Thokozile Mahlangu, Chief Executive Officer at the Insurance Institute of South Africa
While the past two decades have seen a steady evolution in the frequency and sophistication of cyberattacks against businesses and individuals, the outbreak of the global COVID-19 pandemic last year resulted in a significantly increased attack surface for cybercriminals to exploit.
In effect, the “new normal” ushered in by the pandemic has forced companies to accelerate their digital transformation journeys, with remote working creating an attractive target for mass attacks, as companies and employees scrambled to implement remote applications, networks and systems.
With businesses across the globe increasingly relying on digitally-enabled platforms, hackers wasted little time in taking advantage of the situation, with research predicting that cybercrime will inflict damages totaling $6 trillion across the globe this year alone.
The top pandemic-related cyber scams that caused business disruptions in 2020 include information-stealing scams, malware and ransomware attacks, vulnerabilities related to working from home and websites selling fake products, including coronavirus remedies and personal protective equipment.
The impact of cyberattacks has also been exacerbated by the introduction of regulatory frameworks and legislation that govern the handling and storage of customer data, such as South Africa’s recently introduced Protection of Personal Information (POPI) Act and the Cybercrimes Act.
Thus, regulatory penalties and consequences for not protecting critical data have grown significantly in recent times, meaning that a data breach could potentially put a company out of business.
Unsurprisingly, this spike in cybercrime is creating a new market for insurers, as traditional cybersecurity solutions are not always effective at stopping bad actors from delivering increasingly complex and targeted attacks.
According to corporate law firm Michalsons, companies must take proactive steps to comply with cyber laws as a means to mitigate risks (including privacy-related legal risks). However, insurance can also be an effective way of managing some of the risks.
That said, the characteristics of cyber events, including a limited loss history, the unreliability of past data when predicting future events, as well as the possibility of a large-scale attack where losses are highly correlated across companies and/or industries, make it difficult to write comprehensive policies.
Hence, while cyber insurance is considered a major emerging opportunity for the insurance industry, there are a number of risks that must be taken into account by underwriters, brokers and clients.
These include the increasing frequency of cyberattacks, the difficulty in pricing for the risks and the fact that existing policies, including liability and property policies, may be invoked to pay claims which have never been priced for.
Another dimension to consider is that as technology continues to grow in capacity, advances in areas such as artificial intelligence, quantum computing and the internet of things are also creating major risk exposures.
Insurers will ultimately have to determine whether to insure cyber risks to physical damage or intangible assets only. For instance, the advent of self-driving cars, pilotless ships and smart buildings is exciting, but also creates attractive targets for hackers.
Yet, while cyber threats are affecting all aspects of life and cybersecurity issues are becoming a day-to-day struggle for most businesses, cybersecurity insurance is still an emerging industry. Organisations that purchase cybersecurity insurance today are considered early adopters.
This then means that all insurance professionals, whether directly dealing with cyber insurance or not, need to learn the basics of cyber insurance, according to the UK-based Cyber Insurance Academy.
For example, insurance brokers must learn how to explain coverages, endorsements, exclusions and the services provided by the insurance company. They need to be able to explain cyber threats, exposure, and security gaps, quantify risk and help choose the appropriate liability limits and payable excess.
Underwriters must know how to perform cyber due diligence, analyse security exposures and risks, and assess the current security posture, as well as determine premium prices and capacity based on the insurer’s risk appetite.
Claims professionals form part of the response team when a cyberattack occurs, and need to have a deep understanding of the cyber insurance policy and its coverages. They must assess the incident and how it relates to the policy terms to make claim payment decisions.
Lastly, risk managers must learn to identify and analyse the financial impact of cyber threats to prepare risk management and insurance budgets. They must be able to quantify risk and help choose the appropriate liability limits and excess fees.
As mentioned, cybersecurity insurance is relatively new, so expect policies to vary significantly from one provider to the next. However, when choosing a policy, companies should closely review policy details to ensure that they contain the necessary protections and provisions, as well as protection against known and emerging cyber incidents and threat profiles.