Cyber insurance delivers business value
In a world where threats are becoming more complex and ever-evolving, and laws more demanding, investing in cyber insurance delivers true business value.
That was the message from Natalie van de Coolwijk, MD of CyGeist, speaking during the ITWeb Governance, Risk and Compliance 2014 Summit at The Forum, Bryanston, yesterday.
According to Van de Coolwijk, the digital revolution has presented new challenges to organisations on top of the corporate governance and legislative developments they are already faced with.
The world has also become a global village because of the Internet, which has spurred aggressive growth in cybercrime, she noted, adding that assets and perils are no longer just tangible or physical in this age.
Describing the traditional insurance products, Van de Coolwijk noted that they mainly covered things like professional indemnity, general liability, business interruption, computers, as well as fidelity guarantee.
However, these were mostly tangible assets like hardware, property, loss of business, etc., but did not cover things like data, she pointed out.
"Cyber insurance is specifically tailored to address intangible property and non-physical perils," Van de Coolwijk said. "It provides cover for information and network security breaches, as well as first-party and third-party cover."
She explained that it also covers data recovery and business interruption. "Cyber insurance provides coverage to respond to a loss of income and operating expenses experienced due to a network security breach.
"It will cover expenses of specialists, investigators, digital forensic auditors, or loss adjusters as well as costs to restore/recover data and operations, or costs incurred until such point in time where it is established that data can't be recovered/restored."
"When cyber insured, organisations also get crisis management and notification expenses cover as it provides coverage for costs to respond to a security failure or privacy breach," Van de Coolwijk stated. Response costs could include notification expenses, costs to provide credit-monitoring or other remediation services to customers or impacted third parties and public relations/crisis management expenses.
"It also provides coverage for third-party claims due to a failure of the insured's network security or failure to prevent unauthorised access to personal information. Coverage would also be provided for associated regulatory fines and penalties to the extent insurable by law."
Describing how the system works, Van de Coolwijk said that when a breach occurs, a notification is sent to the insurer; a panel of service providers will then be notified and deployed.
"Depending on the nature of the incident, these may include technology and forensic specialists to contain the incident and restore services; legal specialists to guide and assist with legal and regulatory actions to be taken; or PR specialists to assist with developing and implementing a PR strategy," she said.
The legal specialists will assist in making a decision regarding notification of parties affected by a breach, she explained, adding that guidance will be given to ensure that notifications, call centre Q&A scripts and dark Web site text comply with regulatory requirements and PR strategy.
"Notifications will be distributed to affected individuals and, depending on the nature of the compromised information, may include an offer to register for credit monitoring services. In addition, a call centre and dark Web site will be provided.
"Affected individuals who elect to take up credit monitoring services are registered with the relevant service provider. They will be provided with regular reports and alerts should there be any activity on their credit record. Legal specialists will provide them with assistance in dealing with regulatory bodies and third-party liability claims."
Giving examples of where cyber insurance was needed, she cited the Sony PlayStation Network, which was hacked, compromising personal information of 77 million customers and causing losses of $171 million.
Malware inserted into point-of-sale devices has cost South African banks tens of millions of rands in what is being described as one of the worst breaches of customer card data in the country's history, she added.
According to Van de Coolwijk, the US is one of the leading markets with regard to cyber insurance adoption.
However, she concluded, the market is still in its infancy in the South African landscape, though she believes it will start growing with the POPI Act on the cards.