SA firms changing stance on cyber security insurance

By Christopher Tredger
Johannesburg, 23 Jul 2024
Pieter Nel, regional head, SADC, Sophos.

The integration of cyber insurance as part of risk management strategies is on the increase in South Africa.

That’s according to a study by cyber security solutions firm Sophos, which surveyed 311 IT and cyber security professionals in South Africa – those whose organisations have some form of cyber coverage.

The research showed that 72% of organisations made major investments in cyber defences to optimise their insurance standing, and 74% believed these investments enabled them to secure coverage.

Additionally, 68% reported obtaining more cost-effective coverage due to their enhanced defences, and 45% achieved better policy terms, such as improved coverage limits and conditions.

Pieter Nel, regional head, SADC, Sophos, said, “Cyber insurance is no longer just an optional extra, it's a critical component of comprehensive risk management strategies, providing a financial safety net and helping to mitigate the impacts of cyber incidents.

“Our findings show a strong correlation between the quality of organisations’ cyber defences and their ability to secure favourable insurance terms. A significant 98% of respondents improved their cyber defences to better their insurance positions, with 74% achieving coverage they wouldn't have otherwise obtained.”

Favourable terms could include lower prices for coverage and a higher amount of total coverage offered.

Nel emphasised that Sophos is not an authorised insurance agent and cannot provide recommendations on insurance.

“However, we can help organisations put in place many of the security controls that will help them optimise their insurance position,” he said.

An example is what to consider when selecting a potential cyber insurance services provider.

“This is about how well carriers can meet your organisation’s unique needs. It is worthwhile documenting your requirements in advance of selecting a provider. For example, how much coverage you need, the level of support required in the event of a cyber incident, the types of incidents you want covered etc.”

“Bear in mind that needs may vary across the organisation, for example, IT may think that $2m is sufficient to cover them in the event of a major incident, however sales know that some client agreements require $2.5m coverage as a condition of doing business together.”

Sophos expects more companies to get standalone cyber insurance policies and fewer to have cyber as part of a general business insurance policy.

Cyber insurance vs traditional

Nel noted that while cyber insurance is similar to other types of insurance, its operating environment changes faster than any other form of coverage.

“Threats continuously evolve and new defence technologies to combat them quickly emerge. While factors affecting your vehicle and property coverage change relatively little year-on-year, the cyber security environment when you renew your policy will likely be quite different from when you took it out. For example, average ransomware recovery costs increased 50% over the last year, meaning the coverage levels needed in 2023 will likely fall short in 2024. Take the time to review your policy requirements every year rather than defaulting to previous levels,” he advises.