Businesses must prepare for a new generation of cyber risks that are fast evolving, and moving beyond the established threats of data breaches, privacy issues and reputational damage, to operational damage, business interruption and even potentially catastrophic losses.
In a new report – A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity – specialist insurer Allianz Global Corporate & Specialty (AGCS) has examined the latest trends in cyber risk and emerging perils around the globe. It says cyber risk is a major and fast-increasing threat to businesses with cyber-crime alone costing the global economy approximately US$445 billion a year (being net losses according to CSIS/McAfee), with the world’s largest 10 economies accounting for half this total.
“As recently as 15 years ago, cyber-attacks were fairly rudimentary and typically the work of hacktivists. But with increasing interconnectivity, globalisation and the commercialisation of cyber-crime there has been an explosion in both frequency and severity of cyber-attacks,” says AGCS Africa CEO Delphine Maïdou. “Cyber insurance is no replacement for robust IT security but it creates a second line of defence to mitigate cyber incidents. AGCS Africa is seeing increasing demand for these services, and we are committed to working with our clients on the continent to better understand and respond to growing cyber risk exposures.”
Tougher regulatory regimes and new cyber perils
Increasing awareness of cyber exposures as well as regulatory change will propel the future rapid growth of cyber insurance. With fewer than 10% of companies currently purchasing cyber-specific policies, AGCS forecasts that cyber insurance premiums will grow globally from $2 billion per annum today to over $20 billion over the next decade, a compound annual growth rate of over 20%.
Comments Nobuhle Nkosi, Head of Financial Lines at AGCS Africa, “Legislative developments such as the African Union’s convention on cyber security and personal data protection and increasing levels of liability will see growth accelerate on the continent. Globally, there is a general trend towards tougher data protection regimes, backed with the threat of significant fines in the event of a breach.”
In South Africa the Protection of Personal Information Act 4 of 2013 (commonly known as POPI) was signed into law in November 2013 to define personal information and the processing thereof. A regulatory body, referred to as the “Information Protection Regulator”, will be established to ensure compliance with the Act. Recently, the Department of Justice and Constitutional Development has also published a draft Cybercrimes and Cybersecurity Bill for public comment. The objective of the legislation is to curb cyber-crime activities affecting organisations and individuals.
Elsa Jordaan, a partner at the South African office of global law firm Clyde & Co, has been following the developments in cyber liability and the law in South Africa closely. Jordaan says that, “Although the scope and impact of the country’s new data protection legislation has not yet been felt in South Africa there is no doubt that POPI is onerous and places arduous obligations on all businesses, whether public or private, big or small. It is worse for multi-national organisations as they face a web of complex and conflicting laws and regulations on data protection.”
Nigeria and Kenya are also looking at, or already enforcing, new laws. It is imperative for the AU and intergovernmental bodies such as SADC and ECOWAS to agree on data protection rules, in line with expected guidelines, on a country-by-country basis. Previously, attention has largely been focused on the threat of corporate data breaches and privacy concerns, but the new generation of cyber risk is more complex: future threats will come from intellectual property theft, cyber extortion and the impact of business interruption following a cyber-attack or an operational or technical failure, a risk that is often underestimated.
Notes Isaac Mahlangu, Head of Property at AGCS Africa, “Awareness of BI risks and insurance related to cyber and technology is increasing. Within the next five to 10 years business interruption will be seen as a key risk and a major element of the cyber insurance landscape.” In the context of cyber and IT risks, business interruption cover can be very broad, including business IT computer systems but also extending to industrial control systems (ICS) used by energy companies or robots used in manufacturing.
Explains Danny Myburgh, Managing Director of Cyanre, The Computer Forensics Lab,
“Many companies don’t think that cyber-crime, cyber threats or industrial espionage occurs in countries where they operate, but this is not true. Our firm acts as a digital incident response partner to firms throughout South Africa on these types of cases.
“In our experience, hackers or perpetrators can go unnoticed on systems for periods of up to 200 days before their activity is detected. Security credentials compromised with spyware can take up to 28 days before they are spotted.”
Connectivity creates risk
Increasing interconnectivity of everyday devices and growing reliance on technology and real-time data at personal and corporate levels, known as the ‘Internet of Things’, creates further vulnerabilities. Some estimates suggest that a trillion devices could be connected by 2020, while it is also forecast that as many as 50 billion machines could be exchanging data daily. ICS are another area of concern as a number of these still in use today were designed before cyber security became a priority issue. An attack against an ICS could result in physical damage such as fire or explosion, as well as business interruption.
Catastrophic event
While there have already been some very large data breaches, the prospect of a catastrophic loss is becoming more likely, although exactly what it will look like is difficult to predict. Scenarios include a successful attack on the core infrastructure of the internet or a major data breach or network outage at a cloud service provider, while a major cyber-attack involving an energy or utility company could in future result in significant outage of services, physical damage or even loss of life.
Stand-alone cover
Allianz also predicts that the scope of cyber insurance must evolve to provide broader and deeper coverage, addressing business interruption and closing gaps between traditional coverage and cyber policies. While cyber exclusions in property and liability policies are likely to become commonplace, standalone cyber insurance will continue to evolve as the main source of comprehensive cover. There is growing interest among the telecommunications, retail, energy, utilities and transport sectors, as well as from financial institutions.
Education – both in terms of businesses’ understanding of exposures and underwriting knowledge – must improve if insurers are to meet growing demand. In addition, as with any other emerging risk, insurers also face challenges around pricing, untested policy wordings, modelling and risk accumulation.
Responding to cyber risk
The AGCS report highlights steps companies can take to address cyber risk. Insurance can only be part of the solution, with a comprehensive risk management approach being the foundation for cyber defence. Explains Nkosi, “Once you have purchased cyber insurance, it does not mean that you can ignore IT security. The technological, operational and insurance aspects of risk management go hand in hand.” Cyber risk management is too complex to be the preserve of a single individual or department, so AGCS recommends a ‘think-tank’ approach to tackling risk whereby different stakeholders from across the business collaborate to share knowledge.
In this way, different perspectives can be challenged and alternative scenarios considered. For example, these might include the risks posed by corporate developments such as mergers and acquisitions or by the use of cloud-based or outsourced services. In addition, cross-company involvement is essential to identify key assets at risk and, most importantly, to develop and test robust crisis response plans.