
Cyber risk insurance integral to risk management

By Staff Writer, ITWeb
Johannesburg, 29 May 2017

Data breaches are on the rise. Barely a week goes by without headlines about major breaches or new threats, such as the WannaCry ransomware that infected over 200 000 computers across 150 countries a couple of weeks ago.

Other, larger breaches, such as the attack on Target in which 40 million credit and debit card accounts of their customers were stolen, or the more recent Yahoo breach that compromised confidential information of 500 million clients, are also becoming commonplace.

The recent '2016 Cost of Data Breach Study: Global Analysis Report' by IBM and Ponemon Institute, which surveyed 383 companies across 12 countries, revealed that a data breach costs a business $4 million on average, a 29% increase in cost since 2013.

More worrying, the research showed that organisations in South Africa and Brazil are most likely to have a material data breach involving 10 000 or more records.

So says Jaco Oosthuizen, chief exponential officer at Exponential Ventures, adding that: "The King IV Report on Corporate Governance has also recognised the advent of the fourth industrial revolution and the central role that technology plays in revolutionising businesses, societies, and transforming products, services and business models."

He adds there is no doubt that all reasonable and appropriate steps should be taken to protect the information and technology in a business. "But what happens when there is a breach and the organisation is exposed to physical and financial damage, as well as business interruption that threatens business continuity?"

According to Oosthuizen, in an age where knowledge and information are currency, where organisations will soon be subject to regulations such as the Protection of Private Information Act in South Africa and the General Data Protection Regulation in Europe, and where organisations are collecting huge amounts of data that assist them to serve their clients better, cyber risk insurance is becoming integral not only for risk management, but also for good corporate governance.

Vica Manos, director of UK-based Anthemis Group, says although cyber risk insurance is comparatively new in relation to other insurance sectors, the space is evolving rapidly due in part to the advent of data science and technology, and the resulting emergence of specialist cyber technology companies that focus on the SME market.

"In fact, with annual premium growth expected to remain at 15% over the next five to 10 years, cyber risk is one of the few insurance markets not challenged by stagnant or decreasing premiums, attracting the attention of insurers and reinsurers alike," says Manos.

He adds that comprehensive cyber risk insurance policies are currently mostly used by big corporations. The current process of using a consultancy firm to perform a security benchmarking process from an insurance perspective and to understand the corporation's needs in terms of protection is a costly exercise, which also requires extensive internal cyber knowledge. "This is prohibitive for smaller organisations."

According to Anthemis, there are several challenges for the growth of cyber risk insurance, including a lack of cyber expertise. "The very nature of cyber risks commands highly specialised professionals to both assess and underwrite risks, which will require companies to either collaborate/acquire relevant cyber security firms or develop internal capabilities."

In addition, traceability and cooperation are an issue, because cyber threats are not as easily identifiable as physical threats. "Companies sometimes may not even know that they have been attacked and therefore cannot properly collect information about the incident. In addition, corporations might be reluctant to publicise breaches and share details because of the reputational effect of admitting security failures, potential impact on future sales, and a desire not to attract further attacks."

Data availability is also an issue, as the absence of a commonly accepted framework to capture information about cyber incidents adds to the challenge.

In addition, constantly changing risks, including new actors and methods, and the potential for unknown cyber threats create significant ambiguity around the underlying sources of exposure, especially since these may be different for regular IT security breaches compared with catastrophic cyber events.

Lastly, there is cyber risk modelling, because the nature of cyber risk presents a unique set of challenges. "The frequency and severity of cyber events as well as their co-dependence are not easy to establish, making it difficult to assess potential aggregate losses."

"Exponential Ventures has been in extensive discussions with Anthemis to find solutions not only for the South African market (identified as one of the most vulnerable countries) but for the 15 other countries, and the broader global market. Financial Wellness drives us to invest in start-ups that have the potential to help us achieve this for our clients and stakeholders and cyber risk insurance is becoming an important component in this journey," concludes Oosthuizen.
