Does cyber insurance truly mitigate financial risks?
Cyber insurance has many benefits, but also some limitations that CFOs and accounting departments aren’t always aware of. Here’s how you can protect yourself more comprehensively.
The estimated impact of cybercrime on the South African economy is R2.2 billion per annum. Impersonation crimes, especially, are of huge concern. These fraud instances, where fraudsters assume the identity of a victim, increased 356% from April 2022 to April 2023.
Not only that, but South Africa had the third most cybercrime victims worldwide in 2020. In just the last few years, Dis-Chem, TransUnion, and Dimension Data were just some of the large organisations that suffered attacks or breaches. Clearly, not only CIOs and IT departments need to be vigilant about cybercrime, but also CFOs and accounting departments too.
Many organisations already have cyber insurance in place and while this can provide a safety net, it is crucial to understand its limitations and safeguard against them, says Ryan Mer, CEO of eftsure Africa, a Know Your Payee (KYP) platform provider. “While a cyber policy can certainly help you recover some losses and minimise the damage incurred, no policy will protect against every instance of cybercrime – with regard to business email compromise (BEC), notably, insurance generally does not cover compromise of the email of the third party you are dealing with (leading to manipulation of information received), therefore should the compromise happen outside of the insured’s environment (which is basically every supplier/customer/third party dealt with) leading to a loss, this is likely to not be covered.”
BEC has become rampant over the past 18 months and is now the most common reason for cyber insurance claims, says Ryan van de Coolwijk, Product Head: Cyber at iTOO Special Risks, a leading provider of Cyber Insurance. “There are a lot more incidents occurring in the SA market than is realised, many of which do not break into the media.” “Double extortions are also increasing, where hackers steal data and encrypt it, then demand money not only to release the stolen data but also to hand over decryption keys. Even in South Africa, this has caused ransoms to skyrocket to more than R100million – with tens of millions paid in some instances.”
Cybercrime insurance policies can be seen as providing cover across 3 broad spectrums, the incident response process, additional business damages and liability - up to certain values and depending on the terms of your policy. The incident response process can provide access to expert IT containment, recovery and forensic investigation services, legal guidance and regulatory representations, crisis communications to minimise reputational damage, communication, and remediation services to affected parties and cyber extortion cover which can extend to settling ransoms. The business damages can cover loss of business income, increased cost of working and theft of first-party funds. The liability component is the defence and settlement of ensuing litigation from compromised data or where a compromised environment has been used to launch downstream attacks e.g., against clients and business partners.
But they don’t cover every instance of cybercrime. For example, the Business Email Compromise (BEC) instance mentioned by Mer above as well as internal related payment fraud by employees would not be covered under a cyber policy but rather fall under a commercial crime policy, which can be very costly to have in place.
Aligned to the evolving threat landscape, insurers tend to have requirements for cover and payouts, it is, therefore, important to ensure you, at a minimum, maintain your disclosed security standards and internal controls during the policy period and keep abreast of any new requirements that may come into effect on policy renewal.
And, of course, no cyber policy can protect against reputational damage, loss of customer and partner confidence, knock-on operational impacts, and the impact on staff, says Mer. Clearly, even with a cyber policy in place, implementing preventive measures and maintaining strong security protocols should be a priority for businesses, Mer adds. “Cyber insurance policies are certainly necessary these days and, yes, they do protect against some of the potential losses. But by taking a proactive approach and working collaboratively with insurers and cybersecurity solution providers, organisations can better protect themselves from cyber risks and reduce the likelihood of falling victim to cyberattacks, while having adequate controls at the very least to back up an insurance claim, should an event still occur.”
The best defence is a comprehensive cybercrime strategy that aligns cybersecurity measures with internal controls, says Mer. “A cybercrime strategy brings together elements of your cybersecurity strategy and your financial controls. It recognises the importance of information security but also recognises the importance of robust financial controls, like segregation of duties. For example, it’s critical that staff always conduct verification controls when any payment needs to be processed. This should happen even in cases where the accounts team receives a payment request via email from one of the executives – because such emails could be the result of a BEC attack.”
Greater automation and digital controls, such as those provided by eftsure, are the best defence against human error during BEC and other attacks. “With such controls on top of your accounting processes, you can rest assured that you’re always paying a legitimate recipient. Even if a cyber-criminal is able to penetrate your executives’ email accounts and impersonate them, any suspicious outgoing payments will be flagged in real-time immediately prior to processing. This gives your accounting team time to pause and investigate the payment further before proceeding,” says Mer.
Prevention is key in the ever-evolving landscape of cybersecurity, he says. Another key thing to consider says Van de Coolwijk is that “most people are surprised at how significant the effect is on the operational abilities of a business and the time resource involved in investigating and dealing with things following a cyber-attack.” In Mer’s opinion, “it’s a good idea to have a buffer in place in the form of insurance, however prevention remains key.”