Cyber risks – an African concern?
Why have there been so few African companies buying specific cyber insurance cover?
Nigeria is one of the most technologically advanced countries in Africa; indeed, its mobile banking technology is far more advanced than most, with “Mobile Money” set to see ever-increasing use. With such technologies come increased risks of cyber crime and data theft. A Nigerian Data Protection Bill is being considered, but at present no relevant legislation is in force. The lack of any regulatory policing pressure on corporates within Nigeria to comply with data protection obligations, and the fact, therefore, that those corporates presently do not face the threat of regulatory fines and investigations, may explain the slow take-up of cyber insurance in Nigeria. The protection afforded by cyber insurance cover, however, goes far beyond the first party costs for liability arising out of breaches of privacy legislation (such as the costs of notifying all customers of the data breach, or the legal costs of defending regulatory investigations), and so it should be seriously considered as part of the overall protection afforded to a corporate entity, especially given the dramatic rise in the cyber crime exposures faced by businesses.
There has been a much better uptake from, for instance, US corporates for tailored cyber covers. This may well be due to the significant risk of third party claims arising out of data breaches and the various class actions advanced in the USA, but similar risks exist in principle in Nigeria and other African jurisdictions, certainly in terms of general duties of care owed to customers and consumers, beyond any specific legislation that may be in force.
Another anomaly is that a greater proportion of larger corporates have traditionally bought such cover, as opposed to the small to mid-sized players, even though the latter are, arguably, more at risk; not least, they have fewer resources to invest in infrastructure protection. Cyber attacks can cover a variety of criminal activities, from data and information theft, including industrial espionage, to “hacktivists” targeting a company’s website with a denial of service attack, which ultimately can affect a company’s profits and/or reputation.
There may be capacity issues in local markets, but reinsurance rates for such cover are low at the moment, so suitably priced local cyber cover should, in principle, be available. Nobody is immune – everyone from Google to governments has fallen victim to cyber attacks, and, indeed, high profile attacks are reported in the global press almost weekly. As a result, most corporates now identify cyber risk as the number one concern to their business. On the face of it, such insurance seems destined to be a key part of the portfolio of business liability covers, so why is that not currently the case?
Perhaps there is still a need for further education of businesses on this available cover – and, indeed, of the gaps in cover from their existing policies.
One thing is for certain: new cover being offered to policyholders must be fit for purpose. One concern that has arisen for some policyholders who purchased new cover is that the “retroactive” date in their policy was the same as the inception date. For those policyholders, cyber losses came to light during the period of cover, but because the first cyber attack had occurred before the retroactive date and had remained undetected, insurers denied cover on the basis that the policyholders had suffered an excluded loss.
From the policyholder’s point of view, such insurance essentially proved worthless for the first year or so. Why the retroactive date was not set back several years, and whether that was due to aggressive underwriting and/or lax broking, is unclear, but, going forward, such policies must be designed to respond appropriately when such a loss occurs. A pre-condition to cover was for IT security experts to assess the policyholders’ IT systems and controls, which they reported as good (the cyber hack and information thefts had not been picked up). The risk was assessed on that basis, yet the policyholders found themselves without cover. The retroactive date should therefore be pushed back as far as possible, especially now that hacking has become so much more sophisticated and can go undetected for a long period of time: indeed, it is very difficult to prove exactly when a system was first breached, and therefore when the insuring “event” was triggered.
Another point of note: of the minority of companies that do actually buy cyber cover, many are not buying enough cover, with limits being too low to respond realistically to the true cost of a cyber attack. Insurers need to offer higher limits, and have more defined primary and excess markets for larger businesses, to make the cover more meaningful.
To date, cyber insurance has been driven by third party privacy/data breach exposures, with an emphasis on “service” provision rather than true risk transfer – this may not have proved attractive enough for most companies to invest in. “Crisis management” services, such as access to PR specialists in the event of a data breach/regulatory investigation, may have been seen by some companies as a gimmick and as services that could be sourced directly if and when the need arises.
There has recently been a shift in emphasis, however, with the range of cyber covers now moving into insuring against first party exposures, such as business interruption losses. These newer, more expansive products, which cover genuine intangible risks, may finally provide the necessary ingredients to ensure that most corporates purchase this type of insurance, as it comes closer to representing a true risk transfer reflecting the actual financial harm that a company can suffer as a result of a cyber attack. This, coupled with pushing up the limits of cover, should ensure that cyber insurance becomes a regular and effective feature of any company’s insurance programme.
There has been conflict to date between two main schools of thought depending on what sector the policyholder belongs to: some promote new stand-alone cyber products, but others prefer extensions to existing policies. There is not necessarily a right and wrong position, and each company needs to assess its own programme to understand its specific business needs. The risk of trying to build into an existing professional lines cover, for instance, is that gaps in cover may be discovered once a loss has occurred.
What other heads of cover should be considered? It is recognised that the largest loss for a company that has suffered a data breach or an outage is not, for example, the legal costs incurred or the damages paid out to customers, but the reputational damage caused. This is particularly so in cases involving large household names, such as Sony PlayStation. One can purchase separate reputational risk insurance, but again the limits are too small to serve any meaningful purpose, especially where the quantification of such losses is yet to be properly tested.
What is perhaps of greater interest as a new head of cover is “cyber extortion” – cyber criminals have realised, for example, that by the time stolen personal customer data is sold to the end-user, there is little value left in it, so some now contact the company directly and demand a more valuable ransom, failing which the stolen data will be sold on. This is a new offering, and is yet to be tested, but it adds to the package of cyber-related covers that companies will hopefully want.
Perhaps risk managers will now finally convince their boards to add cyber cover to their programmes. IT security officers have realised that, no matter how good the technology and systems they have put in place, there is still a risk of security breaches which needs to be proactively managed; this should now make internal conversations easier, particularly in convincing boards to transfer some of that cyber risk into specialist insurance cover.
Garbhan Shanks is a solicitor at law firm Addleshaw Goddard, London, who specialises in insurance and reinsurance law, and who is also part of the Africa Focus Group: garbhan.shanks@addleshawgoddard.com