A data breach can damage more than just a small business's computer system. It can also damage a company’s reputation and put customers and employees at risk. That is why cyber insurance can be a smart precaution for a business of any size.
Technology, social media and transactions over the internet play key roles in how most organisations conduct business and reach out to prospective customers today. Those vehicles also serve as gateways to cyberattacks.
Whether launched by run-of-the-mill hackers, criminals, insiders or even nation states, cyberattacks are likely to occur and can cause moderate to severe losses for organisations, large and small. As part of a risk management plan, organizations routinely must decide which risks to avoid, accept, control or transfer. Transferring risk is where cyber insurance comes into play.
Cyber insurance is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. It generally covers a business’ liability for a data breach involving sensitive customer information such as Social Security numbers, credit card numbers, account numbers, driver’s license numbers and health records.
On January 26, 2017, Ghana’s Parliament adopted a Cyber Security Policy and Strategy. The policy seeks to build upon and harmonise previous policies that touched briefly on cyber security such as the Information Communications and Technology for Accelerated Development (ICT4AD) of 2003 and the Electronic Transaction Act (Act 772) of 2008.
The Bank of Ghana on March 21, 2018, organised a summit for all banks which aimed to exercise firm oversight of the payment system, monitor risks associated with digital innovation, and develop appropriate regulatory responses without stifling innovation. The Central Bank has prepared banking sector Cyber and Information Security guidelines which banks have to use to protect consumers and create a safer environment for online and e-payments products.
However, financial institutions are required to publish bank-specific cyber security policies in line with the provisions in the Payment Systems and Services Bill which is expected to be passed by the Parliament of Ghana. The financial institutions are also required to implement an integrated approach by adopting enterprise-wide frameworks of cyber risk management in line with business objectives.
MAKING THE BUSINESS CASE FOR CYBER INSURANCE
The risks associated with the digitisation of transactions and data exchange are a threat to the due progress of financial institutions. Attacks against businesses are on the rise. Small businesses tend to think they are safely tucked away from exposure, but Symantec Corporation, an American software company, found that over 30% of phishing attacks in 2015 were launched against organizations with fewer than 250 employees. Symantec’s 2016 Internet Security Threat Report indicated that 43% of all attacks in 2015 were targeted at small businesses.
On a larger scale, the Centre for Strategic and International Studies in 2014 estimated that the annual cost of cybercrime to the global economy was between USD375 billion and USD575 billion. Although sources differ, the average cost of a data breach incident to large companies is over USD3 million. Each organization has to decide whether it can risk that amount of money, or whether cyber insurance is necessary to defray the costs that may occur.
The example of Equifax, an American credit agency, is clear testament to the scale of the phenomenon. The company, which compiles and processes personal data of customers applying for loans, was the victim of a cyber-attack that lasted more than two months. Confidential data of more than 147 million customers was hacked, that is, nearly half the American population.
Several other acts of large-scale cyber criminality, including ransomware, have been reported everywhere around the world, which makes cyber insurance underwriting indispensable in the all-out digital era.
In June 2018, Caisse Primaire d’Assurance Maladie (CPAM) warned its policyholders in France against fraudulent emails. The company published an alert on its website, warning its clients against false emails sent to them. Hackers duplicated the graphics of emails from the Caisse and sent them en masse to policyholders in order to extract money from them. Policyholders were advised to be extra vigilant to avoid falling victim to those hackers.
EFFECTS OF CYBER-ATTACKS
Cyber-attacks often result in substantial financial losses arising from theft of corporate information, theft of financial information (e.g. bank details or payment card details), theft of money, disruption to trading (e.g. inability to carry out transactions online), and loss of business or contracts. Businesses that suffer a cyber-breach will also generally incur costs associated with repairing affected systems, networks and devices.
Trust is an essential element of the customer relationship. Cyber attacks can damage a business’ reputation and erode the trust customers have in that business. This, in turn, could potentially lead to loss of customers, loss of sales, and reduction in profits. Reputational damage can even affect suppliers, or the relationships the business has with its partners, investors and other third parties vested in the business.
Data protection and privacy laws require businesses to manage the security of all personal data they keep, whether on staff, customers, suppliers, or other business partners. If this data is accidentally or deliberately compromised, and appropriate security measures have not been deployed, that organisation is likely to face fines and regulatory sanctions.
BENEFITS OF CYBER INSURANCE
The most effective strategy to mitigate and minimise the effects of a cyber attack is to build a solid foundation upon which to grow a cyber security technology stack. Most notably, but not exclusively, cyber and privacy policies cover a business’ liability for a data breach in which the personal information of the firm’s customers, such as Social Security or credit card numbers, is exposed or stolen by a hacker or other criminals who have gained access to the firm’s electronic network. A cyber insurance policy covers a variety of expenses associated with data breaches including notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft.
Threats against cyber security will remain prominent as internet penetration grows and smart devices proliferate. Ideally, this policy will stimulate interest in the business side of digital technology in Ghana and attenuate risks for any company seeking to enter the market. It will also create opportunities for companies to partner with the various implementing agencies, particularly when it comes to data collection and collation as this is one of the major gaps in the digital technology sphere in Ghana.
Unfortunately, local insurers are yet to consider cyber insurance due to low capacity to cover the risk. Insurance companies in Ghana can work in collaboration with banks, telecommunication networks, IT companies, and other companies that use data for their daily operations, and grant cyber insurance cover for them. Local insurers can also collaborate with foreign insurers and reinsurers to provide the support needed to underwrite the cover in Ghana.
Writer: Gideon Sarfo
Email Address: email@example.com
Place of work: Tri-Star Insurance Services Gh. Ltd.