With the notable rise in cyber attacks recently, it should be relatively easy to sell a cyber insurance policy to a client. So why are clients seemingly still so hesitant to purchase cyber insurance? The answer might come down to a few factors, including pricing, not fully understanding the coverage, or simply not feeling that they are at risk!
So how can you, as a broker, help clients to understand the need for, and importance of, purchasing cyber insurance? Here are a few discussion points which we think might help in encouraging clients to seriously consider purchasing cyber cover:
The size of your business does not make you immune from cyber attacks
Smaller businesses might feel that they are immune to a cyber attack, purely because of the size of their business. ‘Why would hackers target me?’ could be a question that they might raise in defence of not purchasing cyber insurance.
The truth is that there is not a direct correlation between the size of the insured and the quantum of a potential claim. According to the NetDiligence Cyber Claims Study 2021 Report, the most expensive cyber attack in the five-year period used for the report was actually suffered by an SME.
A hacker looking to target a business may find that the SME is a far more appealing target on account of less sophisticated controls being in place.
Data in the cloud is still data
One of the most common pieces of feedback we receive from clients is that they actually do not store any data which could be compromised in the event of a breach, because that data is stored in the cloud.
The Protection of Personal Information Act 4 of 2013 (“POPIA”) does recognise both the role of the Operator (which would be the cloud service provider) as well as the Responsible Party (which would be the insured). While the Operator will process/store the information on behalf of the Responsible Party, ultimately the responsibility will still lie with the Responsible Party who authorised the Operator to process/store that information.
An insured making use of a cloud-based service provider may thus certainly still be subject to regulatory fines under POPIA and will need to ensure that they nevertheless have all information and data management controls in place.
Cloud-based service providers do not guarantee no downtime
The use of a cloud-based service provider increases a company’s productivity as data can be easily accessed with any internet connection. There are also additional security benefits such as encryption and multi-factor authentication (MFA) which are expensive controls for SMEs to implement. However, cloud-based service providers do experience downtime and are not impenetrable. According to Howarth (2022), 98% of organisations experienced cloud data breaches between May 2021 and November 2022, with a common security concern being data leakage/loss. According to Uptime Institute’s 2021 Annual Outage Analysis, 74% of cloud-based platforms experienced a form of downtime, although only three in ten outages had a significant impact on business productivity.
While a client needs to be careful in choosing the appropriate cloud-based service provider to use for their business and to ensure that their data is being adequately secured, a cyber policy will provide further assurance that should an incident occur, the client has protection against the loss. The Camargue policy does provide automatic cover for third party service providers, at no additional premium.
Cyber insurance covers a wide range of costs associated with a potential cyber attack
A client who chooses not to purchase cyber insurance might feel that the cost of the policy is just not worth it. Perhaps they are not concerned about POPIA fines or a ransomware attack and feel that they could shoulder that cost themselves, or they just don’t understand how broad the actual cover is.
The following is a simple example which could be used to illustrate the benefit of a cyber insurance policy:
Company A, an uninsured hotel, is hacked. The hackers demand R5,000,000 in Bitcoin as a ransom amount. As a result of the hack, Company A’s systems are offline and they are unable to check guests in, take reservations or allow guests to make credit card payments.
If Company A had purchased an insurance policy, the loss of their net profits would have been covered thereunder.
The hackers advise Company A that if they do not pay the ransom, they will start releasing the private information of all guests who have stayed at Company A over the past 5 years, including credit card details.
Company A chooses not to appoint a forensic investigator but rather to pay the ransom amount immediately so that they can resume operations as soon as possible. Unfortunately, it turns out that Company A was not dealing with the most ethical hackers, and the hackers disappear with the ransom amount, without providing the decryption code and, to top it off, leak all of their data! Company A now faces a R10,000,000 fine under POPIA.
Had Company A taken out a cyber insurance policy, a forensic investigator would have been appointed and negotiated with the hackers, determining whether paying the ransom was, in fact, the best course of action. If they advised that the ransom should be paid, then this would have been reimbursed by the policy. In addition, if data had still been leaked, the policy would have responded in respect of the notification expenses incurred to inform all affected data subjects. Lastly, fines in terms of privacy regulations (which are insurable by law) would have been paid out by the policy.
It is clear that this attack would be absolutely detrimental to Company A and potentially lead to them closing their doors. Taking out a cyber insurance policy could mean the difference between a company being able to continue operating after a cyber attack, and not.
Insurance can benefit you even before something goes wrong
While many clients still see insurance as a grudge purchase which will only benefit them should they suffer an incident, there are in fact a number of useful risk management services available to clients, from which they can derive huge benefit and which they can use to hopefully even prevent an incident from occurring at all.
Clients with a Camargue cyber policy will have access to the Brit Data Safe Portal, which has a whole host of useful resources available to clients. In addition to the knowledge centre and regular news and alerts, there is also phishing simulation, online training, and unlimited advice available to clients on matters such as cyber security, compliance issues, and technical questions.
The Cyber Vulnerability Scan (“CVS”) is another risk management service which is available to all Camargue policy holders. A vulnerability scan is an inspection of the potential weaknesses in the security of a computer network. This allows the client to remedy the flaws before they are discovered by someone else who might attempt to break in. Think of the CVS as checking your locks, alarm, and motion detectors at your home or office. Computer network vulnerabilities arise from inestimable sources, which are constantly changing, such as errors in software programming, utilising outdated software or hardware, poorly configured firewalls, and lack of, or weak, passwords.
For more information on our cyber policy or risk management services for existing policyholders, please contact us at cybercrime@camargueum.co.za