As more businesses transform digitally, more cybercriminals are exploiting vulnerabilities. Fortunately, businesses do have a shield to protect them through cyber insurance.
By Brett Marais, head of cyber solutions and managed security services, and Veronica Lukwago, associate director of finance transformation at BDO South Africa
However, they caution that while it offers significant benefits, this type of insurance still comes with limitations. Here, they provide insights into global trends and the considerations companies should keep in mind when evaluating cyber insurance.
Cybersecurity has been a hot topic for the last few years because no matter how hard businesses try to mitigate the risks, the sophistication of threats and the rapid rate at which threats evolve keep the subject top of mind for IT teams across the globe.
According to a recent Global Risks Report from the World Economic Forum, cybercrime and insecurity were among the top 10 global business risks in 2023. With more than 560 000 new malware instances detected daily and over 1 billion already in circulation, it’s not hard to understand why this type of crime is causing such global concern.
Luckily, the insurance industry has recognised the impact of cybercrime and is creating new products to protect consumers and businesses across the board. Unlike traditional insurance, which might cover physical assets or general liability, cyber insurance specifically addresses the risks associated with operating in a digital environment.
A typical cyber insurance policy can cover a wide range of incidents, including:
- Data breaches – This includes the cost of notifying affected individuals, providing credit monitoring services, and managing the resulting customer fallout. It also covers legal fees and potential settlements if the breach leads to lawsuits.
- Cyber extortion – If a company falls victim to ransomware or other forms of cyber extortion, cyber insurance can cover the costs of the ransom payment (if deemed necessary) and the expenses involved in restoring data and systems
- Business interruption—Cyber incidents can bring business operations to a grinding halt and lead to massive financial losses. Cyber insurance can also cover the loss of income when the business cannot operate due to a cyber incident.
- Legal and regulatory fines—With increasing regulation around data protection, businesses can face hefty fines if they fail to comply with laws like the Protection of Personal Information Act (POPIA). Cyber insurance can help cover these fines and the legal costs involved in responding to regulatory investigations.
- Public relations – A cyber incident can severely damage a company’s reputation. Cyber insurance can cover the costs of managing the public relations fallout, including hiring a PR firm to help rebuild the company’s image.
Essentially, cyber insurance is a safety net that can help businesses recover financially from cybercrime.
However, it is essential to remember that unlike in the USA, where businesses are increasingly required by law or contract to have some form of cyber insurance, particularly in sectors like healthcare, finance, and retail, this type of insurance is still in its infancy in South Africa. Fortunately, the market is expanding, especially as South African businesses increasingly do business with international partners.
Businesses looking to explore their cyber insurance options must remember that policy costs can vary exponentially across the landscape, influenced by several factors and the levels of risk associated with different types and sizes of organisations.
Insurers determine the cost of policies using varying criteria such as:
- Industry – Certain industries, like healthcare, finance, and retail, are more prone to cyberattacks and could typically face higher premiums.
- Size of the business – Larger businesses with more extensive digital footprints may face higher premiums due to the greater potential for damage in the event of a cyber incident.
- Data sensitivity – Companies that handle sensitive data, such as personal or financial information, are considered higher risk and may face higher insurance costs.
- Security measures – Businesses with robust cybersecurity measures, such as encryption, firewalls, and regular security audits, may benefit from lower premiums.
- Claims history – A company’s history of previous claims can also impact the cost of a cyber insurance policy. A history of frequent or severe cyber incidents could lead to higher premiums.
Policies can include restrictions on exclusions for incidents caused by internal employees, claim limits that may not cover all the costs of a cyber incident, and waiting periods.
The first step for businesses who want to explore insurance options is to ensure a robust cybersecurity framework. Without this, no insurer will be willing to take any further steps in the process. The first stop when it comes to accountability after a cyber incident is the business itself, so without the proper groundwork for protection, the delicate environment of cyber insurance will face grey areas.
While certainly not a silver bullet, cyber insurance can offer financial security and peace of mind. What is important now is to bridge the gap between insurers and those seeking coverage so that the right policies can be implemented to harness the power of this type of protection.