Intelligent Tech Channels Issue 17 | Page 23

ENTERPRISE TECHNOLOGY
Third-party claims cover lawsuits brought by third parties where confidential personally identifiable information has been leaked or where viruses have been transferred, contractual liabilities, multimedia liability, and legal defense costs.
Due to the nature of the insurance business, the crippling effect of a denial of service attack, ransomware, and personal data breaches are the primary cyber risks facing the insurance industry in this region.
Cyber insurance helps organisations transfer their risk exposure by offsetting costs and business losses related to a potential security breach.
Clients need to understand the benefits and caveats of a cyber insurance policy. If a client fails to comply with the terms, conditions and exclusions of such a policy, the insurer may deny claims. To ensure compliance, it is important to provide accurate information during the underwriting process so that the insurance policy covers all.
If there is a data breach of any kind, it is important that a client understands the methods to guarantee a claim is covered. The client-first approach of ACE ensures brokers are fully equipped to advise a client through their cyber insurance policy in order to maximise their coverage.
One important point to bear in mind is that cyber insurance does not protect data and does not replace the security controls all companies should have in place.
A growing body of regional legislation in the Middle East demands mandatory compliance from insurance companies given the sensitivity of the data they process. For example, SAMA, a Saudi Arabian regulator, published a comprehensive Information Security framework last year and others will follow the same steps.

Antonio Dionisio, Group CIO, ACE.
Cyber Insurance is actually considered an actuarial conundrum by the actuarial community. There is no relevant historical data and the risks are evolving on a daily basis.
Pricing differs from insurer to insurer and typically is based on a combination of factors:
• Revenue
• Countries of operation
• Existing cybersecurity framework
• Third-party risk assessment
• Compliance with security practices
• Surface of exposure
• Nature and volume of information
• How information is stored
• Different coverage subscribed
• Previous losses or incidents
Landscape
A widely accepted notion is that there are only two types of companies: those that have been hacked and those that have been hacked but do not know it yet. There will never be 100% security regardless of the investments made, and so even some of the most advanced companies get hacked. The cyber security landscape is always evolving, with new threats appearing almost daily and the sophistication of the attacks increasing.
The recent evolution of increasingly stringent data privacy regulations, such as the General Data Protection Regulation, is a good example of the growing importance of the need to invest in cyber insurance. While GDPR is a European regulation, its application is global and would still affect businesses operating in the GCC. The financial penalties for breaching GDPR are severe.
The immediate indirect costs are caused by damage to reputation and brand value, which in turn hinder customer trust and investor commitment. The mid to long term effects include a loss of intellectual property, disclosure of sensitive data, and loss of customer confidence which may result in loss of market share. These losses are usually difficult to quantify but can indeed be significant.
Cybercrime has evolved into a thriving industry of its own; it no longer requires elite technical skills or hefty investments. The most common attacks have become commodities easily found on the dark web.
Back in 2015, one of the largest health insurance companies in the US faced a data breach affecting almost 80 million customers. Anthem had to pay approximately US$375 million to remediate and improve its security and settle lawsuits.
Awareness plays the most important role in the cyber-security strategy of any organisation and business leaders need to understand that cyber-security is a business issue and not an IT issue. It is a process that needs to be acknowledged and driven by company leadership boards. A strong cyber security program must begin by first educating people before proceeding with investment in technical measures and cyber insurance. The spending range for cybersecurity is approximately 10–15% of the overall IT budget, regardless of the company size.
Given the technology-driven world we live in today, people and businesses are reliant on technology more than ever and even small disruptions can have a significant impact.