The first step in combatting cybercrime is to realise that many of the criminal syndicates involved in this space are run like de facto businesses; they operate from offices with large staff complements, all working long shifts to meet targets. This cold truth was shared in the first part of a double-header presentation on cybersecurity, held at Insure Talk 46, a virtual insurance seminar.
Cybercrime affects us all
Two presenters set out to educate an audience of local insurance and insurance broking professionals on cybercrime and its impact on small, medium and micro-enterprises (SMMEs). First up was Macleod Burrill, CEO of Cyber Safe Consultants. He warned the audience of the growing universe of bad actors hell-bent on exploiting information technology (IT) security vulnerabilities to compromise access credentials and data, usually to extract some form of financial gain. “These guys operate worldwide, and no company or individual is exempt; if they find a way in, they will exploit you,” he said.
The expert singled out a lack of cybersecurity knowledge and skill as among the major constraints in combatting this type of crime, but there are plenty of other challenges. “There is a lack of context with regard to IT security incidents and a lack of agility in identifying and addressing breaches when they happen,” Burrill said. He warned about the ‘install and forget’ approach that many firms took when installing firewalls and anti-virus software. Finally, he commented on the “prohibitive costs associated with specialist security services and solutions.” It is a typical catch-22; you cannot afford security, nor can you afford the consequences of a security compromise.
There are countless reports documenting instances of cybercrime and the staggering financial consequences of the same. For example, in 2023, there was a notable increase in cyberattacks, resulting in more than 343 million victims worldwide. And in 2022, around 236.1 million ransomware attacks took place. “Up to 93% of data breaches are motivated by financial gain, [and] 46% of all cyber breaches occur in companies with fewer than 1 000 employees,” Burrill said. “By 2025, it is estimated that 60% of organisations will use cybersecurity risk as a key factor in determining transactions and business engagements with third parties.”
Staggering impact, running to trillions of dollars
It escalates from there, with cybercrime predicted to cost the world USD9.5 trillion in 2024. Nobody is immune. Over the past few years, the South African media has reported on data breaches at a long list of household brands including Liberty Group, Life Healthcare Group, Momentum Metropolitan Holdings, PPS, Stefanutti Stocks, and TransUnion, to name a few. “These are large organisations that spend millions on cybersecurity skills, solutions and personnel each year; and they are still breached,” Burrill said.
In contrast, SMMEs have small cybersecurity budgets and employ generalist IT people rather than cyber specialists. This, coupled with a reliance on free anti-virus software and limited cybercrime awareness, makes them even more prone to cyberattacks. The risk to domestic insurance brokers is significant too, as illustrated in this ‘what if’ scenario. Imagine you are a small broker providing solutions to various commercial insurance clients. During renewal negotiations, an attacker spoofs your email address and sends your client a notice that your banking details have changed, so the client’s renewal deposits are paid into the attacker’s account instead of yours. The potential financial and reputational damage is immense.
The presenter contended that cybersecurity was non-negotiable in a Protection of Personal Information (POPI) Act world, citing a recent R5 million fine handed down by the Information Regulator to the Department of Justice and Constitutional Development. Against the triple threat of business interruption, regulatory enforcement and reputational damage, the audience was encouraged to take the necessary steps to mitigate risk, beginning with employee education. “You are only as strong as your human firewall; there are multiple avenues that you can pursue to test your staff and educate them about these issues,” Burrill said.
Some fundamental cyber insurance covers
Sarel Lamprecht, MD of Phishield Underwriting Management Agency, furthered the cybersecurity discussion by considering the impact of a data breach on a firm. “Cyber is an ever-growing risk,” he said. “Luckily, there have been decent strides made in combatting cyber risk through cybersecurity and insurance solutions.” He observed that the typical commercial insurance policy should offer a mix of education, risk assessment, risk mitigation tools and services, and, of course, insurance benefits. He further held that a holistic approach to underwriting cyber risk should span the core cybersecurity functions of identify, protect, detect, respond and recover.
The presenter said that a cyber insurance policy covered the insured against first-party losses due to business interruption (BI), data restoration costs, cyber extortion costs and computer crime, alongside third-party losses such as third-party claims, multimedia liability and regulatory expenses and penalties. Most policies also provide for emergency response costs, proactive mitigation and monitoring tools, and a reactive resolution centre. These covers were further explained in the context of the rising frequency and severity of data breach events, supported by figures from global IT giant IBM.
Data breach lifecycle: identification to containment
According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach, measured globally, stood at US$4.88 million. The average cost is slightly lower in South Africa, at around $2.8 million, or just short of R50 million per breach, though there is quite a variance across economic sectors. Lamprecht then explained the life cycle of data breaches under two headings: the mean time to identify a breach (MTTI), and the mean time it takes to contain a breach (MTTC).
“The longer the life cycle of a breach, the more costly the breach is,” he said, before welcoming the slight improvement in this measure over the latest year. Swifter data breach resolution was attributed to the global adoption of best practice risk exposure reduction techniques. Firms find out about data breaches via one of three channels: first, by their own security teams and tools; second, by disclosure through a benign third party; and finally, through a disclosure from the attacker or threat actor. The costliest remediation stems from an attacker-notified breach.
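The two lifecycle measures above are straightforward to track for your own incident register, and splitting them by discovery channel shows whether attacker-notified breaches really do run longer in your environment. The script below is an added illustration and is not code from the presentation or from IBM. It assumes the usual convention that MTTI is measured from first compromise to identification and MTTC from identification to containment (so the full lifecycle is their sum), and the four incident records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

DAY = timedelta(days=1)

# The three discovery channels described in the presentation.
CHANNELS = ("internal", "third_party", "attacker")


@dataclass(frozen=True)
class Incident:
    """One breach record; all timestamps here are constructed for illustration."""
    name: str
    discovered_by: str          # one of CHANNELS
    first_compromise: datetime  # earliest evidence of attacker activity
    identified: datetime        # when the firm learned of the breach
    contained: datetime         # when attacker access was shut off

    def __post_init__(self) -> None:
        # Reject records that would silently produce negative durations.
        if self.discovered_by not in CHANNELS:
            raise ValueError(f"{self.name}: unknown channel {self.discovered_by!r}")
        if not self.first_compromise <= self.identified <= self.contained:
            raise ValueError(f"{self.name}: timestamps are out of order")

    def time_to_identify(self) -> float:
        """Days from first compromise to identification (feeds MTTI)."""
        return (self.identified - self.first_compromise) / DAY

    def time_to_contain(self) -> float:
        """Days from identification to containment (feeds MTTC)."""
        return (self.contained - self.identified) / DAY

    def lifecycle(self) -> float:
        """Total breach lifecycle in days: identify plus contain."""
        return self.time_to_identify() + self.time_to_contain()


def lifecycle_metrics(incidents) -> dict:
    """Return MTTI, MTTC and mean lifecycle, overall and per discovery channel."""
    def summarise(group):
        return {
            "count": len(group),
            "mtti_days": mean(i.time_to_identify() for i in group),
            "mttc_days": mean(i.time_to_contain() for i in group),
            "lifecycle_days": mean(i.lifecycle() for i in group),
        }

    incidents = list(incidents)
    if not incidents:
        raise ValueError("no incidents to summarise")
    result = {"overall": summarise(incidents), "by_channel": {}}
    for channel in CHANNELS:
        group = [i for i in incidents if i.discovered_by == channel]
        if group:  # skip channels with no incidents rather than averaging nothing
            result["by_channel"][channel] = summarise(group)
    return result


# Constructed sample register (hypothetical incidents, not real breaches).
SAMPLE_INCIDENTS = [
    Incident("inc-1", "internal", datetime(2024, 1, 1), datetime(2024, 1, 11), datetime(2024, 1, 16)),
    Incident("inc-2", "third_party", datetime(2024, 2, 1), datetime(2024, 3, 2), datetime(2024, 3, 12)),
    Incident("inc-3", "attacker", datetime(2024, 3, 1), datetime(2024, 5, 10), datetime(2024, 6, 9)),
    Incident("inc-4", "internal", datetime(2024, 4, 1), datetime(2024, 4, 21), datetime(2024, 4, 26)),
]

if __name__ == "__main__":
    m = lifecycle_metrics(SAMPLE_INCIDENTS)
    o = m["overall"]
    print(f"overall: MTTI {o['mtti_days']:.1f} d, MTTC {o['mttc_days']:.1f} d, "
          f"lifecycle {o['lifecycle_days']:.1f} d")
    for channel, s in m["by_channel"].items():
        print(f"{channel:12} n={s['count']}  MTTI {s['mtti_days']:.1f} d  "
              f"MTTC {s['mttc_days']:.1f} d  lifecycle {s['lifecycle_days']:.1f} d")
```

On the constructed data the attacker-notified incident has a 100-day lifecycle against 20 to 25 days for internally detected ones; on a real register the same split is the quickest way to see which detection investments are shortening the costly part of the curve.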
Your writer was intrigued by the four-pillar breakdown of costs related to domestic data breaches. According to IBM, the notification of the breach accounts for around 8.8% of the total. This first pillar centres on notifying data subjects and ongoing engagements with ombudsman schemes, regulators and third-party experts, where necessary. Pillar two, described as post-breach response, accounts for close to 28% of data breach costs. In this stage, the firm might pay for help desk and inbound communication, credit monitoring, identity protection services, legal expenditures and regulatory fines.
“Costs incurred for detection and escalation account for 33.4% of the total and include forensic and investigation activities, assessment and audit services, crisis management, communication to the executive, and board escalation of the matter,” Lamprecht explained. Finally, the fourth pillar, at just over 30% of the total, deals with loss of business costs including “business disruption and revenue losses due to ecosystem downtime, cost of losing and acquiring new customers, reputational damage and diminished goodwill.” The presentation shared further insights into extortion and ransomware and initial attack vectors before concluding.
Prevention is better than cure
The clear message to FAnews readers is that prevention remains better than response, especially when considering a risk that can cost your business millions of rand and hinder your operations for months. It is clear that insurance and technology are part-and-parcel of any cyber risk mitigation strategy.
“Insurance policies rely on or incorporate certain tools and technologies to reduce cyber risk to an acceptable level; but the cost of technologies versus insurance is probably between 10-to-one and 20-to-one,” Lamprecht concluded. “This makes insurance an integral part of the recovery process following a breach … it fits firmly into the recovery phase.”
Writer’s thoughts:
As the frequency and severity of cyberattacks and data breaches surge, the question becomes: Do brokers and risk managers know enough about cybercrime, cyber risk and cybersecurity to protect their own businesses, let alone advise commercial clients on insurance covers and alternative risk mitigations and transfer? Please comment below, interact with us on X at @fanews_online or email us your thoughts editor@fanews.co.za.