Organisations are increasingly dependent on technology to run their businesses. With this reliance however comes a potential threat serious enough to cause an organisation severe reputational and financial harm. Known as cybercrime, this threat involves illegal activities using computer systems, networks and the internet.
The global surge of cybercrime and the risks involved
In 2014 Sony Pictures Entertainment was hacked causing the release of confidential data into the public sphere. As a result of the leak, Sony had to cancel the release of its film “The Interview”. Sony also set aside USD$15 million to deal with ongoing damages from the breach. While such an occurrence may seem far removed from us, South Africa is in fact one of the foremost countries targeted for cybercrimes. According to PWC’s Global Economic Crime Survey of 2016 cybercrime was ranked as the second most reported crime internationally and ranked in fourth place in South Africa. In 2014 the Centre for Strategic and International Studies estimated that South Africa loses 0.14% of its GDP to cybercrime activities, amounting to around R5.7 billion annually.
When an organisation falls victim to cybercrime it’s exposed to a multitude of risks which Santam Limited identified as including loss of revenue, loss of data, loss of competitive advantage, industry and regulatory fines and penalties and fraud.
A standard property policy may not provide cover for these risks and in order to protect an organisation from cybercrime a comprehensive cybercrime insurance policy is required.
Inadequate cover by standard insurance policies
Aon South Africa (Pty) Ltd has identified the following gaps in standard insurance policies that could prevent organisations from claiming under their insurance policies:
- General liability and property policies cover risks that damage physical assets. Since cybercrime is a relatively new risk, the loss covered under conventional property policies do not extend to incorporeal assets nor losses caused by non-physical perils such as viruses or hackers.
- Professional indemnity policies cover damage resulting from a failure of the defined professional services and may not extend to losses resulting from data and privacy breaches.
- Crime policies generally cover money, securities and tangible property with no coverage for third party property such as customer data.
The challenges of providing cybercrime insurance
Taking out cybercrime insurance is an increasing trend in South Africa. In 2014, Santam reported an increase of over 3000% in quote requests. Specialised cybercrime insurance typically provides for first party insurance and third party insurance. First party insurance provides cover for the insurance holder and third party insurance provides cover for losses suffered by another organisation or individual due to a security breach.
Relative to other established risks, providing cover for cybercrime can be challenging for the insurer and Jain and Kalyaman of the management consulting company Capgemini identified the following challenges in providing cybercrime insurance:
- When conducting risk assessments an insurer will be required to predict the probability of cybercrime occurring in an organisation to be insured and determine its business impact. Cyber-attacks can lead to an array of business consequences and it may be difficult to quantify the financial impact.
- Since cybercrime is a relatively new concept in the insurance industry insurance firms still have to develop standard methodologies and financial models to determine the appropriate price to cover cybercrime risks.
- The lack of historical data poses a problem to insurance firms when deciding the rate of an insurance policy and whether to underwrite the risk in the first place.
- The lack of standard legal definitions of cyber liability across the world also impacts the insurance of cyber risks. A country’s laws are restricted by its geographical limits. This limit can create difficulties when determining which country’s laws are applicable when a cross-border cyber-attack occurs.
Electronic data and information is one of the most important assets in an organisation. Despite its importance PWC notes that most organisations in South Africa are still not adequately prepared or understand the risks inherent in cybercrime, with only 35% of organisations having a cybercrime incident response plan. It is therefore imperative that organisations obtain specialised and comprehensive cybercrime insurance to protect them in the event of a cyber-attack. In this regard, as cybercrime is a relatively new concept in the insurance industry, insurers will need to combine their knowledge of insurance and technology to ensure that they provide adequate cover.