large amount of research to support the case for the need for cyber insurance.
In his presentation, Coutts said:
- It is believed there will be 75 billion interconnected devices in the world by 2025, creating huge opportunities for cyber-criminals, according to S&P Global Markets Intelligence.
- Cyber-criminals are pocketing about $1.5 trillion a year, according to S&P. This is five times the estimated cost of natural disasters in 2017 and $500 billion more than net written insurance premiums in the US in 2017.
- South Africa has the sixth-highest average exposure to cyber-crime in the world, with the industrial and financial sectors the most common targets.
He said the annual risk review published in December 2020 by SHA, Santam’s specialist underwriting division, found that:
- More than 30% of brokers surveyed noticed a marked increase in cyber-related incidents; and
- 37% of businesses reported suffering from some kind of cyber breach in the past 12 months.
Boffo said research in September by global consulting company Roland Berger found that South Africa was among the top four countries favoured by cyber criminals.
Charl Ueckermann, the chief executive of AVeS Cyber, said that, on average, a cyber incident cost a small business R1 million, a mid-sized business R16m, and a large enterprise R40m or more.
Research also indicated that the door was open for intermediaries to sell cyber insurance.
- The IDC cyber security survey in September found that 50% of South African business leaders are concerned about the consequences of security breaches.
- Only 18% of South African businesses report having some kind of cyber cover, according to SHA.
- Global research by Munich RE found that 81% of senior executives believe their company is not adequately protected against cyber threats. However, most are not aware of the cyber insurance policies and services that are available, and less than 10% believe they do not need pre- and post-incident services in addition to pure financial cover.
Boffo said pre- and post-incident services can be paired with an insurance policy, in the same way as roadside assistance has been paired with motor insurance. This add-on was particularly valuable for individuals and SMEs, which don’t have IT security departments.
Zamani Ngidi, client manager: Cyber Solutions at Aon South, said the number and value of claims were increasing in South Africa. As a result, more underwriters were excluding cyber cover from “traditional” insurance policies and were tightening the conditions in cyber policies for key risks, such as ransomware attacks.
More and higher claims were also driving steep premium increases, although this was also due to cyber insurance having been under-priced.
Boffo said cyber risks can result in severe business interruption losses and third-party liabilities. As a result, cyber cover cannot be an add-on to property or casualty insurance, and it must be priced adequately.