As cyber risk becomes more ubiquitous, costing the globe up to R8.6 trillion a year – attacks such as NotPetya and WannaCry remind us that digital world risks are moving into the physical world with crippling business interruption, legal fees and massive damage to brands and reputation.
As a bespoke risk, cyber typically comprises purposeful intent to deliver malicious damage on systems or organisations. The omnipresent nature of cyber threats relegates it into the realm of ‘silent’ risks that are often not addressed through traditional property and casualty insurance policies – a fact only realised, very painfully, after a cyberattack and major loss occurs.
Traditional commercial insurance policies – such as property, casualty and liability – are not designed to explicitly address cyber-related losses – either by
way of express inclusion or exclusion. When an insurance policy does not affirmatively grant or exclude cyber coverage, this is termed ‘silent cyber’ – and there’s no guarantee that the insurance cover will cover any cyber-related loss.
Zamani Ngidi, a Commercial Risk Consultant at Aon South Africa says that the insurance market is moving to address the challenges of ‘silent cyber’ in insurance coverage. “Policies are being expressly written for the purposes of cyber, instead of it being an element of coverage in an existing policy. The current reality is that less than half of businesses purchase stand-alone cyber insurance coverage, which raises serious concerns about the potential for insufficient cover in the face of increasing risk,” says Ngidi.
As the industry moves to address these ‘silent cyber’ gaps and ensure proper coverage more broadly for this emerged risk, it’s important to know exactly what is covered and what is not when cyber flows into physical ramifications.
The Evolving Nature of Cyber Insurance Coverage
Among the threats businesses face from cyber-attacks are financial losses or exposure of data through social engineering or ‘phishing’ scams, physical damage to property, plant and machinery, data breaches that expose sensitive customer information and – most impactful – major business disruption.
Businesses could be burned by relying on ‘silent cyber’ coverage in their existing property and casualty portfolio, rather than seeking affirmative coverage grants for specific cyber loss or a standalone cyber insurance policy. When faced with a physical loss as a result of a cyberattack, businesses could be left without any cover if their policies have not been constructed to specifically address a breach-related loss.
In South Africa, many forms of data protection laws and regulatory standards apply. With the introduction of General Data Protection Regulation (GDPR) in Europe and the Protection of Personal Information Act (POPIA), the onus is on organisations to truly understand their information security structure and the legal risks associated with it.
“Looking at cyber-risk through a legislative lens and the quantum of punitive fines, it is quite peculiar to see insurance programmes where loss limits are less than those of other lines of more traditional insurance – especially when you consider that virtually every aspect of business is now driven by some form of technology and data. A cyberattack can literally take down an entire operation and all its subsidiaries in one foul click, yet the loss limits are nowhere near enough to cover business interruption costs, increased costs of working, legal costs and so on,” says Ngidi.
Holistically understanding cyber vulnerabilities and crafting appropriate coverage
Relying on ‘silent cyber’ coverage and hoping your policy will respond when an attack is launched is foolhardy. Businesses really need to comprehend the gap in coverage that exists between what they have and what they need and take the necessary steps to address the gaps.
“A cyber risk assessment and quantification analysis with an expert broker is an invaluable exercise in reviewing potential vulnerabilities as well as various cyber-attack scenarios, modelling the potential financial and physical impact of each tested instance, and putting recovery plans in place to address each scenario,” Ngid adds. “It needs to be undertaken in conjunction with a review of existing insurance coverages to highlight vulnerabilities, gaps in cover and the financial implications thereof. The result needs to be a thorough and comprehensive approach that addresses the digital and physical risks that a business faces as part of a holistic risk management programme.”
He explains that recognising there is no one-size-fits-all approach to cyber risk, businesses, insurers and brokers will continue to evolve how they think about cyber risk, creating effective coverage solutions against this rapidly evolving and malevolent risk. “In today’s hyper-connected world, there is virtually no business that is not reliant on technology to generate its bottom and top lines – risk management and insurance needs to evolve rapidly to mitigate the threats posed by ‘silent cyber’”, he concludes.