By: Spiros Fatouros, CEO of Marsh McLennan, Africa and South Africa
In recent years, cyber risk has emerged as one of the most pressing threats for businesses worldwide.
The complexity and evolving nature of this risk were highlighted in a recent report by Marsh McLennan and Zurich, which underscored a worrying reality: 99% of the economic losses caused by cyber incidents are not insured. This statistic reflects the growing challenge of adequately managing and mitigating cyber risk in an increasingly digital world.
When we talk about economic loss in the context of cyber incidents, it is important to differentiate between what is insurable and what is not. In general, a loss is considered uninsurable for one of two reasons. First, insurers may lack the appetite or the capacity to accept a given risk at a premium the buyer can afford. Second, some losses are uninsurable because covering them would conflict with public policy.
For instance, a large-scale malware attack that disrupts a company's own operations may be covered under a cyber insurance policy. A cyberattack targeting a public utility, with widespread downstream impacts across many dependent businesses, would typically be excluded. This is a key distinction, as it highlights the limitations of current insurance products in addressing the full scope of cyber-related economic losses.
Cyber risk is a constantly evolving landscape, with threats such as ransomware and the exploitation of vulnerabilities in cloud infrastructure changing rapidly. The report emphasises that the widening gap between economic losses and insured losses is driven in part by the inability of insurance products and risk management strategies to keep pace with these evolving risks. This is not unique to cyber risk; the same phenomenon occurs with natural disasters such as hurricanes, where insured losses often fall well short of the full economic impact.
In South Africa, small and medium-sized enterprises (SMEs) are particularly vulnerable when it comes to cyber incidents. Many SMEs remain underinsured or entirely uninsured against cyber threats. This stems from a perception that cyber risk is primarily a concern for larger companies, such as banks or those handling sensitive data. That mindset overlooks the indirect exposure SMEs carry through the third-party services and infrastructure their businesses rely on, any of which could be compromised in an attack.
A cyber incident affecting cloud services or other essential digital infrastructure can have devastating consequences for a small business even when it is not the direct target. For SMEs, the risk therefore often lies in disruption to the services they depend on rather than in being singled out by cybercriminals themselves.
Encouragingly, there has been a growing awareness of cyber risks and a corresponding increase in the uptake of cyber insurance. In recent years, more South African companies have recognised the need to safeguard against cyber threats, leading to increased purchases of insurance policies and higher coverage limits. This shift reflects a broader trend in which cyber risk is no longer viewed as a niche issue but as a critical concern that warrants attention at the highest levels of business leadership.
Cyber risk is now firmly on the agenda of boards and CEOs, with companies increasingly integrating cyber risk management into their overall business strategies. This change in perspective is essential. Cyber risk can no longer be siloed as a purely IT issue; it must be embedded in the broader risk management framework alongside market risk, operational risk and credit risk.
From an insurer's perspective, there is an ongoing challenge to keep pace with the fast-evolving nature of cyber threats. The development of cyber insurance products often lags the emergence of new risks because insurers rely on historical loss data to price and structure policies. This means that while insurers are continuously adapting, there is always a gap between the appearance of a new threat and the availability of tailored cover to address it.
Nevertheless, the insurance industry has made significant strides in establishing minimum standards for cyber protection. Just as fire safety standards are a fundamental requirement for property insurance, baseline cyber controls such as multi-factor authentication, identity and access management, and immutable backups that an attacker cannot alter or delete are becoming standard prerequisites for obtaining cyber insurance coverage. These measures help ensure that businesses meet a minimum level of cyber resilience, reducing both their own exposure and the losses an insurer is asked to carry.
In conclusion, cyber risk is a business risk that must be integrated into a company's overall risk management strategy. The days of treating cyber as a standalone IT issue are over. Businesses must instead view cyber risk as an inherent part of their operations and take steps to mitigate it accordingly. Collaboration between the public and private sectors will also be crucial in addressing the most significant cyber threats, particularly those targeting national infrastructure, where the resulting losses are the least likely to be insurable.
By working together, we can build a more resilient response to the growing cyber risk landscape.