Cyber insurance in Nigeria: Risk hedging in an increasing threat landscape
Cyber attacks are getting more complex, frequent and expensive. According to the Global Risk Report 2019, cyber attacks ranked 4th on the global risk landscape. A data breach could result in revenue loss, operational disruption, loss of trust and reputation, a drop in share price, loss of investment opportunities, litigation, fines and sanctions, and, in extreme cases, a shutdown of the business. According to Serianu’s 2017 Cybersecurity Report, Nigeria lost $649 million to cyber attacks. According to Hiscox, cyber attacks cost organisations about $200,000 on average. The NotPetya attack, for example, cost pharmaceutical giant Merck $870,000,000 and Danish shipping company Maersk $300,000,000. These figures underscore the impact of cyber attacks on an organisation or a country as a whole.
Growing global privacy and security legal obligations are increasing compliance requirements for organisations. Similarly, the persistence and spread of attacks affect small, medium and large organisations alike. The Verizon Data Breach Investigation Report 2019 indicates that about 43% of online attacks are aimed at small businesses. The increasing cost of cybersecurity has created a growing need for cyber insurance to limit a company's exposure and liabilities. Christine Marciano, President, Cyber Data Risk Managers, rightly noted that “the cyber threats of today are the insurance claims of tomorrow.” Consequently, beyond compliance obligations, organisations are considering insurance as part of their risk management strategy.
Understanding Cyber insurance
A cyber insurance policy, “also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event.” Cyber insurance is fast becoming an integral part of survival for organisations. According to PwC, the cost of premiums is predicted to be $7.5 billion by 2020.
Legal framework in Nigeria
Cyber insurance is still a nascent phenomenon in Nigeria. A quick search of the product offerings of top insurance companies in the country did not find it listed as a product, though we found a number of insurance companies offering “electronic equipment” and “computer and electronic equipment” policies; the scope of these policies covers electronic data processing and data loss, amongst other things.
Cyber insurance is not mentioned in the Insurance Act 2003 (the “Act”), but on a close reading the law does not expressly prohibit the creation of such a policy. Section 2(5) of the Act provides that an insurer “may be authorised to transact any new category of miscellaneous insurance business…” Section 16 of the Act similarly provides a framework for the approval of new products. In addition, the Central Bank of Nigeria Risk Based Cybersecurity Framework provides that cyber-insurance coverage should be considered as part of the security assurance program for Payment Service Providers.
Scope of insurance cover
A cyber insurance policy characteristically covers expenses related to first- and third-party claims. The cover includes the cost of the breach, infringement of data protection and privacy laws, and the cost of recovery. When there is a claim, the insurance company is expected to indemnify the assured for the cost of forensic investigation; computer and data restoration; business interruption; public relations; notification of victims of the breach; electronic theft and fraud protection; and cyber extortion. In the event that a third party suffers from the loss occasioned to the assured, the insurance company will be expected to indemnify the third party in accordance with the terms of the insurance policy.
- Low reporting rate – The risk landscape keeps evolving, and organisations are inclined to under-report the full impact of breaches in order to avoid adverse publicity and loss of customers’ trust. In Nigeria, despite the obligation to report an attack under different laws, the level of reporting is low. The absence of accurate data reflecting the extent of data breaches makes it hard to ascertain the financial loss precisely, which by extension makes it harder for the insurer to gain incisive insight.
- Difficulty in identifying skilled practitioners – According to Serianu’s 2016 Africa Cyber Security Report, the skill gap in Nigeria is low compared to our population. However, some professionals differ and opine that a lack of opportunities for practitioners is the actual problem, rather than an absence of competence. According to Nurudeen Odeshina, a privacy and cybersecurity manager, “I do not think there is lack of experts, but dearth in the identification of experienced security experts.” In today’s online age, the number of threats to businesses and their customers increases every day, and the awareness of and ability to combat these threats are still very low. For cyber insurance to thrive, the knowledge gap and the ability to unearth talent in the industry have to be addressed.
- Regulatory – The insurance regulatory body, NAICOM, poses a major threat to the advent of cyber insurance. The body is conservative and hence a bit careful with the adoption of new insurance products. NAICOM, as regulator, must take steps to develop a framework for cyber insurance conduct and supervision that is comparable across multiple jurisdictions.
- Proper risk profiling – The Risk Profile Assessment (RPA) is a tool that calculates the inherent risk of an organisation based on the answers to a series of multiple-choice questions. This is an essential activity that must be properly executed before any cyber insurance policy can be issued. The major challenge here relates to the lack of skilled personnel to carry out a proper risk profile exercise.
Factors to consider before taking out a cyber insurance policy
Any organisation that processes personal data and holds other valuable corporate digital assets, or uses the cloud, should consider adding cyber insurance to its budget. The proliferation of devices that can connect to business networks expands the threat landscape for malicious attacks on an organisation. “As with any other sort of insurance, the cost of a cyber insurance policy will depend on a number of factors—industry type, size of business, annual revenue, and estimated risk level, among other things.” An adequate policy will help organisations survive the storm more effectively.
It is important for an organisation to assess its risk exposure by creating a risk profile. The risk profile helps to create a list of expenses the organisation desires to cover in the event of a breach. The organisation can then make projections for third-party costs. Such an organisation must have cybersecurity best practices in place to protect against attack. “An insurer might request an audit of an organization’s processes and governance as a condition of coverage.”
The insured should be wary of policies that are vague and unreasonable, and mindful of exclusions. The decision to take a policy should involve the cybersecurity, IT and legal departments and the board. Regarding costs, cyber insurance coverage and premiums are based on an organisation’s industry, type of services provided, data risks and exposures, security posture, policies and annual gross revenue. Organisations have to decide whether they need insurance relative to their risk exposure, and whether the scope of the cover they are buying addresses their risk.
Cyber insurance is still a burgeoning product in the Nigerian market, but as the threat landscape expands, it will emerge as part of a wider business survival strategy. Cyber insurance is not a replacement for implementing the appropriate level of privacy and security required by a business. Organisations will continuously need to put in place processes and technology to limit risk and also train their staff to maintain best practice. Cyber insurance, at best, forms part of a risk management strategy and is not a replacement for good privacy and security practice. Above all, insurance companies must remain flexible and should continue to review their products and consider new offerings.
Ibrahim Tijani is a cybersecurity analyst with experience in the Insurance industry.
Ridwan Oloyede is the Partner (Privacy, Data Protection & Legal Services) at Tech Hive Advisory.