Johannesburg, 30 Aug 2023
Cyber insurers’ terms, conditions and specifications around best practice risk mitigation are likely to get tougher in future, as cyber risk grows and insurers face mounting losses.
This is according to InfoTech CEO Mauritz du Toit, who expects claims to become more challenging and insurers to start playing a more collaborative role in helping clients reduce cyber risk.
“Globally, cyber insurers are taking a knock because of the increasing number and value of ransomware claims,” says Du Toit. “In South Africa, we believe the cyber insurance market is not yet mature, but we expect this sector to start evolving soon.”
He notes that local cyber insurers and their clients may currently face unnecessary risk because of how best practice is defined in policies. “We believe local insurers aren’t specific enough about what constitutes cyber security best practice. This puts the insurer at risk of paying claims when customers are negligent.
"On the other hand, if a customer puts in a claim after a ransomware attack, the insurer might partner with a cyber security expert, who would likely find vulnerabilities in the customer’s cyber security posture and the claim would be rejected.”
South African cyber insurers currently offer basic advice on mitigating risk, such as encrypting data and having multiple backups.
However, these measures are not enough for cyber resilience, says Du Toit. “For solid risk mitigation, it is crucial for organisations to implement advanced security controls. Managed endpoint security services, backups, data replication or data recovery help reduce cyber risk and maintain regulatory compliance, while also ensuring business continuity.
"A backup is only as good as the security around it, and organisations need to regularly review and test backups, do DR failovers and confirm that they work. Because employees are the weakest link in cyber security, regular training and awareness programmes must be run too,” he says.
“Our cyber software bundles are built to protect you from edge to endpoint, but most importantly include the most important factor – user awareness training and dark web monitoring to ensure you know if you are protected.”
Du Toit expects cyber insurers to become more specific about the measures customers should take to reduce their cyber risk. “They may offer incentives, such as reduced premiums for customers following best practice. They may also ensure best practices are followed by offering security and disaster recovery as a service, bundled with their policies, to ensure customers improve their security posture. This would reduce risk for both the insurer and the customer.”
He adds: “The key to getting all businesses to adopt cyber resilience is to make it as affordable as possible to ensure not only that corporates are protected, but smaller businesses as well. They are the most vulnerable and we aim to release products for the small business sector that are built to ensure those businesses can survive any cyber attack without losing any sleep.”