We recently had a discussion with Alicia Narainsamy, Underwriting Head, Digital Distribution and Sizwe Cakwebe, Cyber Business Development Manager at SHA, on emerging CYBER risks and the role brokers need to play, especially in the lives of their small business clients.
COVER: Alicia, from a small business perspective, the question is always, is there really sufficient cyber risk for a small business that they really need to get insurance?
Alicia: That is like asking me if there is crime in this world. It is not a matter of if I get hacked anymore, it is a matter of when. As long as SMEs are holding customer data of any form, whether it is on the cloud or on premises, they could be held liable by their clients in the event of a breach.
Now, just to back up what I’m saying from our annual risk review survey, where we interviewed about 900 small to medium enterprises. The data extracted there revealed that 37% of SMEs reported suffering a breach in just the last 12 months. Further to that, stats indicate that 19% experienced ransomware attacks, and 50% of those who pay the ransom were hit a second time round, but that is not the interesting part.
The ransom averages between R10 000 and R20 000, so what does it really tell us? It tells us that the amounts are small enough for an SME to consider paying the ransom. So that false connotation, that SMEs are the least at risk, is a false pretense to have and to adopt.
So small SMEs need to caution themselves around this type of thinking and, most certainly, take the necessary steps to firm up their cybersecurity posture.
COVER: Which cyber risks are faced by small and medium businesses, would you then say are actually insurable?
Alicia: Let me answer this by looking at the cover and how the policy would respond in such instances. I think that would be more palatable for one to actually understand the makeup of a cyber insurance policy.
Most insurance policies have your first and your third-party cyber quadrants. However, you do get cyber policies only covering third-party losses. So here is the risk, where there is a data breach, somebody hacked the system and stole the client information and now the client sues the person responsible for holding that data. That is the third-party quadrant and how it would generally respond to some of those cyber risks.
Then you have the first-party quadrant, which includes cover for the cost of investigating the cybercrime. Now bear in mind that, with entities that do not have this cover, the cost of investigating can quickly escalate. So you also have your own damage quadrant to also think about. This is the business interruption, if the systems were offline for several hours, and it also covers the cost of the ransom itself as well as theft of funds only on the client’s side. But the last two quadrants are also pertinently important, especially for an SME. If you are an SME, it is really your business name on the line, so the cover here entails costs associated with PR, regulation in terms of fines and penalties, legal costs, notification and monitoring.
COVER: Now, the last thing that a broker wants to get roped into is to give advice on cyber risk. I mean they have an understanding of a bit of protection on their laptops and on their cell phones, but start coming in with questions about broader cyber risk and most brokers will be in uncharted territory, right? So how do they actually get involved in this sort of business, without being the one to give technical advice?
Alicia: Let me start off by saying this; it is imperative to acknowledge that brokers play a pivotal role in the insurance ecosystem, and that role is to render financial advice and intermediary services, not to tell the client what firewall to use, because that falls outside the ambit of the advice portion that they render. So what I would do is implore our brokers to engage with us, as we have partnered with a host of risk management suppliers that are trained to support them with those technical discussions.
Now, when it comes to really explaining the cover, the insurance side of it, we have a great online tool that aids the broker in doing this. Where there is a lack of knowledge we have to bridge that gap with training and awareness. We are cognisant of that, which is why we currently create a wide variety of training sessions with our brokers, and most importantly, the tool online helps them understand cyber insurance at their leisure, which is a great add-on.
Sizwe: If I can add on here. We also don’t mind sitting in on meetings with brokers and the clients, to help facilitate the actual session and explain the different types of terminologies and cybersecurity controls that we are looking at. This is an important part of the service that we also do provide to focus.
COVER: We have all read how cybercrime has increased over the last 18 months. So Sizwe, could you maybe tell us a bit about the trends and the types of crimes that we’re talking about?
Sizwe: I’ve only been with SHA for about 10 months, so I will talk from that perspective. I have noted quite a spike in the number of queries regarding the interception of emails, whereby particular emails have been intercepted by hackers and banking details are changed before they are sent through to vendors and suppliers. Subsequent to that, payments are made to the incorrect bank accounts. This is definitely a new trend and it is more specific within the professional services sector and more specifically, with attorneys and architects. So it is very prominent within that kind of industry.
We always recommend that a bit of due diligence is done whenever such details have been changed. Just a simple phone call to the account executive or whoever it is, normally would suffice. But most of the time, because the email is coming from the financial director, everyone trusts that it is correct and they will make the payment, to the detriment of the supplier at the end of the day.
COVER: From the risk and how people are managing this cybersecurity, what are the common weaknesses that you see in IT security systems that you guys have detected, and how much of that is insurable under cyber policies and extensions to existing policies?
Sizwe: I will start off by saying, as human beings, we are fallible creatures, we are prone to making mistakes. With that being said, I will say that the human element, or intervention within a computer system of process or cybersecurity control mechanism, would be the biggest flaw. I say this because, at the end of the day, it is human beings that do the configuration, the development, the programming, and the coding behind all these tools and devices.
We are prone to making mistakes and misconfigurations. It is those mistakes that lead to vulnerabilities that hackers exploit every day. So, I would say that would be one of the biggest things. The recommendation from that perspective is that they should probably take out a policy that will cover them from a misconfiguration point of view, and probably supporting that, would be some kind of a cyber policy as well that will cover them from a cyber breach or hack perspective.
Secondly to that, the lack of cyber security awareness and training. Again, it has a bit of human element in that as well, whereby staff or contractors fall prey to phishing attacks, or whaling attacks, with people clicking on emails that they shouldn’t be clicking on or going to sites that they should not be going to, and end up compromising company networks. From that perspective, I would say there needs to be companywide cyber security awareness and training, and not just training targeted at IT, but the entire staff.
COVER: Seems to me then that the big thing, being a small business owner myself, is that this whole cyber risk issue is a constant thing in your head that you worry about. As Alicia said earlier, from your business reputation perspective, but also from damage, actual loss, financial loss, and so on. So it is good to know that with the insurance comes advice from people who have seen and dealt with a lot.