Andrew Coutts recently spoke at Insurtalk18, focusing on the increased cyber-crime in the digital age. I took the following highlights from his presentation. (The full video is available from CN&CO Events.)
Andrew started out by referring to a market intelligence report by S&P Global which indicates cyber-crime revenue of $1.5 trillion annually, which is five times the approximate costs of disasters that happened in 2017 and $500 billion more than the US annual insurance premiums on a net written basis. He also indicated that we can expect to see $75 billion related to connected devices, with about seven or eight devices per person connecting all that you engage with, such as cell phones, laptops, iPods and iPads.
He said you can start seeing the breeding ground for cybercriminals and cyber activity, and that what’s really making the biggest impact is the legislative changes related to POPIA, bringing accountability. The risk to, and real drain on, the economy coming through, plus the fact that we can now be held to account for breaches, has led business leaders surveyed in the S&P Global Markets Report to now say that cyber has become the single biggest threat, bigger than terrorism and climate change.
According to Andrew, South Africa is the sixth most exposed country in the world when it comes to cyber cover inside of insurance. Specifically, he mentioned, we have seen some very real cyber-crime incidents in South Africa, very much focused on identity theft, theft of funds and data, ransom, extortion, vandalism, and espionage. “We’ve seen lots of attacks coming through terrorism and then of course, accidental breaches, including companies like Nedbank, Liberty and of course, Government departments, with no real hiding place for many of the businesses in our space”.
Sharing some of the detail of the SHA annual risk review, he said that they completed and published this in December 2020, with the more recent report coming out shortly. Over 30% of brokers surveyed noticed a marked increase in cyber-related activities, with 37% of businesses reporting suffering some kind of cyber breach in the past 12 months. Effectively, he said, more than one in three of their commercial customers have experienced some form of a breach, but only 18% of businesses tried to buy some form of cyber cover, so it is increasing but penetration is really low, considering the risks that we see. “We’re trying to insure against unauthorised access to bank accounts, unauthorised access to an internal email, customer data being stolen, locked systems and then of course, POPIA fines and penalties.”
Andrew said he wanted to flag why systemic risk has become problematic for them, mainly because the nature of risk is changing so much, in turn changing the nature of insurance. What becomes really problematic with systemic risk is that it’s hard to insure and reinsure against. COVID is a great example of this. “You can insure against an individual instance of disease but, when the whole economy is taken down by disease, and it’s not one incidence of despair, it’s a global phenomenon and it becomes uninsurable”. At the same time, he said, the sideways spreading of these risks is what creates the real problem in a systemic case. Examples of these are pandemics, climate change and cyber political instability, which become uninsurable, which means we have to do a lot more around preventing and managing risk to ensure it doesn’t happen.
You can still buy cyber cover, and it’s important that we start educating our clients around that, because there is a portion of risk that you can transfer onto the insurer. Never has this been more relevant in our market than it is today. Andrew explained that a typical insurance policy covers four key areas:
On the liability and the regulatory side, you can buy protection against any third party coming against you for some form of breach, reputation, or some form of loss, including costs. The policy will cover your legal defense costs and, should you lose against that legal approach, it would cover the damages and the settlements that arise from that action.
Andrew explained that you can also insure yourself against the two other key things that really impact your own business and that you have to manage and monitor very closely. The first is managing your own response. That is the “own damage” cost of a cyber event, with things like getting a team of experts in to fundamentally lock down and prevent further damage, then starting the restoration process, understanding what is actually being hacked and, finally, how you can stop and limit the damage. There is also some loss in profits, the cost of ransom to unlock your systems and potentially theft of funds.
Finally, he indicated that you have the reputation elements, which are critical. An event like this is obviously going to get lots of media coverage, mainstream and social media. You will need a response through your reputation management firms, aiming to control your own narrative.
What are you NOT covered for:
- Use of illegal or unlicensed software
- Design faults in systems and Professional Indemnity losses
- Loss or damage to tangible property
- Scheduled downtime or planned outages of computer systems
- Outage of infrastructure of a third party or service provider
- Losses where the Insured’s third-party service provider has sub-contracted to another third party
- Human error of a service provider
- In-game currencies, crypto-currencies, rewards points and air miles
- Loss or theft of a third party’s money or property in care, custody and control
Andrew then proceeded to provide the audience with a few tips on managing the risk:
- Increased awareness
- Manage staff behavior
- Password management
- Consult a security specialist
- Reduce unnecessary info
- Limit access internally
- Avoiding complacency
As far as the role of the Intermediary goes, he listed the following:
- Brokers are key in driving broader and sustained awareness around cybercrime
- They have an important role to play in educating clients about the benefits of cyber insurance and explaining how the cover works
- They add the most value where knowledge and expertise is required to identify risks and find solutions that match client needs
- Their advice is especially required in the case of a complex, emerging and as-yet relatively unfamiliar risk like cybercrime
- There is great opportunity in the need to close the gap between exposure and cover
Andrew referred to the annual Santam insurance barometer study, which is available on their website. Here, he said, they asked their commercial intermediaries what the three biggest risk trends are that they are most worried about. And, surprise, surprise, political risk, cybercrime and pandemics topped the list. This is something that the industry is critically aware of.
On the Cyber Risk side, Andrew explained: “The Santam Insurance Barometer 2020/21 report shows that since the start of the pandemic businesses are pivoting to better take advantage of the opportunities presented by our “new normal”. The rapid adoption of technology has disrupted traditional business models, with many firms forced to digitise faster than originally planned. This rapid adoption of digital technologies has made us more vulnerable to cybercrime.” He positively noted that Cyber risk is now widely recognised as a global emerging risk and it was encouraging to see a notably higher level of awareness than previously reported among commercial businesses. “The Santam Insurance Barometer 2020/21 findings show that 45% of commercial intermediaries ranked cybercrime as the third highest business risk, while 36% of corporate and commercial entities ranked it their fourth biggest risk over the next two years”, he said.
The way forward – Andrew asked what we should be doing. His proposal is that first, we must be driving broad awareness around cybercrime, the size of it, the language that you’re being exposed to, and the risks that come apart from continuously changing and operating in different ways. He stressed that the education role is even more important and that, with the increased complexity, the role of the expert adviser, the broker, has never been more important to sustain and drive our business going forward.
This is not a product you can buy off the shelf. This is not something that you can just go and get from telephone agents. He said this is a great opportunity for us to reposition ourselves for insurance and risk experts to grow and fundamentally create a niche of the market. An opportunity, not to the broker as a transactional placer of a policy but the broker as a risk advisor, somebody that can understand and talk to the concepts of systemic risk position. This is where the insurance policy is only a part of the solution and advising clients as to how to prevent and manage the risks while understanding your networks, has become crucial.
Andrew ended his presentation by referring to their own Cyber solution and the fact that they provide a lot of specific solutions. He encouraged the audience to reach out to the liability guy and SHA, indicating that they are excited to bring out their own cyber cover as a part of commercial policies going forward. He indicated that clients will be able to buy first-party cover for data breach, restoration, interruption, cyber extortion, cybercrime, as well as the needed protection.
In the liability space, they will now have cover against a third party approach, privacy issues, network security or media liability in terms of the brand management and reputation.