Cyber threats, exposure and insurance

One of the main concerns for South African businesses is dealing with cyber threats. While loss or harm caused by cyber incidents is not entirely new, these incidents have become more common in recent years due to the rapid advances in technology and the changes in many business models. By way of an example, machines are programmed to operate using technology and businesses trade on-line. The question which arises is how businesses respond to prevent or minimise their exposure to cyber threats? Businesses are well advised to put internal measures in place to ensure that their technology is sufficiently safeguarded and their employees are well trained. To mitigate against these risks, externally, insurance is available.

In the last few years the insurance offerings available to South African businesses has grown. This is because a number of companies, mainly in the USA, have suffered significant losses due to cyber incidents and the awareness of these types of risks has grown. A number of international insurers who have had some exposure to cyber incidents offer cyber products in line with what is available globally. South African insurers have followed suit and have developed their own cyber liability products. The products available differ from insurer to insurer as do the policy wordings. For instance, many insurers offer stand-alone cyber insurance cover whilst others elect to combine this cover with an existing insurance offering as an add-on. In the main (and depending on the specific policy), cyber insurance products indemnify the insured business against:

1. The losses the business suffers from cyber-attacks, such as those incurred to investigate and manage a cyber-incident and business interruption costs;
2. Costs incurred in responding to data privacy regulators and fines and penalties (insofar as these may be lawfully indemnified); and
3. Claims made by third parties.

There are three main issues which business owners seem to struggle with when deciding whether to take up cyber insurance:

1. Is existing insurance cover adequate? For the most part, the answer is “no”. Most insurance policies exclude this type of cover. For instance, a normal assets / all-risks policy which provides cover for business interruption usually requires physical damage to tangible property. A manufacturing plant may malfunction because of the introduction of a computer virus without any “physical” damage to “tangible” property which will result in a claim of this nature being unsuccessful.
   
2. Will the business be exposed to cyber threats? In all probability, “yes”. Every business that has an Internet connection or has employees who use technology in some form or another is at risk.
   
3. What type and extent of cyber cover does the business require? This is more problematic to address because the risk profile depends on the type of business, its turn-over or any other criteria generally used to assess risk. Certain sectors appear to be targeted more than others by cyber criminals but a small to medium accounting enterprise may face the same threat as a large retailer. Many insurers have designed cyber insurance products to cater for different business requirements. This said the risks are dynamic and as cyber threats evolve so will insurance offerings.

Despite the increase in cyber threats, it seems that the uptake of cyber insurance products in South Africa is still rather low, with many larger businesses declining to take up this offering. In my view, this is likely to change in the next 5 – 10 years with cyber insurance possibly being the most important insurance cover for businesses to invest in.