In the face of mounting losses from cyberattacks, cyber insurance – already the fastest-growing sub-sector of the global insurance market – is expected to grow two-and-a-half fold in the next four years.
S&P Global Ratings recently reported that global cyber insurance premiums reached about $12 billion in 2022, and in S&P Global Ratings’ view, were likely to increase by an average of 25% to 30% a year to about $23bn by 2025. According to a leading global provider of reinsurance, Munich Re, cyber insurance premiums are expected to reach about $33bn by 2027.
Ryan van de Coolwijk, the head of cyber insurance at iTOO Special Risks, notes significant growth in South African companies adopting cyber insurance. He ascribes this rise to increased awareness of cyber risks, accentuated by real-life examples illustrating the potential dangers to businesses.
“Larger companies were generally earlier adopters of the cover, in part aligned to how we as underwriters were approaching the market, but we are seeing an increasing number of local small and medium enterprises (SMEs) also purchasing. We believe that this trend will continue for the foreseeable future,” he says.
The scope of cyber-attacks
According to Munich Re, losses from cyber-attacks are estimated to triple to $24 trillion by 2027 compared to the 2022 baseline. Bringing these stats closer to home, Interpol’s 2022 Africa Cyberthreat Assessment Report found that South Africa leads the continent in the number of cybersecurity threats identified. Global professional services company Accenture identified that South Africa has the third highest number of cybercrime victims worldwide, at a cost of R2.2bn a year.
According to the latest Specialist Risk Review conducted by liability insurer SHA Risk Specialists, the past two years have seen a third of South African small businesses fall victim to a cyber-attack. Of these attacks, 30% were attributed to the installation of malware, while 26% were reported as phishing attempts.
Bongani Nxumalo, digital distribution specialist at SHA Risk Specialists, says 69% of the cyber-attacks aimed at South African businesses result in a full shutdown of operations as businesses are forced to go offline for more than 24 hours.
“Almost two-thirds of the respondents to the SHA Risk Review also claimed to have been severely financially impacted by such attacks, with 34% of respondents reporting that they had fallen victim to an email scam.”
Van de Coolwijk says that at iTOO, the biggest drivers of claims are business email compromise and cyber extortion attacks, with the latter being more costly to recover from.
Ransomware has evolved into cyber extortion, where hackers compromise and steal a company’s data, demanding payment to prevent data publication and for decryption keys. This change has led to significantly higher ransoms and increased pressure on businesses.
He says finding your systems encrypted and having to face the prospect of downtime while rebuilding or possibly losing data can be detrimental to a business.
“But then, worse than this, is being held to ransom not to have the stolen, sensitive information published and the impact this could have on your clients, employees, partners as well as reputational damage. This can have a major impact on the sustainability of the business.”
Uptake of cyber cover in South Africa
Nowadays, almost every company has a level of dependency on their systems and data. IT has become pervasive throughout most industries.
“As a result, virtually every company should be considering cyber coverage. Those that have a high degree of operational dependence on their systems and have larger data sets are more strongly advised to consider cyber cover,” Van de Coolwijk says.
Despite the prevalence of cybercrime, Santam’s 2023 Insurance Barometer found that only 26% of commercial and corporate respondents indicated they used this type of cover.
The report found that large commercial (44%) and large corporate (28%) respondents were leading the way in taking up cyber insurance. Although SMEs were aware of the risk presented by cybercrime, there was still a strong perception among business decision-makers that such risks “would never happen to them”.
Read: Cyber insurance: ‘brokers have their work cut out for them’
Van de Coolwijk says they tend to see varying levels of awareness to the risks of cybercrime, its impact, and the approach to managing it.
“There are some South African companies that are very aware and doing all they can to protect themselves. On the whole, I think the awareness is improving. We still have some way to go but are definitely heading the right direction.”
He adds, however, that companies face a challenge in the current economic climate, where scarce resources make it difficult to invest heavily in the latest cybersecurity solutions.
“Thankfully, getting some basics which need not cost a fortune can have a major impact on reducing the likelihood of suffering an incident and improving their ability to recover (resiliency),” he says.
Mitigating cyber risks
As is the case with home insurance, cyber insurance does generally come with a set of security requirements with which the insured must comply for claims to be paid out. Van de Coolwijk says this, however, should be seen as a tick list of items that can help reduce the likelihood and associated severity of a cyber incident.
“A key focus has been on ensuring these are not too onerous. Insurance should not be seen as a replacement to cyber security controls but be part of a combined front, while ensuring that the cover is affordable,” he says.
Nxumalo adds that once such a policy is in place, it is important for business owners to collaborate with their insurance advisers and brokers to gain a full understanding of their responsibilities in mitigating the related cyber risks.
“Insurers and clients need to work hand in hand to ensure that the effective measures are in place from a risk management perspective.”
According to Nxumalo, the most exploitable vulnerabilities are found in human error within business operations. Untrained and unvigilant employees are often the weakest link in the cyber security ecosystem.
“For this reason, an airtight cyber security policy must begin with awareness and an extensive educational drive to demonstrate the role of employees in protecting sensitive information and data assets.”
The basics of good cyber practice also include conducting regular backups and installing the necessary security patches on operating software and other applications.
“Attention should also be given to reputable anti-virus software, data encryption, firewalls, and automatic alert systems. Small businesses can also benefit immensely from partnering with an IT specialist or cybersecurity consultant to fill any knowledge gaps and keep abreast of the latest developments in the cyber risk landscape,” advises Nxumalo.
Earn CPD points by getting up to speed on cyber security
Moonstone Business School of Excellence (MBSE) is rolling out a series of cybersecurity courses, with content created by DataGR8, on its online CPD course platform.
The first two courses, “Understanding the Cloud” and “Cyber leadership and strategy” is available on the MBSE online platform with “SMMEs’ approach to self-assessing cybersecurity” set to follow in due course.
MBSE is a recognised CPD provider and offers programmes, including online courses, events, and publications to assist FSPs, key individuals, and representatives in gaining their required CPD hours.
Click here to choose an online CPD course that suits your needs.