Once a luxury, cyber insurance has now become an imperative. With attacks on the rise around the globe, businesses must be sure they have sufficient coverage and that it’s tailored to their needs.
When, not if. That’s how businesses in today’s world need to think about cybersecurity. After all, there are nearly 11 attacks a second globally (according to the Identity Theft Resource Center’s Annual Data Breach Report), with a recent survey by the Council for Scientific and Industrial Research (CSIR) showing that 88% of South African organisations experienced at least one cyber attack in 2023. Some 47%, meanwhile, reported that they’d experienced between one and five attacks in that time.
Successful attacks resulting in data breaches are expensive too. According to the most recent Cost of a Data Breach Report from IBM, the average data breach now costs South African companies US$ 2.78 million. As well as the cost of getting back to business and potential penalties from the information regulator, data breaches and cyber attacks can lead to long-term declines in customer trust and confidence.
Apart from other notable cyber attacks, The Interpol African Cyber Threat Assessment Report 2024, advised that the frequency of ransomware attacks was on the rise, whereby 300 cases of ransomware attempts were detected during a single week in February 2023.
A mature and resilient cyber posture is key from an operational perspective. Additionally, a cyber insurance policy that can effectively respond is more important than ever. Once seen as a luxury, it’s fast become an imperative that no company can afford to be without. But what should organisations look for in an insurance product and how can they ensure that what their insurer offers is effective?
Massive underinsurance
Before answering those questions, it’s worth providing a little more context around how big an issue cybercrime is in today’s business environment, affecting individuals, businesses, and economies. According to Cybersecurity Ventures, the global cost of cybercrime is projected to increase to nearly US$ 24 trillion by 2027, up from US$ 8.5 trillion in 2022.
Large-scale cyber events present substantial risks to the global economy. According to the World Economic Forum’s Global Risks Report 2024, nearly 40% of experts surveyed consider cyber attacks to be a paramount risk with the potential to trigger a material crisis in the near future. While many large businesses have the cyber insurance necessary to recover from an attack, far too many small and medium enterprises (SMEs) are either uninsured or underinsured and face debilitating financial risks should they be hit by an IT outage.
While figures from Sage suggest that around 64% of South African SMEs have cyber insurance, that still leaves a sizable number of businesses that don’t. If we take the OECD’s 2022 estimate of there being 2.6 million SMEs in South Africa as accurate, we’re looking at around 936 000 SMEs without cyber insurance. And that’s to say nothing of those businesses that have insurance but don’t have comprehensive enough products protecting them.
That lack of insurance can have significant impacts in the long term. Even when SMEs survive major cyber attacks, their ability to innovate and take risks might suffer as a result. And taking risks is vital to growing businesses and the economy.
The right insurer matters
A good insurer will ensure that companies feel protected and capable of taking the kind of risks required to foster innovation and growth. More importantly, perhaps, they’ll take the individual considerations of the business into consideration.
From there, the insurer should be able to tailor a policy to the business and its needs. At the very least, however, it should include third-party liability for privacy and data breaches, media liability claims, regulatory fines and penalties, and first-party losses like business interruption and cyber extortion.
When it comes to preventing financial losses, meanwhile, businesses should have the option of covering a range of risks, including financial losses, business interruption costs, recovery expenses, and other expenses like regulatory investigation coverage, crisis management expenses and third-party legal liability coverage.
Finding an insurer that offers all of those things and has a strong track record of paying out valid claims will help ensure that businesses of all sizes are properly protected in the event of a cyber attack. Given the prevalence of cyber attacks in South Africa and around the globe, that should be a priority for any business leader.
Adapting to a changed world
Ultimately, it’s important for businesses to recognise that the environments they operate in are constantly changing. Few areas of concern for businesses change faster or more dramatically than cybersecurity. The rapid advances made thanks to automation and artificial intelligence mean that everyone is now a target. As such, businesses cannot afford to see cyber insurance as anything other than a requirement for their ability to operate effectively.
