The recent WannaCry ransomware attack highlights the inherent risk that cyber-crime poses to business, with its dramatic rise in the top ten risks to business from number nine to number five in Aon’s 2017 Global Risk Management Survey.
The 2017 findings from the web-based survey underscore that companies are grappling with new risks such as cyber-crime, and lack consensus on how to best prioritise and respond to them.
The frequency of cyber breaches is increasing, and incident response plans have become more complex due to regulation and mandatory disclosure obligations. The disclosure obligation is of particular interest to South African businesses, with related legislation looming on the horizon: the General Data Protection Regulation (GDPR) commenced on 24 May 2016, with its grace period ending on 24 May 2018, while the Protection of Personal Information (POPI) Act brings a further layer of complexity for any business holding personal client data.
“There are massive financial and reputational damages that result from such attacks, and for the most part, the true extent of the damage is unquantifiable until something actually happens and can be measured,” says Kerry Curtin, business unit manager: financial institutions at Aon South Africa.
Ransomware, such as ‘WannaCry’, is a newer example of malware and is a growing problem globally and in South Africa. Phishing and social engineering attacks increased significantly from 62% in 2015 to 70% in 2016, which in turn has increased the demand for cyber insurance, particularly in the wake of high-profile cases.
“Cyber crimes have evolved from stealing personal information and credit cards to staging coordinated attacks on critical infrastructures. As cyber-crimes become more rampant, more costly, and take longer to resolve, companies need to improve their risk readiness with the acceptance that cyber security risk management is a critical part of doing business across industries, and needs to happen as part of an enterprise-wide risk management strategy.
“Rapid changes in digital transformation continue to create more cyber vulnerabilities, triggering exposures across the business so quickly that companies find it challenging to deploy timely and adequate risk management strategies,” she adds.
Much more progress is needed in the area of cyber risk control and mitigation to keep pace with the pervasive and fast evolving cyber threats that go hand in hand with the dizzying speed of technological innovation. Currently, only 23% of companies employ financial quantification metrics in cyber risk assessment.
Without measuring the actual financial impact of identified cyber threats, companies will not be able to adequately prioritise capital investment in risk mitigation, nor will risk managers be able to convince a potentially less tech-savvy board of its importance. Only 33% of surveyed companies are purchasing cyber coverage.
While more organisations claim they take their cyber risks very seriously, this is not being echoed in insurance uptake and risk readiness, according to Aon’s 2017 Global Risk Management Survey. This may have to do with the fact that many organisations are still lagging in performing the type of risk assessments that insurers require.
Even technology companies, those heavily reliant on the web to conduct their business, and those that hold extensive and sensitive personal data still have no cyber insurance, despite the fact that class action lawsuits and regulatory fines have become synonymous with data breaches.
There is still a great deal of complacency in local markets, and this has to do with the fact that incidents in South Africa are grossly under-reported and kept under wraps, despite South Africa being in the top three in the world when it comes to cybercrime attacks.
“Cyber insurance is specifically designed to cover the unique exposure of data privacy and security and can act as a backstop to protect a business from the financial harm resulting from a breach. While some categories of losses might be covered under standard policies, many significant gaps often exist. Risk managers should work with their insurance advisors to analyse such policies and determine any potential gaps in existing coverage because cyber events can impact numerous lines of insurance coverage,” explains Kerry.
Companies with cyber insurance in place also soon discover that there are significant advantages to having this cover:
* Data breaches are difficult to budget for, as they are so unpredictable. The size, scope and complexity of each data breach vary widely, so insurance is a practical way to manage high-price-tag exposures such as data breach notifications, forensic investigations, legal fees, data analysis, crisis communications, monitoring, remediation, restoration and legal settlements.
* Specialist (and expensive) resources are typically provided by insurers or carriers within hours of notification of a breach. These resources include specialised tech teams and forensics experts whose first role is to identify and contain the damage as quickly as possible, along with legal counsel, communication specialists and response teams whose role is to limit the organisation’s legal exposure. These are typically resources that few organisations would have in-house and on-call, due to their price tags.
“In order for companies to actively evaluate cyber risks, they need to broaden their collaboration with other business functions to ensure an integrated approach to the cyber challenge and effective strategies. The risk that cyber crime poses affects all companies, big and small, and that is why it is crucial to speak to a qualified risk advisor who is able to take your business through a comprehensive cyber risk assessment in order to mitigate your exposure to this growing risk,” concludes Kerry.