While it remains an area of great debate and sometimes frustration, cyber insurance has over the past year become top of mind for chief information security officers (CISOs).
This was the sentiment shared by CISOs, echoing the findings of the ITWeb Security Summit CISO Survey, which recorded an increase in the adoption of cyber-specific insurance.
The CISOs spoke at last night’s second annual ITWeb Brainstorm CISO Banquet, hosted as part of the ITWeb Security Summit and in partnership with MTN Business.
Cyber insurance is a specialty insurance product that helps organisations pay for financial losses they may incur in the event of a cyber attack or data breach. Cover may include first-party protection against losses such as data destruction, extortion, theft, hacking and denial-of-service attacks.
Celia Mantshiyane, CIO of MTN SA, said the question of cyber insurance is akin to asking whether one needs car insurance. “Cyber insurance is critical for any organisation. Stakeholders want to have assurance that if something untoward was to happen to an organisation, in terms of data loss or breach, there’ll be some compensation or assistance.
“When you go through that rigorous cyber insurance assessment, the organisation gets to evaluate their strategies and controls against standards, determining if they are industry-aligned.”
Mantshiyane emphasised the importance of going through the terms and conditions (T&Cs) that apply to specific cyber insurance cover. She noted most cyber insurers have the condition that they will not cover damages should an organisation be compromised by a third party.
“What I find is that organisations are quite proud to have cyber insurance and think they can sleep at night, but meeting the minimum requirements is a moving target, so you must read the terms and conditions.”
Nastassja van den Heever, group CISO at First National Bank, added that cyber insurers are “designed not to pay”, so they create loopholes. “Unfortunately, cyber insurance companies have had such badly-written policies over the last couple of years that they end up paying hundreds of millions because more organisations experience attacks and breaches.
“Now, they’ve become more stringent, so all of us that now have to take out cyber insurance in financial services get 100% to 150% year-on-year price increases.”
Camiel Govinsammy, head of cyber security advisory at the Sasol Group, noted cyber insurance might lead to complacency; therefore, companies need to weigh up the reasons for taking it out.
“Some organisations are looking at self-insurance. They weigh up the cost of paying those premiums monthly, look at the statistics within the organisation, and after doing some analysis, decide to put money in a fund that they will access when they need to.”
Pragasen Pather, CIO of Sun International, indicated his organisation has had cyber insurance for the last two years with cyber insurance service providers in SA. This year, Sun has also taken out cyber insurance cover with a company in London, he stated.
“The reason we’ve done this is that cyber insurance is not something that you should look at in isolation of your group insurance cover. Most insurance that organisations have excludes cover for any business interruption caused by cyber attacks.
“Cyber insurance at some point is going to become mandatory because business interruptions caused by cyber attacks will never be covered by normal insurance. You’ll see more exclusions coming in the normal insurance cover.”
Joseph Stokes, group head for cyber security and IT governance at Telesure Investment, pointed out there’s a big positive in getting cyber insurance.
“It shows – at a board and exco level – a certain level of maturity and realism, and takes a little bit of pressure off. It shows they know that protecting everything isn’t always going to be successful and helps the organisation in the long run.
“The T&Cs get more and more stringent, but it does keep you on your toes and reminds you where your weak points might be. That’s the more positive aspect of having than not having it, even when you consider the costs.”
This year’s CISO survey preliminary results show 53% of the respondents confirmed they have cyber-specific insurance, compared to 42% in 2022.
Presenting the findings, Nomonde White-Ndlovu, CIO of Bidvest Bank, pointed out that cyber insurance is a contentious issue among cyber security professionals, and many prefer not to declare whether they are insured.
“This is a good measure, because it means you recognise the devastating financial loss that would result in the event of a cyber attack.
“Given the rigorous process and the controls an organisation has to go through to satisfy insurance requirements … a lot of us will be pulling at our hair because of how intense and involved that process actually is.”
The survey results also show not all organisations have cyber-specific insurance, with respondents noting it as part of the broader insurance ecosystem within their organisation.
This year, 5% of the respondents said they don’t see the need for cyber-specific insurance, up from 4% last year. “This is potentially concerning because it means there’s still an ecosystem that will thrive from threats and organisations not being protected as a result,” said White-Ndlovu.
The majority of surveyed CISOs (93%) agreed cyber security should be a board priority, compared to 84% in 2022.
On the budget front, 47% said it increased marginally this year, which is down from 51% last year. Conversely, 29% of CISOs said the budget increased significantly in 2023, when compared to 25% in 2022.
When looking at barriers to security investment in 2023, 69% noted the costs involved, 53% pointed to the difficulty of determining return on investment, 28% said there was not enough time, 26% listed low perceived risk for the company and 22% noted the lack of security management skills.