Cyber incidents including malicious acts, malware attacks, theft of data and cyber extortion are on the rise.
The difficulty with cybercrime insurance is that it doesn’t relate to a tangible asset like a property or car. You are putting protection in place for your data, and the magnitude of the risk is difficult to quantify.
For individuals, the theft of a mobile device could result in their personal information being compromised. This could lead to theft of funds via internet banking or even the defacing of a personal blog/social media account. Some criminals may try to reach out with ransom demands, while others will download your data in the blink of an eye. For a business, the risks are tenfold.
According to SHA statistics from a survey of over 200 businesses (large and small) in 2019, the number one reason cybercrime cover isn’t taken out is that so many businesses believe they have no risk exposure. But this is rarely the case.
The scariest statistics are those of denial. Almost 45% of businesses interviewed believed they were not at risk of a cyber breach, while 40% relied on free anti-virus software, and 27% still do not back up their data regularly. Interestingly, one in every five businesses interviewed had suffered a ransomware attack averaging R10 000 to R25 000 (34% of the victims ended up paying the ransom, probably as a result of no backups being available). As frightening as the numbers are, they still do not account for the business interruption or potential third-party issues that may follow a breach. Without proper cyber insurance, a worst-case scenario could very quickly become a reality.
A cyber policy blends first- and third-party coverage and claims are generally off the back of a network or privacy breach. An incident could include liability claims from third parties whose data became compromised, plus all the costs in getting up and running again. Business interruption coverage is found in a separate part of a cyber policy, with indemnity limits in line with what the policyholder chooses or can afford. There is no rule of thumb for calculating how much cover is needed, but most underwriters sub-limit the coverage and will insist that the insured has backups of their data and proper cybersecurity in place. Much like the wear and tear or maintenance terms and conditions in a home policy, you will be responsible for having measures in place to protect your data.
Internet security specialists Symantec also shared that one out of every 785 emails in South Africa is a phishing email. Not unlike traditional fishing, where one tries to hook an unsuspecting fish, cyber criminals try to convince their victims to mindlessly click on malicious links. This inevitably leads to a privacy or network breach. This is largely why an insurance policy needs to be in place. Even with the best security, user negligence can lead to substantial losses. SHA states that according to the Global Cyber Exposure Index, South Africa is ranked as the 6th most exposed country to cybercrime, so it makes sense to put in place any protection you can.
A closer look at the risks
SHA’s survey found that most data breaches resulted in up to 48 hours of business interruption on average. That time can add up to significant losses depending on the industry. While business interruption won’t impact all businesses in the same way when a cyber breach happens, in some cases having downtime for more than an hour, let alone two days, can cause massive financial losses. SHA says that 7% of businesses impacted by cyber-related business interruption suffer losses exceeding R1 million, while around 30% will experience losses in the region of R250 000. These are figures that could mean the end of your business altogether without the cover provided by appropriate insurance.
Conveyancers, attorneys and those in real estate are common targets according to SHA, due to the typically large sums of money that pass through their accounts. The risk of litigation after a breach has been sustained is high – at 54%. But it won’t just be those who understand the law who could get hit with a lawsuit; any business is at risk. Imagine a claim against you from a client whose data was accessed through your poor online security.
Some SMEs, particularly those in financial services, or those who deal with high net worth (HNW) customers, are targeted by cyber criminals because of the valuable information they store and their poor cybersecurity. They may also have disgruntled employees (another popular target for a cybercriminal to gain access). It’s a slippery slope once a data breach occurs, but fortunately you can put some protection in place before you may need it.
Finding the one
There are numerous niche cyber products available on the market, and some short-term insurers are starting to include this cover in traditional short-term policies. However, those often come with restrictions. Unless you take out a cyber-specific product, you are unlikely to enjoy the kind of cover you need.
When taking out a policy, the information you’ll need to provide includes: how frequently you back up your work and company data; your password management and the security you have in place; and your software updates, anti-virus and firewall protection. Any history of incidents will be addressed, and the nature of your business will be assessed, including where vulnerabilities may exist.
It’s essential to chat to your adviser about your cyber risks. The sooner you secure yourself as best you can, the better.
Rather be safe than sorry
Above all, you should prioritise whatever you realistically can, given your unique circumstances, to keep your business safe online.
Also keep your personal safety in mind. Cybercrime may present less physical danger than other crimes, but it can become dangerous if there are ransom demands to retrieve data. Cyber criminals are smart, and civilians should rather involve the authorities as needed, as they are experienced in dealing with criminal activity. Always be vigilant and aware of the type of cybercrimes that exist, as well as exactly what is covered by your short-term insurance policy (and what may be excluded). Chat to your adviser for guidance, or to top up on cyber cover.