Cyber insurance, frequent questions answered
A look at five frequent cyber insurance related questions.
As the South African cyber insurance market develops and organisations contemplate taking out the cover, there are some frequent questions that arise.
Natalie van de Coolwijk, MD of CyGeist, tackles five such questions in order to shed some insight on the topic.
1. Cyber insurance - why is it important for companies to have this cover; what does it protect them against?
Cover varies, but generally includes the following:
* Third-party claims arising from compromised systems or data;
* Costs to restore data and systems;
* Loss of business income as a result of systems downtime;
* Crisis management expenses, eg, the costs of a PR campaign to minimise reputational harm;
* Expenses incurred to notify regulatory bodies as well as affected third parties of a breach; and
* Expenses of security specialists, attorneys, forensic investigators and loss adjusters to contain, manage and recover from an incident.
There is a common misconception that traditional insurance policies provide cover for the above costs. While some traditional coverage options might have cyber-crime extensions, the cover provided by cyber insurance is a great deal broader and has been tailored to assist organisations in responding to a network security or data privacy breach.
As opposed to just covering the insured for any direct financial losses, cyber insurance policies cover the resultant expenses of a data or systems breach, including aspects such as investigating and recovering from a breach while implementing measures to protect the organisation and affected third parties from damages as a result of the breach. In addition, the product not only provides cover for breaches resulting from cyber crimes committed by external parties, but also breaches as a result of malicious or negligent acts carried out by employees. Whether your employees' or clients' information was compromised as the result of a hacker stealing it, an employee selling it on the black market or you losing a USB drive, your cyber insurance policy will respond accordingly.
A major selling point in the US market has been the value-added services - insurers assist their clients in responding to a breach in the most effective manner possible to minimise any potential damage. We are emulating that model in our market and therefore have structured our product as a holistic cyber risk management package, encompassing features beyond the insurance itself, such as an information centre, IT security risk assessments, incident response coaching and planning.
2. Cyber insurance is still relatively new in the South African market; how do insurers ensure that it is relevant and meets customer needs?
While cyber insurance is new to our market, well-established models exist in many other markets, particularly the US where the product has been available for around 15 years already and premium volumes exceed $1.3 billion per annum. As a result, we have been able to learn from their stumbling blocks and from the outset offer a sophisticated product that has been customised to our local environment and legislation. The South African IT security industry is advanced and highly regarded internationally, enabling us to partner with reputable service providers to ensure a high quality of service. We have structured the product in such a way that clients should see huge benefits even if they don't claim.
3. What should companies have implemented in order to qualify for insurance cover?
While it would be great for the insurer if policyholders' systems were impenetrable, the reality is that this is simply not feasible. In fact, even an incident outside of the control of a company, like an employee's cellphone being stolen, could result in a privacy breach.
The sentiment in the more advanced IT security circles is that organisations should operate under the assumption that data breaches are inevitable. Evidence of this is that IT security solutions and budgets are increasingly placing more focus on monitoring and response than on prevention alone. This is where insurance plays a critical role, as companies essentially have the opportunity to outsource the response function, and the premium should constitute a cost saving, as insurers benefit from pooling, diversification and economies of scale. The level of IT security required in order to qualify for cover can vary greatly from one organisation to the next and will depend on a number of factors indicating the level of risk, such as the organisation's turnover and the industry in which it operates. Generally, solid risk awareness and sound IT security and risk management principles are a good starting point. For clients that don't meet the criteria, our aim is to walk the path with them and improve their security to a point where cover could be provided.
4. Do you have any advice or tips for companies who want to buy cyber insurance?
The South African insurance market is highly regulated, so clients' interests are definitely protected. Factors to consider when buying a cyber insurance policy are as follows:
* Understand your company's current insurance coverage to identify any potential gaps;
* Evaluating the need for cyber coverage is not a one-man job! Involve relevant stakeholders within your organisation (such as leaders from IT, risk management, privacy, compliance and legal departments);
* Involve a knowledgeable broker who can explain the exact scope of coverage provided to ensure you fully understand the policy (particularly when it comes to the exclusions and sub-limits);
* Make sure you complete the application form correctly; you want to avoid any disputes arising at claims stage;
* Ask the insurer about the value-added services they offer and make use of these to manage your risk;
* Agree with the insurer upfront on the panel of service providers to be used in the event of a breach; and
* Understand how to integrate the insurance claims process with internal breach response.
5. Would you say that South African companies are underinsured when it comes to cyber risks?
Many South African organisations are not even aware of the fact that there is now insurance to protect against these risks, or they are under the impression that coverage would be provided under their existing insurance policies. Traditional insurance policies are generally designed to cover tangible assets and/or material damages and cyber and information risks often fall wide of these criteria. There are many examples in the US where insurers have rejected claims stemming from cyber perils and the decision has been upheld in their courts of law. This principle has not been tried and tested in South Africa yet, but there's no reason to believe that our market would be vastly different.
This lack of awareness regarding cyber perils, coupled with the fact that legislation is only now being implemented to address data and privacy risks, means that companies are very much underinsured. Assigning figures to this is incredibly difficult due to the lack of accurate (or any) reporting and data. The 2012/3 South African Cyber Threat Barometer by Wolfpack estimates the South African economic losses as a result of cyber crime to be in the region of R2.65 billion. It would not be unfeasible to assume that insurance would pick up a sizeable portion of these costs. Companies should also bear in mind that as Internet penetration continues to grow (according to a recent Wits study, it grew from 15% to 34% in the last four years), so will losses due to cyber crime.
Van de Coolwijk invites interested parties to pose additional questions to her directly or via the CyGeist social media platforms, which can be accessed via the CyGeist Web site: www.cygeist.co.za.
CyGeist underwrites on behalf of Guardrisk Insurance Company (Authorised Financial Services Provider FSP 261075) by means of a dedicated and ring-fenced short-term cell captive, wholly owned by the Natsure Group.