Understanding Cyber Insurance

What is Cyber Insurance?

Cyber insurance (Cyb-Ins), which is also known as cybersecurity insurance or cyber liability insurance is a type of non-life insurance, that protects organizations from the loss (mostly financial) incurred from cyber-attacks and or data breaches. It is a risk treatment option organizations adopt to protect themselves in the event of information security or cyber security incidents. Such security incidents may include business email compromise, denial of service, ransomware, data loss, theft of money, fraud, etc. Just like any other insurance product, Cyb-Ins may cover first-party and or third-party liabilities. According to ‘MarketsandMarkets’, the global Cyb-Ins market is expected to grow from approximately USD 12 billion this year to USD 29 billion in the next 5 years.

Key Stakeholders in Cyb-Ins

The cyber insurance industry is made up of several stakeholders. Key among them include the following.

Regulator: This is the state authority that monitors and supervises the operations of the Cyb-Ins companies in a particular jurisdiction. The regulator in the case of Ghana is the National Insurance Commission (NIC).

Insurer: The insurance company that offers the Cyb-Ins policy to organizations. Some of the major global Cyb-Ins companies include Allianz, American International Group (AIG), Aon, AXIS Capital, Beazley, Chubb, Fairfax Financial, Liberty Mutual, Lloyd’s of London, and Travelers. Enterprise Insurance can be cited for Ghana.

Insured: This is the organization that subscribes to the Cyb-Ins policy from the insurer. In Cyb-Ins, this primarily refers to organizations and not persons.

Agent & Broker: Serves as intermediaries between the insurer and the insured. The agent works for the insurer, whilst the broker works for the insured.

Technology Provider: Assists the insurer in building the Cyb-Ins product, provides technical advice to the insurer, and performs due diligence and assessments on behalf of the insurer. These are mainly cyber security companies.

Which organization needs Cyb-Ins?

Any organization may decide to subscribe to a Cyb-Ins policy. However, it becomes more needful or onus for organizations in the following scenarios:

  1. Organizations that have been designated as critical information infrastructure by the state
  2. Organizations that collect or process sensitive personally identifiable information such as payment card data, financial records, medical records, national ID numbers, and biometric data
  3. Organizations that are required by regulations to have Cyb-Ins in place
  4. Organizations that are required by agreements with their customers or partners to have Cyb-Ins in place

What costs may be covered or not covered under Cyb-Ins?

Depending on the type of Cyb-Ins policy (i.e first party or third party), Cyb-Ins may take care of the following associated with cyber security incidents: investigation costs, regulatory fines, legal fees, judicial fines, business interruption, payment of ransom, theft of money, notification costs, credit monitoring costs, mitigation costs, repair costs, and public relations costs.

Cyb-Ins may not take care of the following associated with cyber security incidents: reputation, decline in share price, decline in revenue, prior cyber security incidents, an incident with employee involvement, general system failure, and cost of improving cyber security.

It is extremely important for organizations to obtain clarity from their insurers on what their Cyb-Ins policies cover and do not cover. They also need to clearly read and understand the terms and definitions used in the agreement. Engaging a lawyer in this process is very prudent and cost-saving.

How much do Cyb-Ins cost?

The cost of Cyb-Ins (premium) cannot be explicitly stated, as it depends on several factors. The premium (amount to be paid to the insurer) may depend on the following: type of industry, size of business, annual organizational revenue, history of security incidents, and the results of Cyb-Ins risk assessments.

According to AdvisorSmith (2021), the average cost of Cyb-Ins in the USA is USD 1,485 per year, with premiums ranging from USD 650 to USD 2,357 for companies with moderate risks and annual revenue of USD 1 million.

Requirements for Cyb-Ins

Most Cyb-Ins companies have requirements that their prospective clients would have to meet before their application could be accepted. These requirements once met, would help the prospective client (insured) to pay a low premium. The absence of such requirements may result in the decline of the application by the insurer, or payment of a high insurance premium.

Prospective clients may be expected to have the following controls in place: multi-factor authentication, regular staff training, and awareness, effective management of third parties, encryption of data, testing of incident response plans, conducting regular vulnerability assessment and penetration testing, deployment of endpoint detection and response solutions, secure remote access to company systems, regular testing of backups, management of privileged access, patch management and management of end of life systems.

Benefits of Cyb-Ins

The benefits of Cyb-Ins include the following:

Saves cost: It helps save organizations huge sums of money in the long term. Considering the huge cost and fines associated with cyber-attacks and data breaches, Cyb-Ins will help cater to such costs.

Ensures faster recovery: It helps organizations to quickly recover from cyber security incidents. With the needed support (expertise, logistics, or financial) provided by insurers, organizations can quickly resume their operations within a tolerable period.

Provides competitive advantage: Having a Cyb-Ins policy provides an organization with a competitive advantage. Prospective clients and partners may prefer to do business with such an organization than an organization without a Cyb-Ins policy.

Helps meet requirements: It helps organizations to meet their regulatory and contractual obligations, in instances where it is required by a regulator or agreements to have a Cyb-Ins policy in place.

Helps prevent cyber-attacks: Some insurers are keen on helping their clients in preventing cyberattacks through pre-breach services. Such services may include the provision of the following: training and awareness, cyber security products and services at discounted prices, cyber security intelligence, advisory and cyber experts.

Challenges of Cyb-Ins

Despite the benefits, Cyb-Ins also has some challenges. The following are some of the challenges:

Expensive: Due to the rampant and ubiquitous nature of cyber-attacks, the premium for Cyb-Ins has become very prohibitive for some organizations.

Provides a false sense of security: The insured may have a false sense of security. Cyb-Ins is not a silver bullet to prevent and recover from cyber-attacks. The insured ought to know that they may not even get any form of support when an incident occurs. It is an onus on the insured to be proactive and not rely solely on the insurance.

Coverage limitation: No single Cyb-Ins policy would be able to cover all cyber security incidents or breaches. All Cyb-Ins policies have limitations in terms of coverage and payouts. Hence an insured may have to take care of some aspects of an incident when it falls outside the scope of the agreement.

Embolden cyber criminals: With insurers paying the ransom on behalf of the insured, this can increase the spate of ransomware attacks. Since the ransomware attackers know, they would get paid for their ransom, they will always be encouraged to ply their trade.

Intricate coverage terms: Some Cyb-Ins agreements are very complicated for easy understanding. Some need cyber security experts and lawyers to provide interpretation. It may provide dire consequences if the agreement is not gotten right ab initio.

May not get payout: Due to the preceding point and among other things, the insured may not get a payout (what the Insurer needs to pay in case of an incident) when an incident occurs. There have been instances where the insured have dragged insurers to court to demand payouts. Examples of such cases include SS&C Technologies vs AIG, Mondelez vs Zurich, and SJ Computers vs Travelers.

Author: Kaunda Ibn Ahmed (Online President) | Communications Team Member, Institute of ICT Professionals Ghana, Communications Team.

For comments, contact author kaunda@outlook.com | +233234809010.

More Articles

Translate

ICTAZ Zimbabwe

The Organization seeks to empower society to master emerging technologies as essential tools and catalysts for sustainable development and independently watch-dogging the impact of ICTs on the environment and society for the good of the people and our planet.