Insurers and brokers have their work cut out for them to ensure that cyber insurance is not relegated to the bottom of the commercial insurance shopping list, says Gareth Beaver, the chief executive: Specialist Solutions at Santam.
Insurers and reinsurers are concerned about South Africa “lagging the globe” in the uptake of cyber insurance, Gareth said.
“Our research revealed that only 26% of commercial and corporate respondents indicated they ‘used’ this type of cover,” he said.
Beaver shared his insights in Santam’s 2023 Insurance Barometer released last month. The biennial report analyses the evolving risk trends impacting South Africa. It surveyed more than 900 consumers (personal lines), businesses (commercial lines), and brokers from across the country. The findings were combined with Santam’s own claims data.
The report found that large commercial (44%) and large corporate (28%) respondents were leading the way in taking up cyber insurance.
Beaver said although many small and medium enterprises (SMEs) were aware of the risk presented by cybercrime, there was still a strong perception among business decision-makers that such risks “would never happen to them”.
Insurers and brokers share a responsibility to raise awareness of the risk cybercrime poses to all businesses and encourage greater adoption of cyber insurance, he said.
A growing number of industry stakeholders believe cybercrime will be the next potential black swan loss event for the insurance industry.
“They argue that a concerted attack on a single country could trigger a diverse set of insured and uninsured losses,” said Philippa Wild, the chief underwriting officer: Broker Solutions at Santam.
What the numbers say
With the disastrous flood that hit Durban in April 2022 still fresh in South Africans’ minds, few will deny the extreme risk that climate change holds. The Mimecast’s 2023 State of Email Security report identifies data breaches as a bigger risk than climate change, with South Africa ranking sixth on the list of countries most affected by cybercrime.
The 2022 annual email security report found that 60% of local businesses suffered damages because of a ransomware attack in the year prior, with Absa, First National Bank, Tracker, Transnet, TransUnion, and Standard Bank “named”.
Back to the 2023 figures, the report found that cyber risk affects commercial and personal lines insureds, with an estimated 52 victims per million internet users per year among individuals.
Three out of four companies participating in the Mimecast survey said they expected to be harmed by a collaboration tool-based attack in 2023.
Productivity tools such as Microsoft Teams, Google Workspace, and Slack stood out as potential targets for cyber-attacks.
The most common method of infiltration remains email phishing attacks, “which account for half of all cybercrimes”.
‘It won’t happen to me’
Thabo Twalo, head: Commercial Lines Underwriting at Santam, said there was a misconception among businesses that their antivirus or IT software vendors would shoulder some of the liability following a cybercrime incident.
“Brokers are integral to unlocking the value of cyber insurance for their clients and addressing the ‘gap’ between where businesses believe they have access to cyber protection versus what a cyber policy covers, and the extent of the value such a policy offers,” said Twalo in the report.
He added that in addition to providing risk mitigation solutions, post-event incident response was arguably the most valuable component of a cyber insurance policy, alongside reputation management and regulatory compliance.
“Not to mention the payment of hefty fines should the attack result in a data breach,” said Twalo.
Another misconception among businesses, it seems, is their presumed invulnerability to cyber-attacks.
While cybercrime (data theft and ransomware) has become more of a concern to survey respondents since the previous Insurance Barometer (48% of respondents identified cybercrime as a top risk), 82% of respondents rated the effectiveness of their existing cyber risk mitigation measures as “highly effective”.
The stats show otherwise.
According to the 2022 SHA Risk Review, one in three domestic SMEs reported being a victim of cyber-attack under the malware (30%), phishing (26%), ransomware (25%), denial of service (13%), and theft of funds (13%) categories.
The South African Banking Risk Information Centre recently reported that South African businesses collectively lose up to R2.4 billion a year to cybercrime.
“Given the significant losses, it is recommended that businesses continually review their cyber risk mitigation practices and consider taking up cyber insurance should their protective barriers fail,” said Twalo.
Earn CPD points by getting up to speed on cyber security
Moonstone Business School of Excellence (MBSE) is rolling out a series of cybersecurity courses, with content created by DataGR8, on its online CPD course platform.
The first two courses, “Understanding the Cloud” and “Cyber leadership and strategy” is available on the MBSE online platform with “SMMEs’ approach to self-assessing cybersecurity” set to follow in due course.
MBSE is a recognised CPD provider and offers programmes, including online courses, events, and publications to assist FSPs, key individuals, and representatives in gaining their required CPD hours.
Click here to choose an online CPD course that suits your needs.